Support the Clear-Site-Data header on resource requests

content/browser/browsing_data/clear_site_data_throttle_browsertest.cc

Index: content/browser/browsing_data/clear_site_data_throttle_browsertest.cc
diff --git a/content/browser/browsing_data/clear_site_data_throttle_browsertest.cc b/content/browser/browsing_data/clear_site_data_throttle_browsertest.cc
index f5e43643bc67802e5fd264bf70fd51cd243394c3..3fb867d86f5d4f324e4d85ba550f38d55c98e7c2 100644
--- a/content/browser/browsing_data/clear_site_data_throttle_browsertest.cc
+++ b/content/browser/browsing_data/clear_site_data_throttle_browsertest.cc
@@ -112,12 +112,26 @@ class ClearSiteDataThrottleBrowserTest : public ContentBrowserTest {
   // Handles all requests. If the request url query contains a "header" key,
   // responds with the "Clear-Site-Data" header of the corresponding value.
   // If the query contains a "redirect" key, responds with a redirect to a url
-  // given by the corresponding value.
+  // given by the corresponding value. If the query contains a "html" key,
+  // the response will contain a text/html content given by the corresponding
+  // value. If the query contains a "file" key, it will instead serve content
+  // from a file with the corresponding
   //
   // Example: "https://localhost/?header={}&redirect=example.com" will respond
   // with headers
   // Clear-Site-Data: {}
   // Location: example.com
+  //
+  // Example: "https://localhost/?html=<html><head></head><body></body></html>"
+  // will respond with the header
+  // Content-Type: text/html
+  // and content
+  // <html><head></head><body></body></html>
+  //
+  // Example: "https://localhost/?file=file.html
+  // will respond with the header
+  // Content-Type: text/html
+  // and content from the file content/test/data/file.html
   std::unique_ptr<net::test_server::HttpResponse> HandleRequest(
       const net::test_server::HttpRequest& request) {
     std::unique_ptr<net::test_server::BasicHttpResponse> response(
@@ -134,6 +148,31 @@ class ClearSiteDataThrottleBrowserTest : public ContentBrowserTest {
       response->set_code(net::HTTP_OK);
     }
 
+    if (net::GetValueForKeyInQuery(request.GetURL(), "html", &value)) {
+      response->set_content_type("text/html");
+      response->set_content(value);
+    }
+
+    if (net::GetValueForKeyInQuery(request.GetURL(), "file", &value)) {
+      base::FilePath path(GetTestFilePath("browsing_data", value.c_str()));
+      base::File file(path, base::File::FLAG_OPEN | base::File::FLAG_READ);
+      EXPECT_TRUE(file.IsValid());
+      int64_t length = file.GetLength();
+      EXPECT_GE(length, 0);
+      std::unique_ptr<char[]> buffer(new char[length + 1]);
+      file.Read(0, buffer.get(), length);
+      buffer[length] = '\0';
+
+      if (path.Extension() == ".js")
+        response->set_content_type("application/javascript");
+      else if (path.Extension() == ".html")
+        response->set_content_type("text/html");
+      else
+        NOTREACHED();
+
+      response->set_content(buffer.get());
+    }
+
     return std::move(response);
   }
 
@@ -142,9 +181,9 @@ class ClearSiteDataThrottleBrowserTest : public ContentBrowserTest {
 };
 
 // Tests that the header is recognized on the beginning, in the middle, and on
-// the end of a redirect chain. Each of the three parts of the chain may or
-// may not send the header, so there are 8 configurations to test.
-IN_PROC_BROWSER_TEST_F(ClearSiteDataThrottleBrowserTest, Redirect) {
+// the end of a navigation redirect chain. Each of the three parts of the chain
+// may or may not send the header, so there are 8 configurations to test.
+IN_PROC_BROWSER_TEST_F(ClearSiteDataThrottleBrowserTest, RedirectNavigation) {
   GURL base_urls[3] = {
       https_server()->GetURL("origin1.com", "/"),
       https_server()->GetURL("origin2.com", "/foo/bar"),
@@ -182,8 +221,55 @@ IN_PROC_BROWSER_TEST_F(ClearSiteDataThrottleBrowserTest, Redirect) {
   }
 }
 
+// Tests that the header is recognized on the beginning, in the middle, and on
+// the end of a resource load redirect chain. Each of the three parts of the
+// chain may or may not send the header, so there are 8 configurations to test.
+IN_PROC_BROWSER_TEST_F(ClearSiteDataThrottleBrowserTest, RedirectResourceLoad) {
+  GURL base_urls[3] = {
+      https_server()->GetURL("origin1.com", "/image.png"),
+      https_server()->GetURL("origin2.com", "/redirected-image.png"),
+      https_server()->GetURL("origin3.com", "/actual-image.png"),
+  };
+
+  // Iterate through the configurations. URLs whose index is matched by the mask
+  // will send the header, the others won't.
+  for (int mask = 0; mask < (1 << 3); ++mask) {
+    GURL urls[3];
+
+    // Set up the expectations.
+    for (int i = 0; i < 3; ++i) {
+      urls[i] = base_urls[i];
+      if (mask & (1 << i))
+        AddQuery(&urls[i], "header", kClearCookiesHeader);
+
+      EXPECT_CALL(*GetContentBrowserClient(),
+                  ClearSiteData(shell()->web_contents()->GetBrowserContext(),
+                                url::Origin(urls[i]), _, _, _, _))
+          .Times((mask & (1 << i)) ? 1 : 0);
+    }
+
+    // Set up redirects between urls 0 --> 1 --> 2.
+    AddQuery(&urls[1], "redirect", urls[2].spec());
+    AddQuery(&urls[0], "redirect", urls[1].spec());
+
+    // Navigate to a page that embeds "https://origin1.com/image.png"
+    // and observe the loading of that resource.
+    GURL page_with_image = https_server()->GetURL("origin4.com", "/index.html");
+    std::string content_with_image =
+        "<html><head></head><body>"
+        "<img src=\"" +
+        urls[0].spec() +
+        "\" />"
+        "</body></html>";
+    AddQuery(&page_with_image, "html", content_with_image);
+    NavigateToURL(shell(), page_with_image);
+
+    testing::Mock::VerifyAndClearExpectations(GetContentBrowserClient());
+  }
+}
+
 // Tests that the Clear-Site-Data header is ignored for insecure origins.
-IN_PROC_BROWSER_TEST_F(ClearSiteDataThrottleBrowserTest, Insecure) {
+IN_PROC_BROWSER_TEST_F(ClearSiteDataThrottleBrowserTest, InsecureNavigation) {
   // ClearSiteData() should not be called on HTTP.
   GURL url = embedded_test_server()->GetURL("example.com", "/");
   AddQuery(&url, "header", kClearCookiesHeader);
@@ -195,6 +281,138 @@ IN_PROC_BROWSER_TEST_F(ClearSiteDataThrottleBrowserTest, Insecure) {
   NavigateToURL(shell(), url);
 }
 
+// Tests that the Clear-Site-Data header is honored for secure resource loads
+// and ignored for insecure ones.
+IN_PROC_BROWSER_TEST_F(ClearSiteDataThrottleBrowserTest,
+                       SecureAndInsecureResourceLoad) {
+  EXPECT_CALL(*GetContentBrowserClient(), ClearSiteData(_, _, _, _, _, _))

[msramek, 2016/10/13 14:26:03]

Removing this as it's duplicated below.

+      .Times(0);
+
+  GURL insecure_image =
+      embedded_test_server()->GetURL("example.com", "/image.png");
+  GURL secure_image = https_server()->GetURL("example.com", "/image.png");
+
+  ASSERT_TRUE(secure_image.SchemeIsCryptographic());
+  ASSERT_FALSE(insecure_image.SchemeIsCryptographic());
+
+  AddQuery(&secure_image, "header", kClearCookiesHeader);
+  AddQuery(&insecure_image, "header", kClearCookiesHeader);
+
+  std::string content_with_insecure_image =
+      "<html><head></head><body>"
+      "<img src=\"" +
+      insecure_image.spec() +
+      "\" />"
+      "</body></html>";
+
+  std::string content_with_secure_image =
+      "<html><head></head><body>"
+      "<img src=\"" +
+      secure_image.spec() +
+      "\" />"
+      "</body></html>";
+
+  // Test insecure resources.
+  GURL insecure_page = embedded_test_server()->GetURL("example.com", "/");
+  GURL secure_page = https_server()->GetURL("example.com", "/");
+
+  AddQuery(&insecure_page, "html", content_with_insecure_image);
+  AddQuery(&secure_page, "html", content_with_insecure_image);
+
+  EXPECT_CALL(*GetContentBrowserClient(), ClearSiteData(_, _, _, _, _, _))
+      .Times(0);
+
+  // Insecure resource on an insecure page does not execute Clear-Site-Data.
+  NavigateToURL(shell(), insecure_page);
+
+  // Insecure resource on a secure page does not execute Clear-Site-Data.
+  NavigateToURL(shell(), secure_page);
+
+  testing::Mock::VerifyAndClearExpectations(GetContentBrowserClient());
+
+  // Test secure resources.
+  insecure_page = embedded_test_server()->GetURL("example.com", "/");
+  secure_page = https_server()->GetURL("example.com", "/");
+
+  AddQuery(&insecure_page, "html", content_with_secure_image);
+  AddQuery(&secure_page, "html", content_with_secure_image);
+
+  // Secure resource on an insecure page does execute Clear-Site-Data.
+  EXPECT_CALL(*GetContentBrowserClient(), ClearSiteData(_, _, _, _, _, _))
+      .Times(1);
+
+  NavigateToURL(shell(), secure_page);
+  testing::Mock::VerifyAndClearExpectations(GetContentBrowserClient());
+
+  // Secure resource on a secure page does execute Clear-Site-Data.
+  EXPECT_CALL(*GetContentBrowserClient(), ClearSiteData(_, _, _, _, _, _))
+      .Times(1);
+
+  NavigateToURL(shell(), secure_page);
+}
+
+// Tests that the Clear-Site-Data header is ignored for service worker resource
+// loads. Specifically, we test it on a cross-origin request; the header is
+// ignored for same-origin requests as well, but there it isn't harmful.
+IN_PROC_BROWSER_TEST_F(ClearSiteDataThrottleBrowserTest,
+                       DISABLED_ServiceWorker) {
+  GURL origin1 = https_server()->GetURL("origin1.com", "/");
+  GURL origin2 = https_server()->GetURL("origin2.com", "/");
+
+  // We will load |origin1| and make cross-origin requests for |origin2| from
+  // there. We need to inform the JS side about |origin2| using a query
+  // parameter; it cannot be hardcoded in the JS code, as the port number
+  // of the test server is chosen randomly.

[mmenke, 2016/09/26 12:59:17]

The service worker should redirect requests to |origin2| to |origin1|, so we
don't actually need a server at origin2, do we?

[msramek, 2016/10/13 14:26:03]

The first part of the test makes a fetch from |origin2| before installing the
service worker, and expects it to succeed - we need the server there.

Technically, we don't need to test that - successful instances are well covered
by the other tests. But I felt that a test which is fully negative has so many
ways to accidentally pass when something is broken in the setup that I added one
successful fetch to make it a bit more robust.

+  GURL url = origin1;
+  AddQuery(&url, "file", "worker_setup.html");
+  AddQuery(&url, "other_origin", origin2.spec());
+
+  // Navigation to worker_setup.html will first request a resource with the
+  // Clear-Site-Data header. This is done for control - to make sure that
+  // the second part of this test will ignore the header because it's processed
+  // by a service worker, and not because the test is set up incorrectly.
+  EXPECT_CALL(*GetContentBrowserClient(), ClearSiteData(_, _, _, _, _, _))
+      .Times(1);
+  NavigateToURL(shell(), url);
+
+  // After the resource was fetched, a service worker should have been
+  // installed and the page reloaded. The service worker will now serve a page
+  // containing an image, and fetching that image will again return the
+  // Clear-Site-Data header. This time, it should be ignored.
+  //
+  // Since the installation of a service worker is asynchronous, the JS side
+  // will inform us about it in its URL hash.
+  // TODO(msramek): Find a solution without polling.
+  while (true) {
+    if (shell()->web_contents()->GetLastCommittedURL().ref_piece() ==
+        "service-worker-registered") {
+      break;
+    }
+
+    base::RunLoop run_loop;
+    run_loop.RunUntilIdle();
+  }
+  testing::Mock::VerifyAndClearExpectations(GetContentBrowserClient());
+
+  // The service worker should be now installed. Stop the server so that we
+  // lose connectivity and the service worker can handle requests.
+  ASSERT_TRUE(https_server()->ShutdownAndWaitUntilComplete());
+
+  EXPECT_CALL(*GetContentBrowserClient(), ClearSiteData(_, _, _, _, _, _))
+      .Times(0);
+
+  NavigateToURL(shell(), origin1);
+  while (true) {
+    if (shell()->web_contents()->GetVisibleURL().ref_piece() ==
+        "service-worker-active") {
+      break;
+    }
+
+    base::RunLoop run_loop;
+    run_loop.RunUntilIdle();
+  }
+}
+

[mmenke, 2016/09/27 18:24:02]

Should also check CORS and non-CORS cross-site resource requests.

[msramek, 2016/10/13 14:26:03]

I chatted with mkwst@ about this as well.

While Access-Control-Allow-Origin et al. influence the visibility of the
response, they do not affect whether cookies are set. And therefore, they should
not affect Clear-Site-Data either. In fact, the check against
Access-Control-Allow-Origin is performed in Blink after the throttle's
destructor, so we can't easily do it even if we chose to.

However, the 'credentials' parameter does affect how cookies are set, and
therefore it should influence Clear-Site-Data as well. Again, I filed a bug
against the spec: https://github.com/w3c/webappsec-clear-site-data/issues/4 and
added a test here.

 // Tests that ClearSiteData() is called for the correct datatypes.
 IN_PROC_BROWSER_TEST_F(ClearSiteDataThrottleBrowserTest, Types) {
   GURL base_url = https_server()->GetURL("example.com", "/");