Index: content/browser/browsing_data/clear_site_data_throttle_browsertest.cc |
diff --git a/content/browser/browsing_data/clear_site_data_throttle_browsertest.cc b/content/browser/browsing_data/clear_site_data_throttle_browsertest.cc |
index f5e43643bc67802e5fd264bf70fd51cd243394c3..3fb867d86f5d4f324e4d85ba550f38d55c98e7c2 100644 |
--- a/content/browser/browsing_data/clear_site_data_throttle_browsertest.cc |
+++ b/content/browser/browsing_data/clear_site_data_throttle_browsertest.cc |
@@ -112,12 +112,26 @@ class ClearSiteDataThrottleBrowserTest : public ContentBrowserTest { |
// Handles all requests. If the request url query contains a "header" key, |
// responds with the "Clear-Site-Data" header of the corresponding value. |
// If the query contains a "redirect" key, responds with a redirect to a url |
- // given by the corresponding value. |
+ // given by the corresponding value. If the query contains a "html" key, |
+ // the response will contain a text/html content given by the corresponding |
+ // value. If the query contains a "file" key, it will instead serve content |
+ // from a file with the corresponding |
// |
// Example: "https://localhost/?header={}&redirect=example.com" will respond |
// with headers |
// Clear-Site-Data: {} |
// Location: example.com |
+ // |
+ // Example: "https://localhost/?html=<html><head></head><body></body></html>" |
+ // will respond with the header |
+ // Content-Type: text/html |
+ // and content |
+ // <html><head></head><body></body></html> |
+ // |
+ // Example: "https://localhost/?file=file.html |
+ // will respond with the header |
+ // Content-Type: text/html |
+ // and content from the file content/test/data/file.html |
std::unique_ptr<net::test_server::HttpResponse> HandleRequest( |
const net::test_server::HttpRequest& request) { |
std::unique_ptr<net::test_server::BasicHttpResponse> response( |
@@ -134,6 +148,31 @@ class ClearSiteDataThrottleBrowserTest : public ContentBrowserTest { |
response->set_code(net::HTTP_OK); |
} |
+ if (net::GetValueForKeyInQuery(request.GetURL(), "html", &value)) { |
+ response->set_content_type("text/html"); |
+ response->set_content(value); |
+ } |
+ |
+ if (net::GetValueForKeyInQuery(request.GetURL(), "file", &value)) { |
+ base::FilePath path(GetTestFilePath("browsing_data", value.c_str())); |
+ base::File file(path, base::File::FLAG_OPEN | base::File::FLAG_READ); |
+ EXPECT_TRUE(file.IsValid()); |
+ int64_t length = file.GetLength(); |
+ EXPECT_GE(length, 0); |
+ std::unique_ptr<char[]> buffer(new char[length + 1]); |
+ file.Read(0, buffer.get(), length); |
+ buffer[length] = '\0'; |
+ |
+ if (path.Extension() == ".js") |
+ response->set_content_type("application/javascript"); |
+ else if (path.Extension() == ".html") |
+ response->set_content_type("text/html"); |
+ else |
+ NOTREACHED(); |
+ |
+ response->set_content(buffer.get()); |
+ } |
+ |
return std::move(response); |
} |
@@ -142,9 +181,9 @@ class ClearSiteDataThrottleBrowserTest : public ContentBrowserTest { |
}; |
// Tests that the header is recognized on the beginning, in the middle, and on |
-// the end of a redirect chain. Each of the three parts of the chain may or |
-// may not send the header, so there are 8 configurations to test. |
-IN_PROC_BROWSER_TEST_F(ClearSiteDataThrottleBrowserTest, Redirect) { |
+// the end of a navigation redirect chain. Each of the three parts of the chain |
+// may or may not send the header, so there are 8 configurations to test. |
+IN_PROC_BROWSER_TEST_F(ClearSiteDataThrottleBrowserTest, RedirectNavigation) { |
GURL base_urls[3] = { |
https_server()->GetURL("origin1.com", "/"), |
https_server()->GetURL("origin2.com", "/foo/bar"), |
@@ -182,8 +221,55 @@ IN_PROC_BROWSER_TEST_F(ClearSiteDataThrottleBrowserTest, Redirect) { |
} |
} |
+// Tests that the header is recognized on the beginning, in the middle, and on |
+// the end of a resource load redirect chain. Each of the three parts of the |
+// chain may or may not send the header, so there are 8 configurations to test. |
+IN_PROC_BROWSER_TEST_F(ClearSiteDataThrottleBrowserTest, RedirectResourceLoad) { |
+ GURL base_urls[3] = { |
+ https_server()->GetURL("origin1.com", "/image.png"), |
+ https_server()->GetURL("origin2.com", "/redirected-image.png"), |
+ https_server()->GetURL("origin3.com", "/actual-image.png"), |
+ }; |
+ |
+ // Iterate through the configurations. URLs whose index is matched by the mask |
+ // will send the header, the others won't. |
+ for (int mask = 0; mask < (1 << 3); ++mask) { |
+ GURL urls[3]; |
+ |
+ // Set up the expectations. |
+ for (int i = 0; i < 3; ++i) { |
+ urls[i] = base_urls[i]; |
+ if (mask & (1 << i)) |
+ AddQuery(&urls[i], "header", kClearCookiesHeader); |
+ |
+ EXPECT_CALL(*GetContentBrowserClient(), |
+ ClearSiteData(shell()->web_contents()->GetBrowserContext(), |
+ url::Origin(urls[i]), _, _, _, _)) |
+ .Times((mask & (1 << i)) ? 1 : 0); |
+ } |
+ |
+ // Set up redirects between urls 0 --> 1 --> 2. |
+ AddQuery(&urls[1], "redirect", urls[2].spec()); |
+ AddQuery(&urls[0], "redirect", urls[1].spec()); |
+ |
+ // Navigate to a page that embeds "https://origin1.com/image.png" |
+ // and observe the loading of that resource. |
+ GURL page_with_image = https_server()->GetURL("origin4.com", "/index.html"); |
+ std::string content_with_image = |
+ "<html><head></head><body>" |
+ "<img src=\"" + |
+ urls[0].spec() + |
+ "\" />" |
+ "</body></html>"; |
+ AddQuery(&page_with_image, "html", content_with_image); |
+ NavigateToURL(shell(), page_with_image); |
+ |
+ testing::Mock::VerifyAndClearExpectations(GetContentBrowserClient()); |
+ } |
+} |
+ |
// Tests that the Clear-Site-Data header is ignored for insecure origins. |
-IN_PROC_BROWSER_TEST_F(ClearSiteDataThrottleBrowserTest, Insecure) { |
+IN_PROC_BROWSER_TEST_F(ClearSiteDataThrottleBrowserTest, InsecureNavigation) { |
// ClearSiteData() should not be called on HTTP. |
GURL url = embedded_test_server()->GetURL("example.com", "/"); |
AddQuery(&url, "header", kClearCookiesHeader); |
@@ -195,6 +281,138 @@ IN_PROC_BROWSER_TEST_F(ClearSiteDataThrottleBrowserTest, Insecure) { |
NavigateToURL(shell(), url); |
} |
+// Tests that the Clear-Site-Data header is honored for secure resource loads |
+// and ignored for insecure ones. |
+IN_PROC_BROWSER_TEST_F(ClearSiteDataThrottleBrowserTest, |
+ SecureAndInsecureResourceLoad) { |
+ EXPECT_CALL(*GetContentBrowserClient(), ClearSiteData(_, _, _, _, _, _)) |
msramek
2016/10/13 14:26:03
Removing this as it's duplicated below.
|
+ .Times(0); |
+ |
+ GURL insecure_image = |
+ embedded_test_server()->GetURL("example.com", "/image.png"); |
+ GURL secure_image = https_server()->GetURL("example.com", "/image.png"); |
+ |
+ ASSERT_TRUE(secure_image.SchemeIsCryptographic()); |
+ ASSERT_FALSE(insecure_image.SchemeIsCryptographic()); |
+ |
+ AddQuery(&secure_image, "header", kClearCookiesHeader); |
+ AddQuery(&insecure_image, "header", kClearCookiesHeader); |
+ |
+ std::string content_with_insecure_image = |
+ "<html><head></head><body>" |
+ "<img src=\"" + |
+ insecure_image.spec() + |
+ "\" />" |
+ "</body></html>"; |
+ |
+ std::string content_with_secure_image = |
+ "<html><head></head><body>" |
+ "<img src=\"" + |
+ secure_image.spec() + |
+ "\" />" |
+ "</body></html>"; |
+ |
+ // Test insecure resources. |
+ GURL insecure_page = embedded_test_server()->GetURL("example.com", "/"); |
+ GURL secure_page = https_server()->GetURL("example.com", "/"); |
+ |
+ AddQuery(&insecure_page, "html", content_with_insecure_image); |
+ AddQuery(&secure_page, "html", content_with_insecure_image); |
+ |
+ EXPECT_CALL(*GetContentBrowserClient(), ClearSiteData(_, _, _, _, _, _)) |
+ .Times(0); |
+ |
+ // Insecure resource on an insecure page does not execute Clear-Site-Data. |
+ NavigateToURL(shell(), insecure_page); |
+ |
+ // Insecure resource on a secure page does not execute Clear-Site-Data. |
+ NavigateToURL(shell(), secure_page); |
+ |
+ testing::Mock::VerifyAndClearExpectations(GetContentBrowserClient()); |
+ |
+ // Test secure resources. |
+ insecure_page = embedded_test_server()->GetURL("example.com", "/"); |
+ secure_page = https_server()->GetURL("example.com", "/"); |
+ |
+ AddQuery(&insecure_page, "html", content_with_secure_image); |
+ AddQuery(&secure_page, "html", content_with_secure_image); |
+ |
+ // Secure resource on an insecure page does execute Clear-Site-Data. |
+ EXPECT_CALL(*GetContentBrowserClient(), ClearSiteData(_, _, _, _, _, _)) |
+ .Times(1); |
+ |
+ NavigateToURL(shell(), secure_page); |
+ testing::Mock::VerifyAndClearExpectations(GetContentBrowserClient()); |
+ |
+ // Secure resource on a secure page does execute Clear-Site-Data. |
+ EXPECT_CALL(*GetContentBrowserClient(), ClearSiteData(_, _, _, _, _, _)) |
+ .Times(1); |
+ |
+ NavigateToURL(shell(), secure_page); |
+} |
+ |
+// Tests that the Clear-Site-Data header is ignored for service worker resource |
+// loads. Specifically, we test it on a cross-origin request; the header is |
+// ignored for same-origin requests as well, but there it isn't harmful. |
+IN_PROC_BROWSER_TEST_F(ClearSiteDataThrottleBrowserTest, |
+ DISABLED_ServiceWorker) { |
+ GURL origin1 = https_server()->GetURL("origin1.com", "/"); |
+ GURL origin2 = https_server()->GetURL("origin2.com", "/"); |
+ |
+ // We will load |origin1| and make cross-origin requests for |origin2| from |
+ // there. We need to inform the JS side about |origin2| using a query |
+ // parameter; it cannot be hardcoded in the JS code, as the port number |
+ // of the test server is chosen randomly. |
mmenke
2016/09/26 12:59:17
The service worker should redirect requests to |or
msramek
2016/10/13 14:26:03
The first part of the test makes a fetch from |ori
|
+ GURL url = origin1; |
+ AddQuery(&url, "file", "worker_setup.html"); |
+ AddQuery(&url, "other_origin", origin2.spec()); |
+ |
+ // Navigation to worker_setup.html will first request a resource with the |
+ // Clear-Site-Data header. This is done for control - to make sure that |
+ // the second part of this test will ignore the header because it's processed |
+ // by a service worker, and not because the test is set up incorrectly. |
+ EXPECT_CALL(*GetContentBrowserClient(), ClearSiteData(_, _, _, _, _, _)) |
+ .Times(1); |
+ NavigateToURL(shell(), url); |
+ |
+ // After the resource was fetched, a service worker should have been |
+ // installed and the page reloaded. The service worker will now serve a page |
+ // containing an image, and fetching that image will again return the |
+ // Clear-Site-Data header. This time, it should be ignored. |
+ // |
+ // Since the installation of a service worker is asynchronous, the JS side |
+ // will inform us about it in its URL hash. |
+ // TODO(msramek): Find a solution without polling. |
+ while (true) { |
+ if (shell()->web_contents()->GetLastCommittedURL().ref_piece() == |
+ "service-worker-registered") { |
+ break; |
+ } |
+ |
+ base::RunLoop run_loop; |
+ run_loop.RunUntilIdle(); |
+ } |
+ testing::Mock::VerifyAndClearExpectations(GetContentBrowserClient()); |
+ |
+ // The service worker should be now installed. Stop the server so that we |
+ // lose connectivity and the service worker can handle requests. |
+ ASSERT_TRUE(https_server()->ShutdownAndWaitUntilComplete()); |
+ |
+ EXPECT_CALL(*GetContentBrowserClient(), ClearSiteData(_, _, _, _, _, _)) |
+ .Times(0); |
+ |
+ NavigateToURL(shell(), origin1); |
+ while (true) { |
+ if (shell()->web_contents()->GetVisibleURL().ref_piece() == |
+ "service-worker-active") { |
+ break; |
+ } |
+ |
+ base::RunLoop run_loop; |
+ run_loop.RunUntilIdle(); |
+ } |
+} |
+ |
mmenke
2016/09/27 18:24:02
Should also check CORS and non-CORS cross-site res
msramek
2016/10/13 14:26:03
I chatted with mkwst@ about this as well.
While A
|
// Tests that ClearSiteData() is called for the correct datatypes. |
IN_PROC_BROWSER_TEST_F(ClearSiteDataThrottleBrowserTest, Types) { |
GURL base_url = https_server()->GetURL("example.com", "/"); |