| OLD | NEW |
|---|---|
| 1 // Copyright 2016 The Chromium Authors. All rights reserved. | 1 // Copyright 2016 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "base/macros.h" | 5 #include "base/macros.h" |
| 6 #include "base/strings/pattern.h" | 6 #include "base/strings/pattern.h" |
| 7 #include "build/build_config.h" | 7 #include "build/build_config.h" |
| 8 #include "content/browser/web_contents/web_contents_impl.h" | 8 #include "content/browser/web_contents/web_contents_impl.h" |
| 9 #include "content/public/test/browser_test_utils.h" | 9 #include "content/public/test/browser_test_utils.h" |
| 10 #include "content/public/test/content_browser_test.h" | 10 #include "content/public/test/content_browser_test.h" |
| (...skipping 72 matching lines...) | |
| 83 "link.target = '_blank';" | 83 "link.target = '_blank';" |
| 84 "link.click()")); | 84 "link.click()")); |
| 85 | 85 |
| 86 // The link should create a new tab. | 86 // The link should create a new tab. |
| 87 Shell* new_shell = new_shell_observer.GetShell(); | 87 Shell* new_shell = new_shell_observer.GetShell(); |
| 88 WebContents* new_contents = new_shell->web_contents(); | 88 WebContents* new_contents = new_shell->web_contents(); |
| 89 WaitForLoadStop(new_contents); | 89 WaitForLoadStop(new_contents); |
| 90 | 90 |
| 91 EXPECT_TRUE(base::MatchPattern(new_contents->GetVisibleURL().spec(), | 91 EXPECT_TRUE(base::MatchPattern(new_contents->GetVisibleURL().spec(), |
| 92 "blob:" + origin.Serialize() + "/*")); | 92 "blob:" + origin.Serialize() + "/*")); |
| 93 std::string page_content; | 93 std::string popup_text; |
| 94 EXPECT_TRUE(ExecuteScriptAndExtractString( | 94 EXPECT_TRUE(ExecuteScriptAndExtractString( |
| 95 new_contents, | 95 new_contents, |
| 96 "domAutomationController.send(" | 96 "domAutomationController.send(" |
| 97 " document.origin + ' ' + document.body.innerText);", | 97 " document.origin + ' ' + document.body.innerText);", |
| 98 &page_content)); | 98 &popup_text)); |
| 99 EXPECT_EQ(origin.Serialize() + " potato", page_content); | 99 EXPECT_EQ(origin.Serialize() + " potato", popup_text); |
| 100 | |
| 101 // The popup is same origin with its opener, and can script it. | |
| 102 std::string opener_text; | |
| 103 EXPECT_TRUE(ExecuteScriptAndExtractString( | |
| 104 new_contents, | |
| 105 "domAutomationController.send(window.opener.document.body.innerText);", | |
| 106 &opener_text)); | |
| 107 EXPECT_EQ("This page has no title. Click Me!", opener_text); | |
| 108 } | |
| 109 | |
| 110 IN_PROC_BROWSER_TEST_F(BlobUrlBrowserTest, LinkToSameOriginFileBlob) { | |
| 111 // Using a file:// page, click a link that opens a popup to a same-origin | |
| 112 // blob. | |
| 113 GURL url = GetTestUrl(NULL, "title1.html"); | |
| 114 EXPECT_EQ("file://", url::Origin(url).Serialize()); | |
| 115 NavigateToURL(shell(), url); | |
| 116 | |
| 117 ShellAddedObserver new_shell_observer; | |
| 118 EXPECT_TRUE(ExecuteScript( | |
| 119 shell(), | |
| 120 "var link = document.body.appendChild(document.createElement('a'));" | |
| 121 "link.innerText = 'Click Me!';" | |
| 122 "link.href = URL.createObjectURL(new Blob(['potato']));" | |
| 123 "link.target = '_blank';" | |
| 124 "link.click()")); | |
| 125 | |
| 126 // The link should create a new tab. | |
| 127 Shell* new_shell = new_shell_observer.GetShell(); | |
| 128 WebContents* new_contents = new_shell->web_contents(); | |
| 129 WaitForLoadStop(new_contents); | |
| 130 | |
| 131 EXPECT_TRUE(base::MatchPattern(new_contents->GetVisibleURL().spec(), | |
| 132 "blob:file:///*")); | |
|
Charlie Reis
2016/09/28 22:48:10
I was surprised by this. In practice, we get a "n
| |
| 133 EXPECT_EQ(url::Origin(url), url::Origin(new_contents->GetVisibleURL())); | |
| 134 std::string popup_text; | |
| 135 EXPECT_TRUE(ExecuteScriptAndExtractString( | |
| 136 new_contents, | |
| 137 "domAutomationController.send(" | |
| 138 " document.origin + ' ' + document.body.innerText);", | |
| 139 &popup_text)); | |
| 140 EXPECT_EQ("file:// potato", popup_text); | |
| 141 | |
| 142 // The popup is same origin with its opener, and can script it. | |
| 143 std::string opener_text; | |
| 144 EXPECT_TRUE(ExecuteScriptAndExtractString( | |
| 145 new_contents, | |
| 146 "domAutomationController.send(window.opener.document.body.innerText);", | |
|
Charlie Reis
2016/09/28 22:48:10
Amazingly, this still works even with my null orig
| |
| 147 &opener_text)); | |
| 148 EXPECT_EQ("This page has no title. Click Me!", opener_text); | |
| 100 } | 149 } |
| 101 | 150 |
| 102 // Regression test for https://crbug.com/646278 | 151 // Regression test for https://crbug.com/646278 |
| 103 IN_PROC_BROWSER_TEST_F(BlobUrlBrowserTest, LinkToSameOriginBlobWithAuthority) { | 152 IN_PROC_BROWSER_TEST_F(BlobUrlBrowserTest, LinkToSameOriginBlobWithUsername) { |
| 104 // Using an http page, click a link that opens a popup to a same-origin blob | 153 // Using an http page, click a link that opens a popup to a same-origin blob |
| 105 // that has a spoofy authority section applied. This should be blocked. | 154 // that has a spoofy authority section applied. This should be blocked. |
| 106 GURL url = embedded_test_server()->GetURL("chromium.org", "/title1.html"); | 155 GURL url = embedded_test_server()->GetURL("chromium.org", "/title1.html"); |
| 107 url::Origin origin(url); | 156 url::Origin origin(url); |
| 108 NavigateToURL(shell(), url); | 157 NavigateToURL(shell(), url); |
| 109 | 158 |
| 110 ShellAddedObserver new_shell_observer; | 159 ShellAddedObserver new_shell_observer; |
| 111 EXPECT_TRUE(ExecuteScript( | 160 EXPECT_TRUE(ExecuteScript( |
| 112 shell(), | 161 shell(), |
| 113 "var link = document.body.appendChild(document.createElement('a'));" | 162 "var link = document.body.appendChild(document.createElement('a'));" |
| (...skipping 17 matching lines...) | |
| 131 std::string page_content; | 180 std::string page_content; |
| 132 EXPECT_TRUE(ExecuteScriptAndExtractString( | 181 EXPECT_TRUE(ExecuteScriptAndExtractString( |
| 133 new_contents, | 182 new_contents, |
| 134 "domAutomationController.send(" | 183 "domAutomationController.send(" |
| 135 " document.origin + ' ' + document.body.innerText);", | 184 " document.origin + ' ' + document.body.innerText);", |
| 136 &page_content)); | 185 &page_content)); |
| 137 EXPECT_EQ(origin.Serialize() + " ", page_content); // no potato | 186 EXPECT_EQ(origin.Serialize() + " ", page_content); // no potato |
| 138 } | 187 } |
| 139 | 188 |
| 140 // Regression test for https://crbug.com/646278 | 189 // Regression test for https://crbug.com/646278 |
| 141 IN_PROC_BROWSER_TEST_F(BlobUrlBrowserTest, ReplaceStateToAddAuthorityToBlob) { | 190 IN_PROC_BROWSER_TEST_F(BlobUrlBrowserTest, ReplaceStateToAddUsernameToBlob) { |
| 142 // history.replaceState from a validly loaded blob URL shouldn't allow adding | 191 // history.replaceState from a validly loaded blob URL shouldn't allow adding |
| 143 // an authority to the inner URL, which would be spoofy. | 192 // an authority to the inner URL, which would be spoofy. |
| 144 GURL url = embedded_test_server()->GetURL("chromium.org", "/title1.html"); | 193 GURL url = embedded_test_server()->GetURL("chromium.org", "/title1.html"); |
| 145 url::Origin origin(url); | 194 url::Origin origin(url); |
| 146 NavigateToURL(shell(), url); | 195 NavigateToURL(shell(), url); |
| 147 | 196 |
| 148 ShellAddedObserver new_shell_observer; | 197 ShellAddedObserver new_shell_observer; |
| 149 EXPECT_TRUE(ExecuteScript( | 198 EXPECT_TRUE(ExecuteScript( |
| 150 shell(), | 199 shell(), |
| 151 "var spoof_fn = function () {\n" | 200 "var spoof_fn = function () {\n" |
| (...skipping 27 matching lines...) | |
| 179 // TODO(nick): Currently, window.location still reflects the spoof URL. | 228 // TODO(nick): Currently, window.location still reflects the spoof URL. |
| 180 // This seems unfortunate -- can we fix it? | 229 // This seems unfortunate -- can we fix it? |
| 181 std::string window_location; | 230 std::string window_location; |
| 182 EXPECT_TRUE(ExecuteScriptAndExtractString( | 231 EXPECT_TRUE(ExecuteScriptAndExtractString( |
| 183 new_contents, "domAutomationController.send(window.location.href);", | 232 new_contents, "domAutomationController.send(window.location.href);", |
| 184 &window_location)); | 233 &window_location)); |
| 185 EXPECT_TRUE(base::MatchPattern(window_location, "*spoof*")); | 234 EXPECT_TRUE(base::MatchPattern(window_location, "*spoof*")); |
| 186 } | 235 } |
| 187 | 236 |
| 188 } // namespace content | 237 } // namespace content |
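Review bot: In LinkToSameOriginFileBlob, the check at new line 133, `EXPECT_EQ(url::Origin(url), url::Origin(new_contents->GetVisibleURL()))`, compares two origins derived from URLs, and line 114 shows that a file: origin serializes to just `file://`, so it likely passes for any file-backed blob URL and says nothing about the origin the popup actually committed with. The visible URL can also differ from the committed one, so I would assert on committed state instead, for example `EXPECT_EQ(url::Origin(url), new_contents->GetMainFrame()->GetLastCommittedOrigin());` (assuming that accessor is available in this tree). Separately, the two tests renamed to `...WithUsername` and `...AddUsernameToBlob` still describe a "spoofy authority section" and "adding an authority" in their comments (new lines 154 and 192); rewording those to say username would keep names and comments in step. `GetTestUrl(NULL, "title1.html")` on line 113 would read better with `nullptr`.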