BlobUrlBrowserTest: Add a test exercising blob: URLs from file:// documents.

content/browser/blob_storage/blob_url_browsertest.cc

 // Copyright 2016 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "base/macros.h"
 #include "base/strings/pattern.h"
 #include "build/build_config.h"
 #include "content/browser/web_contents/web_contents_impl.h"
 #include "content/public/test/browser_test_utils.h"
 #include "content/public/test/content_browser_test.h"
@@ skipping 72 matching lines @@
       "link.target = '_blank';"
       "link.click()"));
 
   // The link should create a new tab.
   Shell* new_shell = new_shell_observer.GetShell();
   WebContents* new_contents = new_shell->web_contents();
   WaitForLoadStop(new_contents);
 
   EXPECT_TRUE(base::MatchPattern(new_contents->GetVisibleURL().spec(),
                                  "blob:" + origin.Serialize() + "/*"));
-  std::string page_content;
+  std::string popup_text;
   EXPECT_TRUE(ExecuteScriptAndExtractString(
       new_contents,
       "domAutomationController.send("
       "    document.origin + ' ' + document.body.innerText);",
-      &page_content));
-  EXPECT_EQ(origin.Serialize() + " potato", page_content);
+      &popup_text));
+  EXPECT_EQ(origin.Serialize() + " potato", popup_text);
+
+  // The popup is same origin with its opener, and can script it.
+  std::string opener_text;
+  EXPECT_TRUE(ExecuteScriptAndExtractString(
+      new_contents,
+      "domAutomationController.send(window.opener.document.body.innerText);",
+      &opener_text));
+  EXPECT_EQ("This page has no title. Click Me!", opener_text);
+}
+
+IN_PROC_BROWSER_TEST_F(BlobUrlBrowserTest, LinkToSameOriginFileBlob) {
+  // Using a file:// page, click a link that opens a popup to a same-origin
+  // blob.
+  GURL url = GetTestUrl(NULL, "title1.html");
+  EXPECT_EQ("file://", url::Origin(url).Serialize());
+  NavigateToURL(shell(), url);
+
+  ShellAddedObserver new_shell_observer;
+  EXPECT_TRUE(ExecuteScript(
+      shell(),
+      "var link = document.body.appendChild(document.createElement('a'));"
+      "link.innerText = 'Click Me!';"
+      "link.href = URL.createObjectURL(new Blob(['potato']));"
+      "link.target = '_blank';"
+      "link.click()"));
+
+  // The link should create a new tab.
+  Shell* new_shell = new_shell_observer.GetShell();
+  WebContents* new_contents = new_shell->web_contents();
+  WaitForLoadStop(new_contents);
+
+  EXPECT_TRUE(base::MatchPattern(new_contents->GetVisibleURL().spec(),
+                                 "blob:file:///*"));

[Charlie Reis, 2016/09/28 22:48:10]

I was surprised by this.  In practice, we get a "null" origin on the blob URL,
since file URLs aren't allowed to script each other.

Looks like this is happening due to the following line in
BrowserTestBase::SetUp:
command_line->AppendSwitch(switches::kAllowFileAccessFromFiles);

+  EXPECT_EQ(url::Origin(url), url::Origin(new_contents->GetVisibleURL()));
+  std::string popup_text;
+  EXPECT_TRUE(ExecuteScriptAndExtractString(
+      new_contents,
+      "domAutomationController.send("
+      "    document.origin + ' ' + document.body.innerText);",
+      &popup_text));
+  EXPECT_EQ("file:// potato", popup_text);
+
+  // The popup is same origin with its opener, and can script it.
+  std::string opener_text;
+  EXPECT_TRUE(ExecuteScriptAndExtractString(
+      new_contents,
+      "domAutomationController.send(window.opener.document.body.innerText);",

[Charlie Reis, 2016/09/28 22:48:10]

Amazingly, this still works even with my null origin blob!  That's pretty
surprising.  According to dcheng@, that's because the blob inherits the
SecurityOrigin of the creator (in PublicURLManager::registerURL).

+      &opener_text));
+  EXPECT_EQ("This page has no title. Click Me!", opener_text);
 }
 
 // Regression test for https://crbug.com/646278
-IN_PROC_BROWSER_TEST_F(BlobUrlBrowserTest, LinkToSameOriginBlobWithAuthority) {
+IN_PROC_BROWSER_TEST_F(BlobUrlBrowserTest, LinkToSameOriginBlobWithUsername) {
   // Using an http page, click a link that opens a popup to a same-origin blob
   // that has a spoofy authority section applied. This should be blocked.
   GURL url = embedded_test_server()->GetURL("chromium.org", "/title1.html");
   url::Origin origin(url);
   NavigateToURL(shell(), url);
 
   ShellAddedObserver new_shell_observer;
   EXPECT_TRUE(ExecuteScript(
       shell(),
       "var link = document.body.appendChild(document.createElement('a'));"
@@ skipping 17 matching lines @@
   std::string page_content;
   EXPECT_TRUE(ExecuteScriptAndExtractString(
       new_contents,
       "domAutomationController.send("
       "    document.origin + ' ' + document.body.innerText);",
       &page_content));
   EXPECT_EQ(origin.Serialize() + " ", page_content);  // no potato
 }
 
 // Regression test for https://crbug.com/646278
-IN_PROC_BROWSER_TEST_F(BlobUrlBrowserTest, ReplaceStateToAddAuthorityToBlob) {
+IN_PROC_BROWSER_TEST_F(BlobUrlBrowserTest, ReplaceStateToAddUsernameToBlob) {
   // history.replaceState from a validly loaded blob URL shouldn't allow adding
   // an authority to the inner URL, which would be spoofy.
   GURL url = embedded_test_server()->GetURL("chromium.org", "/title1.html");
   url::Origin origin(url);
   NavigateToURL(shell(), url);
 
   ShellAddedObserver new_shell_observer;
   EXPECT_TRUE(ExecuteScript(
       shell(),
       "var spoof_fn = function () {\n"
@@ skipping 27 matching lines @@
   // TODO(nick): Currently, window.location still reflects the spoof URL.
   // This seems unfortunate -- can we fix it?
   std::string window_location;
   EXPECT_TRUE(ExecuteScriptAndExtractString(
       new_contents, "domAutomationController.send(window.location.href);",
       &window_location));
   EXPECT_TRUE(base::MatchPattern(window_location, "*spoof*"));
 }
 
 }  // namespace content