BlobUrlBrowserTest: Add a test exercising blob: URLs from file:// documents.

content/browser/blob_storage/blob_url_browsertest.cc

Index: content/browser/blob_storage/blob_url_browsertest.cc
diff --git a/content/browser/blob_storage/blob_url_browsertest.cc b/content/browser/blob_storage/blob_url_browsertest.cc
index f25ee5b258fa24a455d7e1d13e7f6f8f42299705..d6b5e6e17af5fa5fb2605ec6d7e11609f5d28cc2 100644
--- a/content/browser/blob_storage/blob_url_browsertest.cc
+++ b/content/browser/blob_storage/blob_url_browsertest.cc
@@ -90,17 +90,66 @@ IN_PROC_BROWSER_TEST_F(BlobUrlBrowserTest, LinkToSameOriginBlob) {
 
   EXPECT_TRUE(base::MatchPattern(new_contents->GetVisibleURL().spec(),
                                  "blob:" + origin.Serialize() + "/*"));
-  std::string page_content;
+  std::string popup_text;
   EXPECT_TRUE(ExecuteScriptAndExtractString(
       new_contents,
       "domAutomationController.send("
       "    document.origin + ' ' + document.body.innerText);",
-      &page_content));
-  EXPECT_EQ(origin.Serialize() + " potato", page_content);
+      &popup_text));
+  EXPECT_EQ(origin.Serialize() + " potato", popup_text);
+
+  // The popup is same origin with its opener, and can script it.
+  std::string opener_text;
+  EXPECT_TRUE(ExecuteScriptAndExtractString(
+      new_contents,
+      "domAutomationController.send(window.opener.document.body.innerText);",
+      &opener_text));
+  EXPECT_EQ("This page has no title. Click Me!", opener_text);
+}
+
+IN_PROC_BROWSER_TEST_F(BlobUrlBrowserTest, LinkToSameOriginFileBlob) {
+  // Using a file:// page, click a link that opens a popup to a same-origin
+  // blob.
+  GURL url = GetTestUrl(NULL, "title1.html");
+  EXPECT_EQ("file://", url::Origin(url).Serialize());
+  NavigateToURL(shell(), url);
+
+  ShellAddedObserver new_shell_observer;
+  EXPECT_TRUE(ExecuteScript(
+      shell(),
+      "var link = document.body.appendChild(document.createElement('a'));"
+      "link.innerText = 'Click Me!';"
+      "link.href = URL.createObjectURL(new Blob(['potato']));"
+      "link.target = '_blank';"
+      "link.click()"));
+
+  // The link should create a new tab.
+  Shell* new_shell = new_shell_observer.GetShell();
+  WebContents* new_contents = new_shell->web_contents();
+  WaitForLoadStop(new_contents);
+
+  EXPECT_TRUE(base::MatchPattern(new_contents->GetVisibleURL().spec(),
+                                 "blob:file:///*"));

[Charlie Reis, 2016/09/28 22:48:10]

I was surprised by this.  In practice, we get a "null" origin on the blob URL,
since file URLs aren't allowed to script each other.

Looks like this is happening due to the following line in
BrowserTestBase::SetUp:
command_line->AppendSwitch(switches::kAllowFileAccessFromFiles);

+  EXPECT_EQ(url::Origin(url), url::Origin(new_contents->GetVisibleURL()));
+  std::string popup_text;
+  EXPECT_TRUE(ExecuteScriptAndExtractString(
+      new_contents,
+      "domAutomationController.send("
+      "    document.origin + ' ' + document.body.innerText);",
+      &popup_text));
+  EXPECT_EQ("file:// potato", popup_text);
+
+  // The popup is same origin with its opener, and can script it.
+  std::string opener_text;
+  EXPECT_TRUE(ExecuteScriptAndExtractString(
+      new_contents,
+      "domAutomationController.send(window.opener.document.body.innerText);",

[Charlie Reis, 2016/09/28 22:48:10]

Amazingly, this still works even with my null origin blob!  That's pretty
surprising.  According to dcheng@, that's because the blob inherits the
SecurityOrigin of the creator (in PublicURLManager::registerURL).

+      &opener_text));
+  EXPECT_EQ("This page has no title. Click Me!", opener_text);
 }
 
 // Regression test for https://crbug.com/646278
-IN_PROC_BROWSER_TEST_F(BlobUrlBrowserTest, LinkToSameOriginBlobWithAuthority) {
+IN_PROC_BROWSER_TEST_F(BlobUrlBrowserTest, LinkToSameOriginBlobWithUsername) {
   // Using an http page, click a link that opens a popup to a same-origin blob
   // that has a spoofy authority section applied. This should be blocked.
   GURL url = embedded_test_server()->GetURL("chromium.org", "/title1.html");
@@ -138,7 +187,7 @@ IN_PROC_BROWSER_TEST_F(BlobUrlBrowserTest, LinkToSameOriginBlobWithAuthority) {
 }
 
 // Regression test for https://crbug.com/646278
-IN_PROC_BROWSER_TEST_F(BlobUrlBrowserTest, ReplaceStateToAddAuthorityToBlob) {
+IN_PROC_BROWSER_TEST_F(BlobUrlBrowserTest, ReplaceStateToAddUsernameToBlob) {
   // history.replaceState from a validly loaded blob URL shouldn't allow adding
   // an authority to the inner URL, which would be spoofy.
   GURL url = embedded_test_server()->GetURL("chromium.org", "/title1.html");