| Index: content/browser/blob_storage/blob_url_browsertest.cc
|
| diff --git a/content/browser/blob_storage/blob_url_browsertest.cc b/content/browser/blob_storage/blob_url_browsertest.cc
|
| index f25ee5b258fa24a455d7e1d13e7f6f8f42299705..7a6171db3dab736eab456b0c121558aecd04b1a9 100644
|
| --- a/content/browser/blob_storage/blob_url_browsertest.cc
|
| +++ b/content/browser/blob_storage/blob_url_browsertest.cc
|
| @@ -22,7 +22,11 @@ namespace content {
|
| // Tests of the blob: URL scheme.
|
| class BlobUrlBrowserTest : public ContentBrowserTest {
|
| public:
|
| - BlobUrlBrowserTest() {}
|
| + BlobUrlBrowserTest() {
|
| + // Run with file:// URLs in unique origins, as is the default for the
|
| + // browser, but normally relaxed in browsertests.
|
| + RevokeFileAccessFromFiles();
|
| + }
|
|
|
| void SetUpOnMainThread() override {
|
| host_resolver()->AddRule("*", "127.0.0.1");
|
| @@ -90,17 +94,77 @@ IN_PROC_BROWSER_TEST_F(BlobUrlBrowserTest, LinkToSameOriginBlob) {
|
|
|
| EXPECT_TRUE(base::MatchPattern(new_contents->GetVisibleURL().spec(),
|
| "blob:" + origin.Serialize() + "/*"));
|
| - std::string page_content;
|
| + std::string popup_text;
|
| EXPECT_TRUE(ExecuteScriptAndExtractString(
|
| new_contents,
|
| "domAutomationController.send("
|
| " document.origin + ' ' + document.body.innerText);",
|
| - &page_content));
|
| - EXPECT_EQ(origin.Serialize() + " potato", page_content);
|
| + &popup_text));
|
| + EXPECT_EQ(origin.Serialize() + " potato", popup_text);
|
| +
|
| + // The popup is same origin with its opener, and can script it.
|
| + std::string opener_text;
|
| + EXPECT_TRUE(ExecuteScriptAndExtractString(
|
| + new_contents,
|
| + "domAutomationController.send(window.opener.document.body.innerText);",
|
| + &opener_text));
|
| + EXPECT_EQ("This page has no title. Click Me!", opener_text);
|
| +}
|
| +
|
| +IN_PROC_BROWSER_TEST_F(BlobUrlBrowserTest, LinkToSameOriginFileBlob) {
|
| + // Using a file:// page, click a link that opens a popup to a same-origin
|
| + // blob.
|
| + GURL url = GetTestUrl(NULL, "title1.html");
|
| + EXPECT_EQ("file://", url::Origin(url).Serialize());
|
| + NavigateToURL(shell(), url);
|
| +
|
| + ShellAddedObserver new_shell_observer;
|
| + EXPECT_TRUE(ExecuteScript(
|
| + shell(),
|
| + "var link = document.body.appendChild(document.createElement('a'));"
|
| + "link.innerText = 'Click Me!';"
|
| + "link.href = URL.createObjectURL(new Blob(['potato']));"
|
| + "link.target = '_blank';"
|
| + "link.click()"));
|
| +
|
| + // The link should create a new tab.
|
| + Shell* new_shell = new_shell_observer.GetShell();
|
| + WebContents* new_contents = new_shell->web_contents();
|
| + WaitForLoadStop(new_contents);
|
| +
|
| + EXPECT_EQ(new_contents->GetRenderProcessHost(),
|
| + shell()->web_contents()->GetRenderProcessHost());
|
| +
|
| + EXPECT_TRUE(
|
| + base::MatchPattern(new_contents->GetVisibleURL().spec(), "blob:null/*"));
|
| + EXPECT_EQ("file://", shell()
|
| + ->web_contents()
|
| + ->GetMainFrame()
|
| + ->GetLastCommittedOrigin()
|
| + .Serialize());
|
| + EXPECT_EQ("null", url::Origin(new_contents->GetVisibleURL()).Serialize());
|
| + EXPECT_EQ("file://",
|
| + url::Origin(new_contents->GetMainFrame()->GetLastCommittedOrigin())
|
| + .Serialize());
|
| + std::string popup_text;
|
| + EXPECT_TRUE(ExecuteScriptAndExtractString(
|
| + new_contents,
|
| + "domAutomationController.send("
|
| + " document.origin + ' ' + document.body.innerText);",
|
| + &popup_text));
|
| + EXPECT_EQ("null potato", popup_text);
|
| +
|
| + // The popup is same origin with its opener, and can script it.
|
| + std::string opener_text;
|
| + EXPECT_TRUE(ExecuteScriptAndExtractString(
|
| + new_contents,
|
| + "domAutomationController.send(window.opener.document.body.innerText);",
|
| + &opener_text));
|
| + EXPECT_EQ("This page has no title. Click Me!", opener_text);
|
| }
|
|
|
| // Regression test for https://crbug.com/646278
|
| -IN_PROC_BROWSER_TEST_F(BlobUrlBrowserTest, LinkToSameOriginBlobWithAuthority) {
|
| +IN_PROC_BROWSER_TEST_F(BlobUrlBrowserTest, LinkToSameOriginBlobWithUsername) {
|
| // Using an http page, click a link that opens a popup to a same-origin blob
|
| // that has a spoofy authority section applied. This should be blocked.
|
| GURL url = embedded_test_server()->GetURL("chromium.org", "/title1.html");
|
| @@ -138,7 +202,7 @@ IN_PROC_BROWSER_TEST_F(BlobUrlBrowserTest, LinkToSameOriginBlobWithAuthority) {
|
| }
|
|
|
| // Regression test for https://crbug.com/646278
|
| -IN_PROC_BROWSER_TEST_F(BlobUrlBrowserTest, ReplaceStateToAddAuthorityToBlob) {
|
| +IN_PROC_BROWSER_TEST_F(BlobUrlBrowserTest, ReplaceStateToAddUsernameToBlob) {
|
| // history.replaceState from a validly loaded blob URL shouldn't allow adding
|
| // an authority to the inner URL, which would be spoofy.
|
| GURL url = embedded_test_server()->GetURL("chromium.org", "/title1.html");
|
|
|