Disallow top-level navigation in gaia iframe

chrome/browser/ui/webui/signin/inline_login_ui_browsertest.cc

 // Copyright 2013 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "chrome/browser/signin/signin_promo.h"
 #include "chrome/browser/ui/browser.h"
 #include "chrome/browser/ui/tabs/tab_strip_model.h"
 #include "chrome/common/chrome_switches.h"
 #include "chrome/common/url_constants.h"
 #include "chrome/test/base/in_process_browser_test.h"
 #include "chrome/test/base/test_chrome_web_ui_controller_factory.h"
 #include "chrome/test/base/testing_browser_process.h"
 #include "chrome/test/base/ui_test_utils.h"
 #include "content/public/browser/render_process_host.h"
 #include "content/public/browser/session_storage_namespace.h"
 #include "content/public/browser/storage_partition.h"
 #include "content/public/browser/web_contents.h"
 #include "content/public/browser/web_ui_controller.h"
 #include "content/public/common/url_constants.h"
 #include "content/public/test/browser_test_utils.h"
+#include "net/base/url_util.h"
+#include "net/test/embedded_test_server/embedded_test_server.h"
 #include "testing/gmock/include/gmock/gmock.h"
 #include "testing/gtest/include/gtest/gtest.h"
 
 using ::testing::_;
 
 namespace {
 
 struct ContentInfo {
   ContentInfo(int pid, content::StoragePartition* storage_partition) {
     this->pid = pid;
@@ skipping 85 matching lines @@
                          CURRENT_TAB);
 
   ASSERT_EQ(info1.pid, info2.pid);
   ASSERT_NE(info1.pid, info3.pid);
 }
 
 class InlineLoginUISafeIframeBrowserTest : public InProcessBrowserTest {
  public:
   FooWebUIProvider& foo_provider() { return foo_provider_; }
 
+  void WaitUntilUIReady() {
+    // TODO(guohui): fix the logic below for CrOS.
+#if !defined(OS_CHROMEOS)
+    ASSERT_TRUE(content::ExecuteScript(
+        browser()->tab_strip_model()->GetActiveWebContents(),
+        "if (!inline.login.getAuthExtHost())"
+        "  inline.login.initialize();"
+        "inline.login.getAuthExtHost().addEventListener('ready', function() {"
+        "  window.domAutomationController.setAutomationId(0);"
+        "  window.domAutomationController.send('ready');"
+        "});"));
+
+    content::DOMMessageQueue message_queue;
+    std::string message;
+    ASSERT_TRUE(message_queue.WaitForMessage(&message));

[xiyuan, 2014/04/17 15:04:15]

This is could timeout when 'ready' event is already fired. We probably need to
keep the 'ready' state in GaiaAuthHost and check the state also in addition to
the event listener. 

This might be the case on cros.

[guohui, 2014/04/17 15:08:31]

it seems on cros ready event is fired upon receiving clearOldAttempts message
from the gaia page, while on desktop ready event if fired upon load complete of
the gaia page. To fix the test for cros, i need to change cros code.  As
mentioned in an earlier comment, to minimize the risk, i prefer to disable
WaitUntilUIReady for cros, and fix it in a separate CL.

[guohui, 2014/04/17 15:28:49]

as clarified over chat, xiyuan is right, on desktop this may timeout if ready
event is already fired.  Fixed in a new patch.

+    EXPECT_EQ("\"ready\"", message);
+#endif // OS_CHROMEOS
+  }
+
  private:
   virtual void SetUpOnMainThread() OVERRIDE {
     content::WebUIControllerFactory::UnregisterFactoryForTesting(
         ChromeWebUIControllerFactory::GetInstance());
     test_factory_.reset(new TestChromeWebUIControllerFactory);
     content::WebUIControllerFactory::RegisterFactory(test_factory_.get());
     test_factory_->AddFactoryOverride(
         GURL(kFooWebUIURL).host(), &foo_provider_);
   }
 
@@ skipping 17 matching lines @@
   ui_test_utils::NavigateToURL(browser(), GURL(kFooWebUIURL));
 }
 
 // Make sure that the foo webui handler does not get created when we try to
 // load it inside the iframe of the login ui.
 IN_PROC_BROWSER_TEST_F(InlineLoginUISafeIframeBrowserTest, NoWebUIInIframe) {
   GURL url = signin::GetPromoURL(signin::SOURCE_START_PAGE, false).
       Resolve("?source=0&frameUrl=chrome://foo");
   EXPECT_CALL(foo_provider(), NewWebUI(_, _)).Times(0);
   ui_test_utils::NavigateToURL(browser(), url);
+  WaitUntilUIReady();
 }
+
+// Make sure that the gaia iframe cannot trigger top-frame navigation.
+IN_PROC_BROWSER_TEST_F(InlineLoginUISafeIframeBrowserTest,
+    TopFrameNavigationDisallowed) {
+  ASSERT_TRUE(embedded_test_server()->InitializeAndWaitUntilReady());
+  // Loads into gaia iframe a web page that attempts to deframe on load.
+  GURL deframe_url(embedded_test_server()->GetURL("/login/deframe.html"));
+  GURL url(net::AppendOrReplaceQueryParameter(
+      signin::GetPromoURL(signin::SOURCE_START_PAGE, false),
+      "frameUrl", deframe_url.spec()));
+  ui_test_utils::NavigateToURL(browser(), url);
+  WaitUntilUIReady();
+
+  content::WebContents* contents =
+      browser()->tab_strip_model()->GetActiveWebContents();
+  EXPECT_EQ(url, contents->GetVisibleURL());
+
+  content::NavigationController& controller = contents->GetController();
+  EXPECT_TRUE(controller.GetPendingEntry() == NULL);
+}