chrome/browser/extensions/window_open_apitest.cc - Issue 2454563003: Fix web accessible resource checks in ShouldAllowOpenURL

Side by Side Diff: chrome/browser/extensions/window_open_apitest.cc

Issue 2454563003: Fix web accessible resource checks in ShouldAllowOpenURL (Closed)

Patch Set: Tighten check a bit more Created 4 years, 1 month ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

« chrome/browser/extensions/process_manager_browsertest.cc ('K') | « chrome/browser/extensions/process_manager_browsertest.cc ('k') | chrome/test/data/extensions/uitest/window_open/manifest.json » ('j') | chrome/test/data/extensions/uitest/window_open/manifest.json » ('J')
Toggle Intra-line Diffs ('i') | Expand Comments ('e') | Collapse Comments ('c') | Hide Comments ('s')

OLD	NEW
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.	1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.

2 // Use of this source code is governed by a BSD-style license that can be	2 // Use of this source code is governed by a BSD-style license that can be

3 // found in the LICENSE file.	3 // found in the LICENSE file.

4	4

5 #include <stddef.h>	5 #include <stddef.h>

6	6

7 #include "base/path_service.h"	7 #include "base/path_service.h"

8 #include "base/strings/stringprintf.h"	8 #include "base/strings/stringprintf.h"

9 #include "build/build_config.h"	9 #include "build/build_config.h"

10 #include "chrome/browser/extensions/extension_apitest.h"	10 #include "chrome/browser/extensions/extension_apitest.h"

11 #include "chrome/browser/profiles/profile.h"	11 #include "chrome/browser/profiles/profile.h"

12 #include "chrome/browser/ui/browser.h"	12 #include "chrome/browser/ui/browser.h"

13 #include "chrome/browser/ui/browser_finder.h"	13 #include "chrome/browser/ui/browser_finder.h"

14 #include "chrome/browser/ui/browser_list.h"	14 #include "chrome/browser/ui/browser_list.h"

15 #include "chrome/browser/ui/tabs/tab_strip_model.h"	15 #include "chrome/browser/ui/tabs/tab_strip_model.h"

16 #include "chrome/common/chrome_paths.h"	16 #include "chrome/common/chrome_paths.h"

17 #include "chrome/test/base/ui_test_utils.h"	17 #include "chrome/test/base/ui_test_utils.h"

	18 #include "content/public/browser/notification_service.h"

	19 #include "content/public/browser/notification_types.h"

	20 #include "content/public/browser/render_frame_host.h"

18 #include "content/public/browser/render_process_host.h"	21 #include "content/public/browser/render_process_host.h"

19 #include "content/public/browser/web_contents.h"	22 #include "content/public/browser/web_contents.h"

20 #include "content/public/common/result_codes.h"	23 #include "content/public/common/result_codes.h"

21 #include "content/public/common/url_constants.h"	24 #include "content/public/common/url_constants.h"

22 #include "content/public/test/browser_test_utils.h"	25 #include "content/public/test/browser_test_utils.h"

23 #include "extensions/browser/extension_host.h"	26 #include "extensions/browser/extension_host.h"

24 #include "extensions/browser/process_manager.h"	27 #include "extensions/browser/process_manager.h"

25 #include "extensions/common/constants.h"	28 #include "extensions/common/constants.h"

26 #include "extensions/common/extension.h"	29 #include "extensions/common/extension.h"

27 #include "extensions/test/extension_test_message_listener.h"	30 #include "extensions/test/extension_test_message_listener.h"

(...skipping 249 matching lines...) Expand 10 before \| Expand all \| Expand 10 after Loading...
277 last_loaded_extension_id() + "/newtab.html"),	280 last_loaded_extension_id() + "/newtab.html"),

278 false,	281 false,

279 &newtab));	282 &newtab));

280	283

281 // Extension API should succeed.	284 // Extension API should succeed.

282 bool result = false;	285 bool result = false;

283 ASSERT_TRUE(content::ExecuteScriptAndExtractBool(newtab, "testExtensionApi()",	286 ASSERT_TRUE(content::ExecuteScriptAndExtractBool(newtab, "testExtensionApi()",

284 &result));	287 &result));

285 EXPECT_TRUE(result);	288 EXPECT_TRUE(result);

286 }	289 }

	290

	291 // Tests that calling window.open for an extension URL from a non-HTTP or HTTPS

	292 // URL on a new tab cannot access non-web-accessible resources.

	293 IN_PROC_BROWSER_TEST_F(ExtensionBrowserTest,

	294 WindowOpenInaccessibleResourceFromDataURL) {
	alexmos 2016/10/28 00:29:41 This is checking the case that would've previously This is checking the case that would've previously been incorrectly allowed by ShouldAllowOpenURL due to the SchemeIsHTTPOrHTTPS() restriction.
	295 ASSERT_TRUE(LoadExtension(

	296 test_data_dir_.AppendASCII("uitest").AppendASCII("window_open")));

	297

	298 ui_test_utils::NavigateToURL(browser(), GURL("data:text/html,foo"));

	299

	300 // test.html is not web-accessible and should not be loaded.

	301 GURL extension_url(std::string(extensions::kExtensionScheme) +

	302 url::kStandardSchemeSeparator +

	303 last_loaded_extension_id() + "/test.html");

	304 content::WindowedNotificationObserver windowed_observer(

	305 content::NOTIFICATION_LOAD_STOP,

	306 content::NotificationService::AllSources());

	307 ASSERT_TRUE(content::ExecuteScript(

	308 browser()->tab_strip_model()->GetActiveWebContents(),

	309 "window.open('" + extension_url.spec() + "');"));

	310 windowed_observer.Wait();

	311 content::NavigationController* controller =

	312 content::Source<content::NavigationController>(windowed_observer.source())

	313 .ptr();

	314 content::WebContents* newtab = controller->GetWebContents();

	315 ASSERT_TRUE(newtab);

	316

	317 EXPECT_NE(extension_url, newtab->GetMainFrame()->GetLastCommittedURL());

	318 EXPECT_NE(std::string(extensions::kExtensionScheme),

	319 newtab->GetMainFrame()->GetSiteInstance()->GetSiteURL().scheme());
	ncarter (slow) 2016/10/28 21:45:03 If you add UMA stats, you could use a histogram_te If you add UMA stats, you could use a histogram_tester here to validate that we blocked it for the reason you expect. alexmos 2016/10/31 23:34:48 Done. Never used histogram_tester before, so wasn Show quoted text On 2016/10/28 21:45:03, ncarter wrote: > If you add UMA stats, you could use a histogram_tester here to validate that we > blocked it for the reason you expect. Done. Never used histogram_tester before, so wasn't sure whether it was worth exposing the ShouldAllowOpenURLFailureReason enum values to tests or just using hardcoded values. I did the latter for now, as the enum covers such obscure cases that I'm not sure it's worth exposing more widely, but also happy to do the former (is there a good place for the enum?). ncarter (slow) 2016/10/31 23:42:09 Hardcoded values are the way to go. It's arguably Show quoted text On 2016/10/31 23:34:48, alexmos wrote: > On 2016/10/28 21:45:03, ncarter wrote: > > If you add UMA stats, you could use a histogram_tester here to validate that > we > > blocked it for the reason you expect. > > Done. Never used histogram_tester before, so wasn't sure whether it was worth > exposing the ShouldAllowOpenURLFailureReason enum values to tests or just using > hardcoded values. I did the latter for now, as the enum covers such obscure > cases that I'm not sure it's worth exposing more widely, but also happy to do > the former (is there a good place for the enum?). Hardcoded values are the way to go. It's arguably a layering violation, but I actually kind of like this kind of deliberate brittleness for "tests in chrome/ that are really tests of logic in content/".
	320 }

OLD	NEW