Index: chrome/browser/extensions/window_open_apitest.cc |
diff --git a/chrome/browser/extensions/window_open_apitest.cc b/chrome/browser/extensions/window_open_apitest.cc |
index fd74795d400469757105e131d63d72e4c9daa33a..2715d1d706a6904761c488f3418bf95cb6453bc1 100644 |
--- a/chrome/browser/extensions/window_open_apitest.cc |
+++ b/chrome/browser/extensions/window_open_apitest.cc |
@@ -15,6 +15,9 @@ |
#include "chrome/browser/ui/tabs/tab_strip_model.h" |
#include "chrome/common/chrome_paths.h" |
#include "chrome/test/base/ui_test_utils.h" |
+#include "content/public/browser/notification_service.h" |
+#include "content/public/browser/notification_types.h" |
+#include "content/public/browser/render_frame_host.h" |
#include "content/public/browser/render_process_host.h" |
#include "content/public/browser/web_contents.h" |
#include "content/public/common/result_codes.h" |
@@ -284,3 +287,34 @@ IN_PROC_BROWSER_TEST_F(ExtensionBrowserTest, WindowOpenNoPrivileges) { |
&result)); |
EXPECT_TRUE(result); |
} |
+ |
+// Tests that calling window.open for an extension URL from a non-HTTP or HTTPS |
+// URL on a new tab cannot access non-web-accessible resources. |
+IN_PROC_BROWSER_TEST_F(ExtensionBrowserTest, |
+ WindowOpenInaccessibleResourceFromDataURL) { |
alexmos
2016/10/28 00:29:41
This is checking the case that would've previously
|
+ ASSERT_TRUE(LoadExtension( |
+ test_data_dir_.AppendASCII("uitest").AppendASCII("window_open"))); |
+ |
+ ui_test_utils::NavigateToURL(browser(), GURL("data:text/html,foo")); |
+ |
+ // test.html is not web-accessible and should not be loaded. |
+ GURL extension_url(std::string(extensions::kExtensionScheme) + |
+ url::kStandardSchemeSeparator + |
+ last_loaded_extension_id() + "/test.html"); |
+ content::WindowedNotificationObserver windowed_observer( |
+ content::NOTIFICATION_LOAD_STOP, |
+ content::NotificationService::AllSources()); |
+ ASSERT_TRUE(content::ExecuteScript( |
+ browser()->tab_strip_model()->GetActiveWebContents(), |
+ "window.open('" + extension_url.spec() + "');")); |
+ windowed_observer.Wait(); |
+ content::NavigationController* controller = |
+ content::Source<content::NavigationController>(windowed_observer.source()) |
+ .ptr(); |
+ content::WebContents* newtab = controller->GetWebContents(); |
+ ASSERT_TRUE(newtab); |
+ |
+ EXPECT_NE(extension_url, newtab->GetMainFrame()->GetLastCommittedURL()); |
+ EXPECT_NE(std::string(extensions::kExtensionScheme), |
+ newtab->GetMainFrame()->GetSiteInstance()->GetSiteURL().scheme()); |
ncarter (slow)
2016/10/28 21:45:03
If you add UMA stats, you could use a histogram_te
alexmos
2016/10/31 23:34:48
Done. Never used histogram_tester before, so wasn
ncarter (slow)
2016/10/31 23:42:09
Hardcoded values are the way to go. It's arguably
|
+} |