Chromium Code Reviews Chromium Code Reviews
Issue 2607413003:
Add security feature to ProvisionalSavePassword (Closed)
| OLD | NEW |
|---|---|
| 1 // Copyright 2013 The Chromium Authors. All rights reserved. | 1 // Copyright 2013 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include <string> | 5 #include <string> |
| 6 #include <utility> | 6 #include <utility> |
| 7 | 7 |
| 8 #include "base/command_line.h" | 8 #include "base/command_line.h" |
| 9 #include "base/macros.h" | 9 #include "base/macros.h" |
| 10 #include "base/memory/ptr_util.h" | 10 #include "base/memory/ptr_util.h" |
| (...skipping 1394 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 1405 std::unique_ptr<BubbleObserver> prompt_observer( | 1405 std::unique_ptr<BubbleObserver> prompt_observer( |
| 1406 new BubbleObserver(WebContents())); | 1406 new BubbleObserver(WebContents())); |
| 1407 ui_test_utils::NavigateToURL(browser(), https_url); | 1407 ui_test_utils::NavigateToURL(browser(), https_url); |
| 1408 | 1408 |
| 1409 observer.SetPathToWaitFor("/password/done_and_separate_login_form.html"); | 1409 observer.SetPathToWaitFor("/password/done_and_separate_login_form.html"); |
| 1410 observer.Wait(); | 1410 observer.Wait(); |
| 1411 | 1411 |
| 1412 EXPECT_FALSE(prompt_observer->IsShowingSavePrompt()); | 1412 EXPECT_FALSE(prompt_observer->IsShowingSavePrompt()); |
| 1413 } | 1413 } |
| 1414 | 1414 |
| 1415 IN_PROC_BROWSER_TEST_F( | |
| 1416 PasswordManagerBrowserTestBase, | |
| 1417 NoPromptForSeperateLoginFormWhenSwitchingFromHttpsToHttp) { | |
| 1418 base::CommandLine::ForCurrentProcess()->AppendSwitch( | |
| 1419 ::switches::kAllowRunningInsecureContent); | |
| 1420 base::CommandLine::ForCurrentProcess()->AppendSwitch( | |
| 1421 ::switches::kIgnoreCertificateErrors); | |
| 1422 const base::FilePath::CharType kDocRoot[] = | |
| 1423 FILE_PATH_LITERAL("chrome/test/data"); | |
| 1424 net::EmbeddedTestServer https_test_server( | |
| 1425 net::EmbeddedTestServer::TYPE_HTTPS); | |
| 1426 https_test_server.ServeFilesFromSourceDirectory(base::FilePath(kDocRoot)); | |
| 1427 ASSERT_TRUE(https_test_server.Start()); | |
|
jdoerrie
2017/01/05 18:11:30
This part probably should be moved into its own me
vasilii
2017/01/09 14:16:55
Acknowledged.
| |
| 1428 | |
| 1429 std::string path = "/password/password_form.html"; | |
| 1430 GURL https_url(https_test_server.GetURL(path)); | |
| 1431 ASSERT_TRUE(https_url.SchemeIs(url::kHttpsScheme)); | |
| 1432 | |
| 1433 NavigationObserver form_observer(WebContents()); | |
| 1434 ui_test_utils::NavigateToURL(browser(), https_url); | |
| 1435 form_observer.Wait(); | |
| 1436 | |
| 1437 std::string fill_and_submit_redirect = | |
| 1438 "document.getElementById('username_redirect').value = 'user';" | |
| 1439 "document.getElementById('password_redirect').value = 'password';" | |
| 1440 "document.getElementById('submit_redirect').click()"; | |
| 1441 ASSERT_TRUE( | |
| 1442 content::ExecuteScript(RenderViewHost(), fill_and_submit_redirect)); | |
| 1443 | |
| 1444 NavigationObserver redirect_observer(WebContents()); | |
| 1445 redirect_observer.SetPathToWaitFor("/password/redirect.html"); | |
| 1446 redirect_observer.Wait(); | |
| 1447 | |
| 1448 GURL http_url(embedded_test_server()->GetURL("/password/done.html")); | |
| 1449 std::string http_redirect = | |
| 1450 "window.location.href = '" + http_url.spec() + "';"; | |
| 1451 ASSERT_TRUE(content::ExecuteScript(RenderViewHost(), http_redirect)); | |
| 1452 | |
| 1453 NavigationObserver first_done_observer(WebContents()); | |
| 1454 first_done_observer.SetPathToWaitFor("/password/done.html"); | |
| 1455 first_done_observer.Wait(); | |
| 1456 | |
| 1457 std::string attacker_redirect = | |
| 1458 "window.location.href = 'simple_password.html'"; | |
| 1459 ASSERT_TRUE(content::ExecuteScript(RenderViewHost(), attacker_redirect)); | |
| 1460 | |
| 1461 NavigationObserver attacker_observer(WebContents()); | |
| 1462 attacker_observer.SetPathToWaitFor("/password/simple_password.html"); | |
| 1463 attacker_observer.Wait(); | |
| 1464 | |
| 1465 std::string fill_and_submit_attacker_form = | |
| 1466 "document.getElementById('username_field').value = 'attacker_username';" | |
| 1467 "document.getElementById('password_field').value = 'attacker_password';" | |
| 1468 "document.getElementById('input_submit_button').click()"; | |
| 1469 ASSERT_TRUE( | |
| 1470 content::ExecuteScript(RenderViewHost(), fill_and_submit_attacker_form)); | |
| 1471 | |
| 1472 NavigationObserver second_done_observer(WebContents()); | |
| 1473 second_done_observer.SetPathToWaitFor("/password/done.html"); | |
| 1474 second_done_observer.Wait(); | |
| 1475 | |
| 1476 BubbleObserver prompt_observer(WebContents()); | |
| 1477 EXPECT_TRUE(prompt_observer.IsShowingSavePrompt()); | |
| 1478 prompt_observer.AcceptSavePrompt(); | |
| 1479 | |
| 1480 // Check that credentials are stored. | |
| 1481 scoped_refptr<password_manager::TestPasswordStore> password_store = | |
| 1482 static_cast<password_manager::TestPasswordStore*>( | |
| 1483 PasswordStoreFactory::GetForProfile( | |
| 1484 browser()->profile(), ServiceAccessType::IMPLICIT_ACCESS) | |
| 1485 .get()); | |
| 1486 | |
| 1487 // Spin the message loop to make sure the password store had a chance to save | |
| 1488 // the password. | |
| 1489 base::RunLoop run_loop; | |
| 1490 run_loop.RunUntilIdle(); | |
| 1491 EXPECT_FALSE(password_store->IsEmpty()); | |
| 1492 | |
| 1493 CheckThatCredentialsStored(password_store.get(), base::ASCIIToUTF16("user"), | |
| 1494 base::ASCIIToUTF16("password")); | |
| 1495 } | |
| 1496 | |
| 1415 IN_PROC_BROWSER_TEST_F(PasswordManagerBrowserTestBase, | 1497 IN_PROC_BROWSER_TEST_F(PasswordManagerBrowserTestBase, |
| 1416 PromptWhenPasswordFormWithoutUsernameFieldSubmitted) { | 1498 PromptWhenPasswordFormWithoutUsernameFieldSubmitted) { |
| 1417 scoped_refptr<password_manager::TestPasswordStore> password_store = | 1499 scoped_refptr<password_manager::TestPasswordStore> password_store = |
| 1418 static_cast<password_manager::TestPasswordStore*>( | 1500 static_cast<password_manager::TestPasswordStore*>( |
| 1419 PasswordStoreFactory::GetForProfile( | 1501 PasswordStoreFactory::GetForProfile( |
| 1420 browser()->profile(), ServiceAccessType::IMPLICIT_ACCESS).get()); | 1502 browser()->profile(), ServiceAccessType::IMPLICIT_ACCESS).get()); |
| 1421 | 1503 |
| 1422 EXPECT_TRUE(password_store->IsEmpty()); | 1504 EXPECT_TRUE(password_store->IsEmpty()); |
| 1423 | 1505 |
| 1424 NavigateToFile("/password/form_with_only_password_field.html"); | 1506 NavigateToFile("/password/form_with_only_password_field.html"); |
| (...skipping 1652 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 3077 // about all frames, not just the main one. The factories should receive | 3159 // about all frames, not just the main one. The factories should receive |
| 3078 // messages for non-main frames, in particular | 3160 // messages for non-main frames, in particular |
| 3079 // AutofillHostMsg_PasswordFormsParsed. If that were the first time the | 3161 // AutofillHostMsg_PasswordFormsParsed. If that were the first time the |
| 3080 // factories hear about such frames, this would crash. | 3162 // factories hear about such frames, this would crash. |
| 3081 tab_strip_model->AddWebContents(detached_web_contents.release(), -1, | 3163 tab_strip_model->AddWebContents(detached_web_contents.release(), -1, |
| 3082 ::ui::PAGE_TRANSITION_AUTO_TOPLEVEL, | 3164 ::ui::PAGE_TRANSITION_AUTO_TOPLEVEL, |
| 3083 TabStripModel::ADD_ACTIVE); | 3165 TabStripModel::ADD_ACTIVE); |
| 3084 } | 3166 } |
| 3085 | 3167 |
| 3086 } // namespace password_manager | 3168 } // namespace password_manager |
| OLD | NEW |
