Disallow JS execution on WebUI pages.

ios/web/web_state/ui/crw_web_controller_unittest.mm

 // Copyright 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #import "ios/web/web_state/ui/crw_web_controller.h"
 
 #import <WebKit/WebKit.h>
 
 #include <utility>
 
@@ skipping 15 matching lines @@
 #import "ios/web/public/web_state/crw_web_controller_observer.h"
 #import "ios/web/public/web_state/ui/crw_content_view.h"
 #import "ios/web/public/web_state/ui/crw_native_content.h"
 #import "ios/web/public/web_state/ui/crw_native_content_provider.h"
 #import "ios/web/public/web_state/ui/crw_web_view_content_view.h"
 #include "ios/web/public/web_state/url_verification_constants.h"
 #include "ios/web/public/web_state/web_state_observer.h"
 #import "ios/web/test/web_test_with_web_controller.h"
 #import "ios/web/test/wk_web_view_crash_utils.h"
 #import "ios/web/web_state/ui/crw_web_controller_container_view.h"
+#import "ios/web/web_state/ui/web_view_js_utils.h"
 #import "ios/web/web_state/web_state_impl.h"
 #import "ios/web/web_state/wk_web_view_security_util.h"
 #import "net/base/mac/url_conversions.h"
 #include "net/ssl/ssl_info.h"
 #include "net/test/cert_test_util.h"
 #include "net/test/test_data_directory.h"
 #include "testing/gtest/include/gtest/gtest.h"
 #import "testing/gtest_mac.h"
 #include "third_party/ocmock/OCMock/OCMock.h"
 #include "third_party/ocmock/gtest_support.h"
@@ skipping 821 matching lines @@
   // Expect at least one more TitleWasSet callback after changing title via
   // JavaScript. On iOS 10 WKWebView fires 3 callbacks after JS excucution
   // with the following title changes: "Title2", "" and "Title2".
   // TODO(crbug.com/696104): There should be only 2 calls of TitleWasSet.
   // Fix expecteation when WKWebView stops sending extra KVO calls.
   ExecuteJavaScript(@"window.document.title = 'Title2';");
   EXPECT_EQ("Title2", base::UTF16ToUTF8(web_state()->GetTitle()));
   EXPECT_GE(observer.title_change_count(), 2);
 };
 
+// Test fixture for JavaScript execution.
+class ScriptExecutionTest : public web::WebTestWithWebController {
+ protected:
+  // Calls |executeUserJavaScript:completionHandler:|, waits for script
+  // execution completion, and synchronously returns the result.
+  id ExecuteUserJavaScript(NSString* java_script, NSError** error) {
+    __block id script_result = nil;
+    __block NSError* script_error = nil;
+    __block bool script_executed = false;
+    [web_controller()
+        executeUserJavaScript:java_script
+            completionHandler:^(id local_result, NSError* local_error) {
+              script_result = [local_result retain];
+              script_error = [local_error retain];
+              script_executed = true;
+            }];
+
+    WaitForCondition(^{
+      return script_executed;
+    });
+
+    if (error) {
+      *error = script_error;
+    }
+    [script_error autorelease];
+    return [script_result autorelease];
+  }
+};
+
+// Tests evaluating user script on an http page.
+TEST_F(ScriptExecutionTest, UserScriptOnHttpPage) {
+  LoadHtml(@"<html></html>", GURL(kTestURLString));
+  NSError* error = nil;
+  EXPECT_NSEQ(@0, ExecuteUserJavaScript(@"window.w = 0;", &error));
+  EXPECT_FALSE(error);
+
+  EXPECT_NSEQ(@0, ExecuteJavaScript(@"window.w"));
+};
+
+// Tests evaluating user script on app-specific page. Pages with app-specific
+// URLs have elevatied previledges and JavaScript execution should not be

[lpromero, 2017/03/23 12:43:48]

nit: elevated privileges

[Eugene But (OOO till 7-30), 2017/03/23 17:45:08]

Done.

+// allowed for them.
+TEST_F(ScriptExecutionTest, UserScriptOnAppSpecificPage) {
+  LoadHtml(@"<html></html>", GURL(kTestURLString));
+
+  // Change last committed URL to app-specific URL.
+  web::NavigationManagerImpl& nav_manager =
+      [web_controller() webStateImpl]->GetNavigationManagerImpl();
+  nav_manager.AddPendingItem(GURL(kTestAppSpecificURL), web::Referrer(),
+                             ui::PAGE_TRANSITION_TYPED,
+                             web::NavigationInitiationType::USER_INITIATED);
+  [nav_manager.GetSessionController() commitPendingItem];
+
+  NSError* error = nil;
+  EXPECT_FALSE(ExecuteUserJavaScript(@"window.w = 0;", &error));
+  ASSERT_TRUE(error);
+  EXPECT_NSEQ(web::kJSEvaluationErrorDomain, error.domain);
+  EXPECT_EQ(web::JS_EVALUATION_ERROR_CODE_NO_WEB_VIEW, error.code);
+
+  EXPECT_FALSE(ExecuteJavaScript(@"window.w"));
+};
+
 // Fixture class to test WKWebView crashes.
 class CRWWebControllerWebProcessTest : public web::WebTestWithWebController {
  protected:
   void SetUp() override {
     web::WebTestWithWebController::SetUp();
     webView_.reset([web::BuildTerminatedWKWebView() retain]);
     base::scoped_nsobject<TestWebViewContentView> webViewContentView(
         [[TestWebViewContentView alloc]
             initWithMockWebView:webView_
                      scrollView:[webView_ scrollView]]);
@@ skipping 12 matching lines @@
   web::TestWebStateObserver* observer_ptr = &observer;
   web::SimulateWKWebViewCrash(webView_);
   base::test::ios::WaitUntilCondition(^bool() {
     return observer_ptr->render_process_gone_info();
   });
   EXPECT_EQ(web_state(), observer.render_process_gone_info()->web_state);
   EXPECT_FALSE([web_controller() isViewAlive]);
 };
 
 }  // namespace