| OLD | NEW |
|---|
| 1 // Copyright 2016 The Chromium Authors. All rights reserved. | 1 // Copyright 2016 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "core/html/HTMLIFrameElement.h" | 5 #include "core/html/HTMLIFrameElement.h" |
| 6 | 6 |
| 7 #include "core/dom/Document.h" | 7 #include "core/dom/Document.h" |
| 8 #include "testing/gtest/include/gtest/gtest.h" | 8 #include "testing/gtest/include/gtest/gtest.h" |
| 9 | 9 |
| 10 namespace blink { | 10 namespace blink { |
| (...skipping 11 matching lines...) Expand all Loading... |
| 22 | 22 |
| 23 // Test setting feature policy via the DOMTokenList (JS codepath). | 23 // Test setting feature policy via the DOMTokenList (JS codepath). |
| 24 TEST(HTMLIFrameElementTest, SetAllowAttributeJS) { | 24 TEST(HTMLIFrameElementTest, SetAllowAttributeJS) { |
| 25 Document* document = Document::Create(); | 25 Document* document = Document::Create(); |
| 26 HTMLIFrameElement* iframe = HTMLIFrameElement::Create(*document); | 26 HTMLIFrameElement* iframe = HTMLIFrameElement::Create(*document); |
| 27 | 27 |
| 28 iframe->allow()->setValue("fullscreen"); | 28 iframe->allow()->setValue("fullscreen"); |
| 29 EXPECT_EQ("fullscreen", iframe->getAttribute(HTMLNames::allowAttr)); | 29 EXPECT_EQ("fullscreen", iframe->getAttribute(HTMLNames::allowAttr)); |
| 30 } | 30 } |
| 31 | 31 |
| 32 // Test that the correct origin is used when constructing the container policy, |
| 33 // and that frames which should inherit their parent document's origin do so. |
| 34 TEST(HTMLIFrameElementTest, FramesUseCorrectOrigin) { |
| 35 Document* document = Document::Create(); |
| 36 KURL document_url = KURL(KURL(), "http://example.com"); |
| 37 document->SetURL(document_url); |
| 38 document->UpdateSecurityOrigin(SecurityOrigin::Create(document_url)); |
| 39 |
| 40 HTMLIFrameElement* frame_element = HTMLIFrameElement::Create(*document); |
| 41 |
| 42 frame_element->setAttribute(HTMLNames::srcAttr, "about:blank"); |
| 43 RefPtr<SecurityOrigin> effective_origin = |
| 44 frame_element->GetOriginForFeaturePolicy(); |
| 45 EXPECT_TRUE( |
| 46 effective_origin->IsSameSchemeHostPort(document->GetSecurityOrigin())); |
| 47 |
| 48 frame_element->setAttribute(HTMLNames::srcAttr, |
| 49 "data:text/html;base64,PHRpdGxlPkFCQzwvdGl0bGU+"); |
| 50 effective_origin = frame_element->GetOriginForFeaturePolicy(); |
| 51 EXPECT_FALSE( |
| 52 effective_origin->IsSameSchemeHostPort(document->GetSecurityOrigin())); |
| 53 EXPECT_TRUE(effective_origin->IsUnique()); |
| 54 |
| 55 frame_element->setAttribute(HTMLNames::srcAttr, "http://example.net/"); |
| 56 effective_origin = frame_element->GetOriginForFeaturePolicy(); |
| 57 EXPECT_FALSE( |
| 58 effective_origin->IsSameSchemeHostPort(document->GetSecurityOrigin())); |
| 59 EXPECT_FALSE(effective_origin->IsUnique()); |
| 60 } |
| 61 |
| 62 // Test that a unique origin is used when constructing the container policy in a |
| 63 // sandboxed iframe. |
| 64 TEST(HTMLIFrameElementTest, SandboxFramesUseCorrectOrigin) { |
| 65 Document* document = Document::Create(); |
| 66 KURL document_url = KURL(KURL(), "http://example.com"); |
| 67 document->SetURL(document_url); |
| 68 document->UpdateSecurityOrigin(SecurityOrigin::Create(document_url)); |
| 69 |
| 70 HTMLIFrameElement* frame_element = HTMLIFrameElement::Create(*document); |
| 71 |
| 72 frame_element->setAttribute(HTMLNames::sandboxAttr, ""); |
| 73 frame_element->setAttribute(HTMLNames::srcAttr, "http://example.com/"); |
| 74 RefPtr<SecurityOrigin> effective_origin = |
| 75 frame_element->GetOriginForFeaturePolicy(); |
| 76 EXPECT_FALSE( |
| 77 effective_origin->IsSameSchemeHostPort(document->GetSecurityOrigin())); |
| 78 EXPECT_TRUE(effective_origin->IsUnique()); |
| 79 |
| 80 frame_element->setAttribute(HTMLNames::srcAttr, "http://example.net/"); |
| 81 effective_origin = frame_element->GetOriginForFeaturePolicy(); |
| 82 EXPECT_FALSE( |
| 83 effective_origin->IsSameSchemeHostPort(document->GetSecurityOrigin())); |
| 84 EXPECT_TRUE(effective_origin->IsUnique()); |
| 85 } |
| 86 |
| 87 // Test that a sandboxed iframe with the allow-same-origin sandbox flag uses the |
| 88 // parent document's origin for the container policy. |
| 89 TEST(HTMLIFrameElementTest, SameOriginSandboxFramesUseCorrectOrigin) { |
| 90 Document* document = Document::Create(); |
| 91 KURL document_url = KURL(KURL(), "http://example.com"); |
| 92 document->SetURL(document_url); |
| 93 document->UpdateSecurityOrigin(SecurityOrigin::Create(document_url)); |
| 94 |
| 95 HTMLIFrameElement* frame_element = HTMLIFrameElement::Create(*document); |
| 96 |
| 97 frame_element->setAttribute(HTMLNames::sandboxAttr, "allow-same-origin"); |
| 98 frame_element->setAttribute(HTMLNames::srcAttr, "http://example.com/"); |
| 99 RefPtr<SecurityOrigin> effective_origin = |
| 100 frame_element->GetOriginForFeaturePolicy(); |
| 101 EXPECT_TRUE( |
| 102 effective_origin->IsSameSchemeHostPort(document->GetSecurityOrigin())); |
| 103 EXPECT_FALSE(effective_origin->IsUnique()); |
| 104 } |
| 105 |
| 106 // Test that the parent document's origin is used when constructing the |
| 107 // container policy in a srcdoc iframe. |
| 108 TEST(HTMLIFrameElementTest, SrcdocFramesUseCorrectOrigin) { |
| 109 Document* document = Document::Create(); |
| 110 KURL document_url = KURL(KURL(), "http://example.com"); |
| 111 document->SetURL(document_url); |
| 112 document->UpdateSecurityOrigin(SecurityOrigin::Create(document_url)); |
| 113 |
| 114 HTMLIFrameElement* frame_element = HTMLIFrameElement::Create(*document); |
| 115 |
| 116 frame_element->setAttribute(HTMLNames::srcdocAttr, "<title>title</title>"); |
| 117 RefPtr<SecurityOrigin> effective_origin = |
| 118 frame_element->GetOriginForFeaturePolicy(); |
| 119 EXPECT_TRUE( |
| 120 effective_origin->IsSameSchemeHostPort(document->GetSecurityOrigin())); |
| 121 } |
| 122 |
| 123 // Test that a unique origin is used when constructing the container policy in a |
| 124 // sandboxed iframe with a srcdoc. |
| 125 TEST(HTMLIFrameElementTest, SandboxedSrcdocFramesUseCorrectOrigin) { |
| 126 Document* document = Document::Create(); |
| 127 KURL document_url = KURL(KURL(), "http://example.com"); |
| 128 document->SetURL(document_url); |
| 129 document->UpdateSecurityOrigin(SecurityOrigin::Create(document_url)); |
| 130 |
| 131 HTMLIFrameElement* frame_element = HTMLIFrameElement::Create(*document); |
| 132 |
| 133 frame_element->setAttribute(HTMLNames::sandboxAttr, ""); |
| 134 frame_element->setAttribute(HTMLNames::srcdocAttr, "<title>title</title>"); |
| 135 RefPtr<SecurityOrigin> effective_origin = |
| 136 frame_element->GetOriginForFeaturePolicy(); |
| 137 EXPECT_FALSE( |
| 138 effective_origin->IsSameSchemeHostPort(document->GetSecurityOrigin())); |
| 139 EXPECT_TRUE(effective_origin->IsUnique()); |
| 140 } |
| 141 |
| 142 // Test that iframes with relative src urls correctly construct their origin |
| 143 // relative to the parent document. |
| 144 TEST(HTMLIFrameElementTest, RelativeURLsUseCorrectOrigin) { |
| 145 Document* document = Document::Create(); |
| 146 KURL document_url = KURL(KURL(), "http://example.com"); |
| 147 document->SetURL(document_url); |
| 148 document->UpdateSecurityOrigin(SecurityOrigin::Create(document_url)); |
| 149 |
| 150 HTMLIFrameElement* frame_element = HTMLIFrameElement::Create(*document); |
| 151 |
| 152 // Host-relative URLs should resolve to the same domain as the parent. |
| 153 frame_element->setAttribute(HTMLNames::srcAttr, "index2.html"); |
| 154 RefPtr<SecurityOrigin> effective_origin = |
| 155 frame_element->GetOriginForFeaturePolicy(); |
| 156 EXPECT_TRUE( |
| 157 effective_origin->IsSameSchemeHostPort(document->GetSecurityOrigin())); |
| 158 |
| 159 // Scheme-relative URLs should not resolve to the same domain as the parent. |
| 160 frame_element->setAttribute(HTMLNames::srcAttr, "//example.net/index2.html"); |
| 161 effective_origin = frame_element->GetOriginForFeaturePolicy(); |
| 162 EXPECT_FALSE( |
| 163 effective_origin->IsSameSchemeHostPort(document->GetSecurityOrigin())); |
| 164 } |
| 165 |
| 166 // Test that various iframe attribute configurations result in the correct |
| 167 // container policies. |
| 168 |
| 169 // Test that the correct container policy is constructed on an iframe element. |
| 170 TEST(HTMLIFrameElementTest, DefaultContainerPolicy) { |
| 171 Document* document = Document::Create(); |
| 172 KURL document_url = KURL(KURL(), "http://example.com"); |
| 173 document->SetURL(document_url); |
| 174 document->UpdateSecurityOrigin(SecurityOrigin::Create(document_url)); |
| 175 |
| 176 HTMLIFrameElement* frame_element = HTMLIFrameElement::Create(*document); |
| 177 |
| 178 frame_element->setAttribute(HTMLNames::srcAttr, "http://example.net/"); |
| 179 frame_element->UpdateContainerPolicyForTests(); |
| 180 |
| 181 const WebParsedFeaturePolicy& container_policy = |
| 182 frame_element->ContainerPolicy(); |
| 183 EXPECT_EQ(0UL, container_policy.size()); |
| 184 } |
| 185 |
| 186 // Test that the allow attribute results in a container policy which is |
| 187 // restricted to the domain in the src attribute. |
| 188 TEST(HTMLIFrameElementTest, AllowAttributeContainerPolicy) { |
| 189 Document* document = Document::Create(); |
| 190 KURL document_url = KURL(KURL(), "http://example.com"); |
| 191 document->SetURL(document_url); |
| 192 document->UpdateSecurityOrigin(SecurityOrigin::Create(document_url)); |
| 193 |
| 194 HTMLIFrameElement* frame_element = HTMLIFrameElement::Create(*document); |
| 195 |
| 196 frame_element->setAttribute(HTMLNames::srcAttr, "http://example.net/"); |
| 197 frame_element->setAttribute(HTMLNames::allowAttr, "fullscreen"); |
| 198 frame_element->UpdateContainerPolicyForTests(); |
| 199 |
| 200 const WebParsedFeaturePolicy& container_policy1 = |
| 201 frame_element->ContainerPolicy(); |
| 202 |
| 203 EXPECT_EQ(1UL, container_policy1.size()); |
| 204 EXPECT_EQ(WebFeaturePolicyFeature::kFullscreen, container_policy1[0].feature); |
| 205 EXPECT_FALSE(container_policy1[0].matches_all_origins); |
| 206 EXPECT_EQ(1UL, container_policy1[0].origins.size()); |
| 207 EXPECT_EQ("http://example.net", container_policy1[0].origins[0].ToString()); |
| 208 |
| 209 frame_element->setAttribute(HTMLNames::allowAttr, "payment fullscreen"); |
| 210 frame_element->UpdateContainerPolicyForTests(); |
| 211 |
| 212 const WebParsedFeaturePolicy& container_policy2 = |
| 213 frame_element->ContainerPolicy(); |
| 214 EXPECT_EQ(2UL, container_policy2.size()); |
| 215 EXPECT_TRUE( |
| 216 container_policy2[0].feature == WebFeaturePolicyFeature::kFullscreen || |
| 217 container_policy2[1].feature == WebFeaturePolicyFeature::kFullscreen); |
| 218 EXPECT_TRUE( |
| 219 container_policy2[0].feature == WebFeaturePolicyFeature::kPayment || |
| 220 container_policy2[1].feature == WebFeaturePolicyFeature::kPayment); |
| 221 EXPECT_FALSE(container_policy2[0].matches_all_origins); |
| 222 EXPECT_EQ(1UL, container_policy2[0].origins.size()); |
| 223 EXPECT_EQ("http://example.net", container_policy2[0].origins[0].ToString()); |
| 224 EXPECT_FALSE(container_policy2[1].matches_all_origins); |
| 225 EXPECT_EQ(1UL, container_policy2[1].origins.size()); |
| 226 EXPECT_EQ("http://example.net", container_policy2[1].origins[0].ToString()); |
| 227 } |
| 228 |
| 229 // Test that the allow attribute on a sandboxed frame results in a container |
| 230 // policy which is restricted to a unique origin. |
| 231 TEST(HTMLIFrameElementTest, SandboxAttributeContainerPolicy) { |
| 232 Document* document = Document::Create(); |
| 233 KURL document_url = KURL(KURL(), "http://example.com"); |
| 234 document->SetURL(document_url); |
| 235 document->UpdateSecurityOrigin(SecurityOrigin::Create(document_url)); |
| 236 |
| 237 HTMLIFrameElement* frame_element = HTMLIFrameElement::Create(*document); |
| 238 |
| 239 frame_element->setAttribute(HTMLNames::srcAttr, "http://example.net/"); |
| 240 frame_element->setAttribute(HTMLNames::allowAttr, "fullscreen"); |
| 241 frame_element->setAttribute(HTMLNames::sandboxAttr, ""); |
| 242 frame_element->UpdateContainerPolicyForTests(); |
| 243 |
| 244 const WebParsedFeaturePolicy& container_policy = |
| 245 frame_element->ContainerPolicy(); |
| 246 |
| 247 EXPECT_EQ(1UL, container_policy.size()); |
| 248 EXPECT_EQ(WebFeaturePolicyFeature::kFullscreen, container_policy[0].feature); |
| 249 EXPECT_FALSE(container_policy[0].matches_all_origins); |
| 250 EXPECT_EQ(1UL, container_policy[0].origins.size()); |
| 251 EXPECT_TRUE(container_policy[0].origins[0].IsUnique()); |
| 252 } |
| 253 |
| 254 // Test that the allow attribute on a sandboxed frame with the allow-same-origin |
| 255 // flag results in a container policy which is restricted to the origin of the |
| 256 // containing document. |
| 257 TEST(HTMLIFrameElementTest, SameOriginSandboxAttributeContainerPolicy) { |
| 258 Document* document = Document::Create(); |
| 259 KURL document_url = KURL(KURL(), "http://example.com"); |
| 260 document->SetURL(document_url); |
| 261 document->UpdateSecurityOrigin(SecurityOrigin::Create(document_url)); |
| 262 |
| 263 HTMLIFrameElement* frame_element = HTMLIFrameElement::Create(*document); |
| 264 |
| 265 frame_element->setAttribute(HTMLNames::srcAttr, "http://example.net/"); |
| 266 frame_element->setAttribute(HTMLNames::allowAttr, "fullscreen"); |
| 267 frame_element->setAttribute(HTMLNames::sandboxAttr, "allow-same-origin"); |
| 268 frame_element->UpdateContainerPolicyForTests(); |
| 269 |
| 270 const WebParsedFeaturePolicy& container_policy = |
| 271 frame_element->ContainerPolicy(); |
| 272 |
| 273 EXPECT_EQ(1UL, container_policy.size()); |
| 274 EXPECT_EQ(WebFeaturePolicyFeature::kFullscreen, container_policy[0].feature); |
| 275 EXPECT_FALSE(container_policy[0].matches_all_origins); |
| 276 EXPECT_EQ(1UL, container_policy[0].origins.size()); |
| 277 EXPECT_FALSE(container_policy[0].origins[0].IsUnique()); |
| 278 EXPECT_EQ("http://example.net", container_policy[0].origins[0].ToString()); |
| 279 } |
| 280 |
| 32 } // namespace blink | 281 } // namespace blink |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 2797813002:
Replicate feature policy container policies. (Closed)
