third_party/WebKit/Source/bindings/core/v8/BindingSecurityTest.cpp - Issue 2881393002: Count cross-origin property access.

Side by Side Diff: third_party/WebKit/Source/bindings/core/v8/BindingSecurityTest.cpp

Issue 2881393002: Count cross-origin property access. (Closed)

Patch Set: Rebase. Created 3 years, 7 months ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

OLD	NEW
(Empty)
	1 // Copyright 2017 The Chromium Authors. All rights reserved.

	2 // Use of this source code is governed by a BSD-style license that can be

	3 // found in the LICENSE file.

	4

	5 #include "bindings/core/v8/BindingSecurity.h"

	6

	7 #include "core/dom/Document.h"

	8 #include "core/frame/UseCounter.h"

	9 #include "core/page/Page.h"

	10 #include "platform/testing/UnitTestHelpers.h"

	11 #include "testing/gtest/include/gtest/gtest.h"

	12 #include "web/tests/sim/SimRequest.h"

	13 #include "web/tests/sim/SimTest.h"

	14

	15 namespace blink {

	16

	17 namespace {

	18 const char* kMainFrame = "https://example.com/main.html";
	dcheng 2017/05/17 22:10:45 Nit: const char kMainFrame[] (kMainFrame is actua Nit: const char kMainFrame[] (kMainFrame is actually assignable as written)
	19 const char* kSameOriginTarget = "https://example.com/target.html";

	20 const char* kCrossOriginTarget = "https://not-example.com/target.html";

	21 }

	22

	23 class BindingSecurityCounterTest

	24 : public SimTest,

	25 public ::testing::WithParamInterface<const char*> {

	26 public:

	27 enum class OriginDisposition { CrossOrigin, SameOrigin };

	28

	29 BindingSecurityCounterTest() {}

	30

	31 void LoadWindowAndAccessProperty(OriginDisposition which_origin,

	32 const String& property) {

	33 GetDocument()

	34 .GetFrame()

	35 ->GetSettings()

	36 ->SetJavaScriptCanOpenWindowsAutomatically(true);

	37 SimRequest main(kMainFrame, "text/html");

	38 SimRequest target(which_origin == OriginDisposition::CrossOrigin

	39 ? kCrossOriginTarget

	40 : kSameOriginTarget,

	41 "text/html");

	42 const String& document = String::Format(

	43 "<!DOCTYPE html>"

	44 "<script>"

	45 " window.addEventListener('message', e => {"

	46 " window.other = e.source.%s;"

	47 " console.log('yay');"

	48 " });"

	49 " var w = window.open('%s');"

	50 "</script>",

	51 property.Utf8().data(),

	52 which_origin == OriginDisposition::CrossOrigin ? kCrossOriginTarget

	53 : kSameOriginTarget);

	54

	55 LoadURL(kMainFrame);

	56 main.Complete(document);

	57 target.Complete(

	58 "<!DOCTYPE html>"

	59 "<script>window.opener.postMessage('yay', '*');</script>");

	60 testing::RunPendingTasks();

	61 }

	62

	63 void LoadFrameAndAccessProperty(OriginDisposition which_origin,

	64 const String& property) {

	65 GetDocument()

	66 .GetFrame()

	67 ->GetSettings()

	68 ->SetJavaScriptCanOpenWindowsAutomatically(true);

	69 SimRequest main(kMainFrame, "text/html");

	70 SimRequest target(which_origin == OriginDisposition::CrossOrigin

	71 ? kCrossOriginTarget

	72 : kSameOriginTarget,

	73 "text/html");

	74 const String& document = String::Format(

	75 "<!DOCTYPE html>"

	76 "<body>"

	77 "<script>"

	78 " var i = document.createElement('iframe');"

	79 " window.addEventListener('message', e => {"

	80 " window.other = e.source.%s;"

	81 " console.log('yay');"

	82 " });"

	83 " i.src = '%s';"

	84 " document.body.appendChild(i);"

	85 "</script>",

	86 property.Utf8().data(),

	87 which_origin == OriginDisposition::CrossOrigin ? kCrossOriginTarget

	88 : kSameOriginTarget);

	89

	90 LoadURL(kMainFrame);

	91 main.Complete(document);

	92 target.Complete(

	93 "<!DOCTYPE html>"

	94 "<script>window.top.postMessage('yay', '*');</script>");

	95 testing::RunPendingTasks();

	96 }

	97 };

	98

	99 INSTANTIATE_TEST_CASE_P(WindowProperties,

	100 BindingSecurityCounterTest,

	101 ::testing::Values("window",

	102 "self",

	103 "location",

	104 "close",

	105 "closed",

	106 "focus",

	107 "blur",

	108 "frames",

	109 "length",

	110 "top",

	111 "opener",

	112 "parent",

	113 "postMessage"));
	dcheng 2017/05/17 22:10:45 My impression was that the use counter didn't want My impression was that the use counter didn't want to measure when JS does something like crossOriginWindow.abc, but I think the current one will. Is that OK? Do we want to explicitly test for that?
	114

	115 TEST_P(BindingSecurityCounterTest, CrossOriginWindow) {

	116 LoadWindowAndAccessProperty(OriginDisposition::CrossOrigin, GetParam());

	117 EXPECT_TRUE(GetDocument().GetPage()->GetUseCounter().HasRecordedMeasurement(

	118 UseCounter::kCrossOriginPropertyAccess));

	119 EXPECT_TRUE(GetDocument().GetPage()->GetUseCounter().HasRecordedMeasurement(

	120 UseCounter::kCrossOriginPropertyAccessFromOpener));

	121 }

	122

	123 TEST_P(BindingSecurityCounterTest, SameOriginWindow) {

	124 LoadWindowAndAccessProperty(OriginDisposition::SameOrigin, GetParam());

	125 EXPECT_FALSE(GetDocument().GetPage()->GetUseCounter().HasRecordedMeasurement(

	126 UseCounter::kCrossOriginPropertyAccess));

	127 EXPECT_FALSE(GetDocument().GetPage()->GetUseCounter().HasRecordedMeasurement(

	128 UseCounter::kCrossOriginPropertyAccessFromOpener));

	129 }

	130

	131 TEST_P(BindingSecurityCounterTest, CrossOriginFrame) {

	132 LoadFrameAndAccessProperty(OriginDisposition::CrossOrigin, GetParam());

	133 EXPECT_TRUE(GetDocument().GetPage()->GetUseCounter().HasRecordedMeasurement(

	134 UseCounter::kCrossOriginPropertyAccess));

	135 EXPECT_FALSE(GetDocument().GetPage()->GetUseCounter().HasRecordedMeasurement(

	136 UseCounter::kCrossOriginPropertyAccessFromOpener));

	137 }

	138

	139 TEST_P(BindingSecurityCounterTest, SameOriginFrame) {

	140 LoadFrameAndAccessProperty(OriginDisposition::SameOrigin, GetParam());

	141 EXPECT_FALSE(GetDocument().GetPage()->GetUseCounter().HasRecordedMeasurement(

	142 UseCounter::kCrossOriginPropertyAccess));

	143 EXPECT_FALSE(GetDocument().GetPage()->GetUseCounter().HasRecordedMeasurement(

	144 UseCounter::kCrossOriginPropertyAccessFromOpener));

	145 }

	146

	147 } // namespace

OLD	NEW