OLD | NEW |
---|---|
(Empty) | |
1 // Copyright 2017 The Chromium Authors. All rights reserved. | |
2 // Use of this source code is governed by a BSD-style license that can be | |
3 // found in the LICENSE file. | |
4 | |
5 #include "bindings/core/v8/BindingSecurity.h" | |
6 | |
7 #include "core/dom/Document.h" | |
8 #include "core/frame/UseCounter.h" | |
9 #include "core/page/Page.h" | |
10 #include "platform/testing/UnitTestHelpers.h" | |
11 #include "testing/gtest/include/gtest/gtest.h" | |
12 #include "web/tests/sim/SimRequest.h" | |
13 #include "web/tests/sim/SimTest.h" | |
14 | |
15 namespace blink { | |
16 | |
17 namespace { | |
18 const char* kMainFrame = "https://example.com/main.html"; | |
dcheng
2017/05/17 22:10:45
Nit: const char kMainFrame[]
(kMainFrame is actua
| |
19 const char* kSameOriginTarget = "https://example.com/target.html"; | |
20 const char* kCrossOriginTarget = "https://not-example.com/target.html"; | |
21 } | |
22 | |
23 class BindingSecurityCounterTest | |
24 : public SimTest, | |
25 public ::testing::WithParamInterface<const char*> { | |
26 public: | |
27 enum class OriginDisposition { CrossOrigin, SameOrigin }; | |
28 | |
29 BindingSecurityCounterTest() {} | |
30 | |
31 void LoadWindowAndAccessProperty(OriginDisposition which_origin, | |
32 const String& property) { | |
33 GetDocument() | |
34 .GetFrame() | |
35 ->GetSettings() | |
36 ->SetJavaScriptCanOpenWindowsAutomatically(true); | |
37 SimRequest main(kMainFrame, "text/html"); | |
38 SimRequest target(which_origin == OriginDisposition::CrossOrigin | |
39 ? kCrossOriginTarget | |
40 : kSameOriginTarget, | |
41 "text/html"); | |
42 const String& document = String::Format( | |
43 "<!DOCTYPE html>" | |
44 "<script>" | |
45 " window.addEventListener('message', e => {" | |
46 " window.other = e.source.%s;" | |
47 " console.log('yay');" | |
48 " });" | |
49 " var w = window.open('%s');" | |
50 "</script>", | |
51 property.Utf8().data(), | |
52 which_origin == OriginDisposition::CrossOrigin ? kCrossOriginTarget | |
53 : kSameOriginTarget); | |
54 | |
55 LoadURL(kMainFrame); | |
56 main.Complete(document); | |
57 target.Complete( | |
58 "<!DOCTYPE html>" | |
59 "<script>window.opener.postMessage('yay', '*');</script>"); | |
60 testing::RunPendingTasks(); | |
61 } | |
62 | |
63 void LoadFrameAndAccessProperty(OriginDisposition which_origin, | |
64 const String& property) { | |
65 GetDocument() | |
66 .GetFrame() | |
67 ->GetSettings() | |
68 ->SetJavaScriptCanOpenWindowsAutomatically(true); | |
69 SimRequest main(kMainFrame, "text/html"); | |
70 SimRequest target(which_origin == OriginDisposition::CrossOrigin | |
71 ? kCrossOriginTarget | |
72 : kSameOriginTarget, | |
73 "text/html"); | |
74 const String& document = String::Format( | |
75 "<!DOCTYPE html>" | |
76 "<body>" | |
77 "<script>" | |
78 " var i = document.createElement('iframe');" | |
79 " window.addEventListener('message', e => {" | |
80 " window.other = e.source.%s;" | |
81 " console.log('yay');" | |
82 " });" | |
83 " i.src = '%s';" | |
84 " document.body.appendChild(i);" | |
85 "</script>", | |
86 property.Utf8().data(), | |
87 which_origin == OriginDisposition::CrossOrigin ? kCrossOriginTarget | |
88 : kSameOriginTarget); | |
89 | |
90 LoadURL(kMainFrame); | |
91 main.Complete(document); | |
92 target.Complete( | |
93 "<!DOCTYPE html>" | |
94 "<script>window.top.postMessage('yay', '*');</script>"); | |
95 testing::RunPendingTasks(); | |
96 } | |
97 }; | |
98 | |
99 INSTANTIATE_TEST_CASE_P(WindowProperties, | |
100 BindingSecurityCounterTest, | |
101 ::testing::Values("window", | |
102 "self", | |
103 "location", | |
104 "close", | |
105 "closed", | |
106 "focus", | |
107 "blur", | |
108 "frames", | |
109 "length", | |
110 "top", | |
111 "opener", | |
112 "parent", | |
113 "postMessage")); | |
dcheng
2017/05/17 22:10:45
My impression was that the use counter didn't want
| |
114 | |
115 TEST_P(BindingSecurityCounterTest, CrossOriginWindow) { | |
116 LoadWindowAndAccessProperty(OriginDisposition::CrossOrigin, GetParam()); | |
117 EXPECT_TRUE(GetDocument().GetPage()->GetUseCounter().HasRecordedMeasurement( | |
118 UseCounter::kCrossOriginPropertyAccess)); | |
119 EXPECT_TRUE(GetDocument().GetPage()->GetUseCounter().HasRecordedMeasurement( | |
120 UseCounter::kCrossOriginPropertyAccessFromOpener)); | |
121 } | |
122 | |
123 TEST_P(BindingSecurityCounterTest, SameOriginWindow) { | |
124 LoadWindowAndAccessProperty(OriginDisposition::SameOrigin, GetParam()); | |
125 EXPECT_FALSE(GetDocument().GetPage()->GetUseCounter().HasRecordedMeasurement( | |
126 UseCounter::kCrossOriginPropertyAccess)); | |
127 EXPECT_FALSE(GetDocument().GetPage()->GetUseCounter().HasRecordedMeasurement( | |
128 UseCounter::kCrossOriginPropertyAccessFromOpener)); | |
129 } | |
130 | |
131 TEST_P(BindingSecurityCounterTest, CrossOriginFrame) { | |
132 LoadFrameAndAccessProperty(OriginDisposition::CrossOrigin, GetParam()); | |
133 EXPECT_TRUE(GetDocument().GetPage()->GetUseCounter().HasRecordedMeasurement( | |
134 UseCounter::kCrossOriginPropertyAccess)); | |
135 EXPECT_FALSE(GetDocument().GetPage()->GetUseCounter().HasRecordedMeasurement( | |
136 UseCounter::kCrossOriginPropertyAccessFromOpener)); | |
137 } | |
138 | |
139 TEST_P(BindingSecurityCounterTest, SameOriginFrame) { | |
140 LoadFrameAndAccessProperty(OriginDisposition::SameOrigin, GetParam()); | |
141 EXPECT_FALSE(GetDocument().GetPage()->GetUseCounter().HasRecordedMeasurement( | |
142 UseCounter::kCrossOriginPropertyAccess)); | |
143 EXPECT_FALSE(GetDocument().GetPage()->GetUseCounter().HasRecordedMeasurement( | |
144 UseCounter::kCrossOriginPropertyAccessFromOpener)); | |
145 } | |
146 | |
147 } // namespace | |
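Review bot: The SameOriginWindow and SameOriginFrame tests can pass vacuously, because their only assertions are `EXPECT_FALSE(...HasRecordedMeasurement(...))` and nothing checks that the `message` handler in the main document ever ran. If the popup or iframe never loaded, or the message was not delivered by the time `testing::RunPendingTasks()` returned, no property would be read and both counters would stay unset, which is exactly what those tests expect. The handler already logs 'yay', so each test could first assert that it fired, e.g. `EXPECT_TRUE(ConsoleMessages().Contains("yay"));`, assuming SimTest's collected console messages are usable from this fixture. For a counter meant to measure cross-origin property access, a negative test that cannot tell "not counted" from "never executed" gives little assurance that same-origin access is really excluded. Separately, the final `} // namespace` closes `namespace blink` and should read `}  // namespace blink`, while the anonymous namespace's closing `}` higher up carries no comment at all.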