OLD | NEW |
(Empty) | |
| 1 // Copyright 2017 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. |
| 4 |
| 5 #include "bindings/core/v8/BindingSecurity.h" |
| 6 |
| 7 #include "core/dom/Document.h" |
| 8 #include "core/frame/UseCounter.h" |
| 9 #include "core/page/Page.h" |
| 10 #include "platform/testing/UnitTestHelpers.h" |
| 11 #include "testing/gtest/include/gtest/gtest.h" |
| 12 #include "web/tests/sim/SimRequest.h" |
| 13 #include "web/tests/sim/SimTest.h" |
| 14 |
| 15 namespace blink { |
| 16 |
| 17 namespace { |
| 18 const char kMainFrame[] = "https://example.com/main.html"; |
| 19 const char kSameOriginTarget[] = "https://example.com/target.html"; |
| 20 const char kCrossOriginTarget[] = "https://not-example.com/target.html"; |
| 21 } |
| 22 |
| 23 class BindingSecurityCounterTest |
| 24 : public SimTest, |
| 25 public ::testing::WithParamInterface<const char*> { |
| 26 public: |
| 27 enum class OriginDisposition { CrossOrigin, SameOrigin }; |
| 28 |
| 29 BindingSecurityCounterTest() {} |
| 30 |
| 31 void LoadWindowAndAccessProperty(OriginDisposition which_origin, |
| 32 const String& property) { |
| 33 GetDocument() |
| 34 .GetFrame() |
| 35 ->GetSettings() |
| 36 ->SetJavaScriptCanOpenWindowsAutomatically(true); |
| 37 SimRequest main(kMainFrame, "text/html"); |
| 38 SimRequest target(which_origin == OriginDisposition::CrossOrigin |
| 39 ? kCrossOriginTarget |
| 40 : kSameOriginTarget, |
| 41 "text/html"); |
| 42 const String& document = String::Format( |
| 43 "<!DOCTYPE html>" |
| 44 "<script>" |
| 45 " window.addEventListener('message', e => {" |
| 46 " window.other = e.source.%s;" |
| 47 " console.log('yay');" |
| 48 " });" |
| 49 " var w = window.open('%s');" |
| 50 "</script>", |
| 51 property.Utf8().data(), |
| 52 which_origin == OriginDisposition::CrossOrigin ? kCrossOriginTarget |
| 53 : kSameOriginTarget); |
| 54 |
| 55 LoadURL(kMainFrame); |
| 56 main.Complete(document); |
| 57 target.Complete( |
| 58 "<!DOCTYPE html>" |
| 59 "<script>window.opener.postMessage('yay', '*');</script>"); |
| 60 testing::RunPendingTasks(); |
| 61 } |
| 62 |
| 63 void LoadFrameAndAccessProperty(OriginDisposition which_origin, |
| 64 const String& property) { |
| 65 GetDocument() |
| 66 .GetFrame() |
| 67 ->GetSettings() |
| 68 ->SetJavaScriptCanOpenWindowsAutomatically(true); |
| 69 SimRequest main(kMainFrame, "text/html"); |
| 70 SimRequest target(which_origin == OriginDisposition::CrossOrigin |
| 71 ? kCrossOriginTarget |
| 72 : kSameOriginTarget, |
| 73 "text/html"); |
| 74 const String& document = String::Format( |
| 75 "<!DOCTYPE html>" |
| 76 "<body>" |
| 77 "<script>" |
| 78 " var i = document.createElement('iframe');" |
| 79 " window.addEventListener('message', e => {" |
| 80 " window.other = e.source.%s;" |
| 81 " console.log('yay');" |
| 82 " });" |
| 83 " i.src = '%s';" |
| 84 " document.body.appendChild(i);" |
| 85 "</script>", |
| 86 property.Utf8().data(), |
| 87 which_origin == OriginDisposition::CrossOrigin ? kCrossOriginTarget |
| 88 : kSameOriginTarget); |
| 89 |
| 90 LoadURL(kMainFrame); |
| 91 main.Complete(document); |
| 92 target.Complete( |
| 93 "<!DOCTYPE html>" |
| 94 "<script>window.top.postMessage('yay', '*');</script>"); |
| 95 testing::RunPendingTasks(); |
| 96 } |
| 97 }; |
| 98 |
| 99 INSTANTIATE_TEST_CASE_P(WindowProperties, |
| 100 BindingSecurityCounterTest, |
| 101 ::testing::Values("window", |
| 102 "self", |
| 103 "location", |
| 104 "close", |
| 105 "closed", |
| 106 "focus", |
| 107 "blur", |
| 108 "frames", |
| 109 "length", |
| 110 "top", |
| 111 "opener", |
| 112 "parent", |
| 113 "postMessage")); |
| 114 |
| 115 TEST_P(BindingSecurityCounterTest, CrossOriginWindow) { |
| 116 LoadWindowAndAccessProperty(OriginDisposition::CrossOrigin, GetParam()); |
| 117 EXPECT_TRUE(GetDocument().GetPage()->GetUseCounter().HasRecordedMeasurement( |
| 118 UseCounter::kCrossOriginPropertyAccess)); |
| 119 EXPECT_TRUE(GetDocument().GetPage()->GetUseCounter().HasRecordedMeasurement( |
| 120 UseCounter::kCrossOriginPropertyAccessFromOpener)); |
| 121 } |
| 122 |
| 123 TEST_P(BindingSecurityCounterTest, SameOriginWindow) { |
| 124 LoadWindowAndAccessProperty(OriginDisposition::SameOrigin, GetParam()); |
| 125 EXPECT_FALSE(GetDocument().GetPage()->GetUseCounter().HasRecordedMeasurement( |
| 126 UseCounter::kCrossOriginPropertyAccess)); |
| 127 EXPECT_FALSE(GetDocument().GetPage()->GetUseCounter().HasRecordedMeasurement( |
| 128 UseCounter::kCrossOriginPropertyAccessFromOpener)); |
| 129 } |
| 130 |
| 131 TEST_P(BindingSecurityCounterTest, CrossOriginFrame) { |
| 132 LoadFrameAndAccessProperty(OriginDisposition::CrossOrigin, GetParam()); |
| 133 EXPECT_TRUE(GetDocument().GetPage()->GetUseCounter().HasRecordedMeasurement( |
| 134 UseCounter::kCrossOriginPropertyAccess)); |
| 135 EXPECT_FALSE(GetDocument().GetPage()->GetUseCounter().HasRecordedMeasurement( |
| 136 UseCounter::kCrossOriginPropertyAccessFromOpener)); |
| 137 } |
| 138 |
| 139 TEST_P(BindingSecurityCounterTest, SameOriginFrame) { |
| 140 LoadFrameAndAccessProperty(OriginDisposition::SameOrigin, GetParam()); |
| 141 EXPECT_FALSE(GetDocument().GetPage()->GetUseCounter().HasRecordedMeasurement( |
| 142 UseCounter::kCrossOriginPropertyAccess)); |
| 143 EXPECT_FALSE(GetDocument().GetPage()->GetUseCounter().HasRecordedMeasurement( |
| 144 UseCounter::kCrossOriginPropertyAccessFromOpener)); |
| 145 } |
| 146 |
| 147 } // namespace |
OLD | NEW |