Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(16)

Issues Search
    My Issues | Starred     Open | Closed | All

Side by Side Diff: content/browser/browser_side_navigation_browsertest.cc

Issue 2905293002: Ensure the renderer doesn't specify base_url_for_data_url in the BeginNavigation IPC. (Closed)
Patch Set: Created 3 years, 7 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View unified diff | Download patch
« no previous file with comments | « content/browser/bad_message.h ('k') | content/browser/frame_host/render_frame_host_impl.cc » ('j') | content/browser/frame_host/render_frame_host_impl.cc » ('J')
Toggle Intra-line Diffs ('i') | Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
OLDNEW
1 // Copyright 2014 The Chromium Authors. All rights reserved. 1 // Copyright 2014 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be 2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file. 3 // found in the LICENSE file.
4 4
5 #include <stdint.h> 5 #include <stdint.h>
6 6
7 #include "base/command_line.h" 7 #include "base/command_line.h"
8 #include "base/strings/stringprintf.h" 8 #include "base/strings/stringprintf.h"
9 #include "base/strings/utf_string_conversions.h" 9 #include "base/strings/utf_string_conversions.h"
10 #include "content/browser/child_process_security_policy_impl.h" 10 #include "content/browser/child_process_security_policy_impl.h"
11 #include "content/browser/frame_host/navigation_handle_impl.h" 11 #include "content/browser/frame_host/navigation_handle_impl.h"
12 #include "content/browser/frame_host/navigation_request.h" 12 #include "content/browser/frame_host/navigation_request.h"
13 #include "content/browser/web_contents/web_contents_impl.h" 13 #include "content/browser/web_contents/web_contents_impl.h"
14 #include "content/common/frame_messages.h"
14 #include "content/common/site_isolation_policy.h" 15 #include "content/common/site_isolation_policy.h"
15 #include "content/public/browser/notification_types.h" 16 #include "content/public/browser/notification_types.h"
16 #include "content/public/browser/web_contents.h" 17 #include "content/public/browser/web_contents.h"
17 #include "content/public/common/content_switches.h" 18 #include "content/public/common/content_switches.h"
18 #include "content/public/common/url_constants.h" 19 #include "content/public/common/url_constants.h"
19 #include "content/public/test/browser_test_utils.h" 20 #include "content/public/test/browser_test_utils.h"
20 #include "content/public/test/content_browser_test.h" 21 #include "content/public/test/content_browser_test.h"
21 #include "content/public/test/content_browser_test_utils.h" 22 #include "content/public/test/content_browser_test_utils.h"
22 #include "content/public/test/navigation_handle_observer.h" 23 #include "content/public/test/navigation_handle_observer.h"
23 #include "content/public/test/test_navigation_observer.h" 24 #include "content/public/test/test_navigation_observer.h"
24 #include "content/shell/browser/shell.h" 25 #include "content/shell/browser/shell.h"
25 #include "content/shell/browser/shell_network_delegate.h" 26 #include "content/shell/browser/shell_network_delegate.h"
26 #include "content/test/content_browser_test_utils_internal.h" 27 #include "content/test/content_browser_test_utils_internal.h"
28 #include "ipc/ipc_security_test_util.h"
29 #include "net/base/load_flags.h"
27 #include "net/dns/mock_host_resolver.h" 30 #include "net/dns/mock_host_resolver.h"
28 #include "net/test/embedded_test_server/embedded_test_server.h" 31 #include "net/test/embedded_test_server/embedded_test_server.h"
29 #include "net/test/url_request/url_request_failed_job.h" 32 #include "net/test/url_request/url_request_failed_job.h"
30 #include "url/gurl.h" 33 #include "url/gurl.h"
31 34
32 namespace content { 35 namespace content {
33 36
34 class BrowserSideNavigationBrowserTest : public ContentBrowserTest { 37 class BrowserSideNavigationBrowserTest : public ContentBrowserTest {
35 public: 38 public:
36 BrowserSideNavigationBrowserTest() {} 39 BrowserSideNavigationBrowserTest() {}
(...skipping 378 matching lines...) Expand 10 before | Expand all | Expand 10 after
415 // to the URL that was blocked. 418 // to the URL that was blocked.
416 EXPECT_EQ(1, controller.GetLastCommittedEntryIndex()); 419 EXPECT_EQ(1, controller.GetLastCommittedEntryIndex());
417 EXPECT_FALSE( 420 EXPECT_FALSE(
418 controller.GetLastCommittedEntry()->GetURL().SchemeIs(url::kDataScheme)); 421 controller.GetLastCommittedEntry()->GetURL().SchemeIs(url::kDataScheme));
419 EXPECT_TRUE(controller.GetLastCommittedEntry()->GetVirtualURL().SchemeIs( 422 EXPECT_TRUE(controller.GetLastCommittedEntry()->GetVirtualURL().SchemeIs(
420 url::kDataScheme)); 423 url::kDataScheme));
421 EXPECT_EQ(url::kAboutBlankURL, 424 EXPECT_EQ(url::kAboutBlankURL,
422 controller.GetLastCommittedEntry()->GetURL().spec()); 425 controller.GetLastCommittedEntry()->GetURL().spec());
423 } 426 }
424 427
428 // Test to verify that an exploited renderer process trying to specify a
429 // non-empty URL for base_url_for_data_url on navigation is correctly
430 // terminated.
431 // TODO(nasko): This test case belongs better in
432 // security_exploit_browsertest.cc, so move it there once PlzNavigate is on
433 // by default.
434 IN_PROC_BROWSER_TEST_F(BrowserSideNavigationBrowserTest,
435 ValidateBaseUrlForDataUrl) {
436 GURL start_url(embedded_test_server()->GetURL("/title1.html"));
437 EXPECT_TRUE(NavigateToURL(shell(), start_url));
438
439 RenderFrameHostImpl* rfh = static_cast<RenderFrameHostImpl*>(
440 shell()->web_contents()->GetMainFrame());
441
442 // Setup a BeginNavigate IPC with non-empty base_url_for_data_url.
443 GURL url(embedded_test_server()->GetURL("/title2.html"));
444 CommonNavigationParams common_params(
445 url, Referrer(), ui::PAGE_TRANSITION_LINK,
446 FrameMsg_Navigate_Type::DIFFERENT_DOCUMENT, true, false,
447 base::TimeTicks(), FrameMsg_UILoadMetricsReportType::NO_REPORT,
448 embedded_test_server()->GetURL("foo.com",
449 "/title3.html"), // base_url_for_data_url
450 GURL(), PREVIEWS_UNSPECIFIED, base::TimeTicks::Now(), "GET", nullptr,
451 base::Optional<SourceLocation>(), CSPDisposition::CHECK);
452 BeginNavigationParams begin_params(
453 std::string(), net::LOAD_NORMAL, false, false,
454 REQUEST_CONTEXT_TYPE_LOCATION,
455 blink::WebMixedContentContextType::kBlockable, false, url::Origin(url));
456 FrameHostMsg_BeginNavigation msg(rfh->GetRoutingID(), common_params,
457 begin_params);
458
459 // Receiving the invalid IPC message should lead to renderer process
460 // termination.
461 RenderProcessHostWatcher process_exit_observer(
462 rfh->GetProcess(), RenderProcessHostWatcher::WATCH_FOR_PROCESS_EXIT);
463 IPC::IpcSecurityTestUtil::PwnMessageReceived(rfh->GetProcess()->GetChannel(),
464 msg);
465 process_exit_observer.Wait();
Charlie Reis 2017/05/30 20:49:09 We should add a case to this test where the tab is
466 }
467
425 } // namespace content 468 } // namespace content
OLDNEW
« no previous file with comments | « content/browser/bad_message.h ('k') | content/browser/frame_host/render_frame_host_impl.cc » ('j') | content/browser/frame_host/render_frame_host_impl.cc » ('J')

Powered by Google App Engine
This is Rietveld 408576698