Unified Diff: content/browser/browser_side_navigation_browsertest.cc

Issue 2905293002: Ensure the renderer doesn't specify base_url_for_data_url in the BeginNavigation IPC. (Closed)
Patch Set: Created 3 years, 7 months ago
Index: content/browser/browser_side_navigation_browsertest.cc
diff --git a/content/browser/browser_side_navigation_browsertest.cc b/content/browser/browser_side_navigation_browsertest.cc
index dcfb2c471e1bd87d35a14da9f1bc46e1e0faec16..87347375bd0975c75c00ccbf2c37b5fe694f299b 100644
--- a/content/browser/browser_side_navigation_browsertest.cc
+++ b/content/browser/browser_side_navigation_browsertest.cc
@@ -11,6 +11,7 @@
#include "content/browser/frame_host/navigation_handle_impl.h"
#include "content/browser/frame_host/navigation_request.h"
#include "content/browser/web_contents/web_contents_impl.h"
+#include "content/common/frame_messages.h"
#include "content/common/site_isolation_policy.h"
#include "content/public/browser/notification_types.h"
#include "content/public/browser/web_contents.h"
@@ -24,6 +25,8 @@
#include "content/shell/browser/shell.h"
#include "content/shell/browser/shell_network_delegate.h"
#include "content/test/content_browser_test_utils_internal.h"
+#include "ipc/ipc_security_test_util.h"
+#include "net/base/load_flags.h"
#include "net/dns/mock_host_resolver.h"
#include "net/test/embedded_test_server/embedded_test_server.h"
#include "net/test/url_request/url_request_failed_job.h"
@@ -422,4 +425,44 @@ IN_PROC_BROWSER_TEST_F(BrowserSideNavigationBrowserTest,
controller.GetLastCommittedEntry()->GetURL().spec());
}
+// Test to verify that an exploited renderer process trying to specify a
+// non-empty URL for base_url_for_data_url on navigation is correctly
+// terminated.
+// TODO(nasko): This test case belongs better in
+// security_exploit_browsertest.cc, so move it there once PlzNavigate is on
+// by default.
+IN_PROC_BROWSER_TEST_F(BrowserSideNavigationBrowserTest,
+ ValidateBaseUrlForDataUrl) {
+ GURL start_url(embedded_test_server()->GetURL("/title1.html"));
+ EXPECT_TRUE(NavigateToURL(shell(), start_url));
+
+ RenderFrameHostImpl* rfh = static_cast<RenderFrameHostImpl*>(
+ shell()->web_contents()->GetMainFrame());
+
+ // Setup a BeginNavigate IPC with non-empty base_url_for_data_url.
+ GURL url(embedded_test_server()->GetURL("/title2.html"));
+ CommonNavigationParams common_params(
+ url, Referrer(), ui::PAGE_TRANSITION_LINK,
+ FrameMsg_Navigate_Type::DIFFERENT_DOCUMENT, true, false,
+ base::TimeTicks(), FrameMsg_UILoadMetricsReportType::NO_REPORT,
+ embedded_test_server()->GetURL("foo.com",
+ "/title3.html"), // base_url_for_data_url
+ GURL(), PREVIEWS_UNSPECIFIED, base::TimeTicks::Now(), "GET", nullptr,
+ base::Optional<SourceLocation>(), CSPDisposition::CHECK);
+ BeginNavigationParams begin_params(
+ std::string(), net::LOAD_NORMAL, false, false,
+ REQUEST_CONTEXT_TYPE_LOCATION,
+ blink::WebMixedContentContextType::kBlockable, false, url::Origin(url));
+ FrameHostMsg_BeginNavigation msg(rfh->GetRoutingID(), common_params,
+ begin_params);
+
+ // Receiving the invalid IPC message should lead to renderer process
+ // termination.
+ RenderProcessHostWatcher process_exit_observer(
+ rfh->GetProcess(), RenderProcessHostWatcher::WATCH_FOR_PROCESS_EXIT);
+ IPC::IpcSecurityTestUtil::PwnMessageReceived(rfh->GetProcess()->GetChannel(),
+ msg);
+ process_exit_observer.Wait();
Charlie Reis 2017/05/30 20:49:09 We should add a case to this test where the tab is
+}
+
} // namespace content
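Review bot: `process_exit_observer.Wait()` at the end of ValidateBaseUrlForDataUrl only proves that the renderer process went away, not that it was terminated for a bad IPC; a renderer that crashed or exited for an unrelated reason would also make this test pass. If the watcher exposes the exit status (Chromium's RenderProcessHostWatcher has a `did_exit_normally()` accessor — confirm against the version this tree uses), add `EXPECT_FALSE(process_exit_observer.did_exit_normally());` after the Wait() to pin the kill. It would also strengthen the test to assert that the rejected BeginNavigation never produced a committed entry, e.g. `EXPECT_EQ(start_url, shell()->web_contents()->GetLastCommittedURL());` once the process has exited, so a regression that kills the renderer but still starts the request is caught. The header comment describes the hostile input as "a non-empty URL for base_url_for_data_url", which matches what the test sends (an http: URL for a non-data: navigation); if the browser-side check rejects any non-empty value regardless of scheme, saying so in that comment would make the test's intent clearer.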
