| Index: chrome/browser/chrome_security_exploit_browsertest.cc
|
| diff --git a/chrome/browser/chrome_security_exploit_browsertest.cc b/chrome/browser/chrome_security_exploit_browsertest.cc
|
| index 789dba1b575e17ae587b8ff135e8d914984c78cf..08cb4a103764980c3a2d0eba9fd1b1a47d488dc2 100644
|
| --- a/chrome/browser/chrome_security_exploit_browsertest.cc
|
| +++ b/chrome/browser/chrome_security_exploit_browsertest.cc
|
| @@ -6,11 +6,11 @@
|
| #include "base/macros.h"
|
| #include "base/strings/utf_string_conversions.h"
|
| #include "base/test/histogram_tester.h"
|
| +#include "chrome/browser/extensions/extension_browsertest.h"
|
| #include "chrome/browser/ui/browser.h"
|
| #include "chrome/browser/ui/browser_commands.h"
|
| #include "chrome/browser/ui/singleton_tabs.h"
|
| #include "chrome/browser/ui/tabs/tab_strip_model.h"
|
| -#include "chrome/test/base/in_process_browser_test.h"
|
| #include "chrome/test/base/ui_test_utils.h"
|
| #include "content/public/browser/notification_observer.h"
|
| #include "content/public/browser/notification_service.h"
|
| @@ -30,23 +30,32 @@
|
| // perform any dangerous operations in such cases.
|
| // This is similar to the security_exploit_browsertest.cc tests, but also
|
| // includes chrome/ layer concepts such as extensions.
|
| -class ChromeSecurityExploitBrowserTest : public InProcessBrowserTest {
|
| +class ChromeSecurityExploitBrowserTest : public ExtensionBrowserTest {
|
| public:
|
| ChromeSecurityExploitBrowserTest() {}
|
| ~ChromeSecurityExploitBrowserTest() override {}
|
|
|
| void SetUpOnMainThread() override {
|
| + ExtensionBrowserTest::SetUpOnMainThread();
|
| +
|
| ASSERT_TRUE(embedded_test_server()->Start());
|
| host_resolver()->AddRule("*", "127.0.0.1");
|
| +
|
| + extension_ = LoadExtension(test_data_dir_.AppendASCII("simple_with_icon"));
|
| }
|
|
|
| void SetUpCommandLine(base::CommandLine* command_line) override {
|
| + ExtensionBrowserTest::SetUpCommandLine(command_line);
|
| // Since we assume exploited renderer process, it can bypass the same origin
|
| // policy at will. Simulate that by passing the disable-web-security flag.
|
| command_line->AppendSwitch(switches::kDisableWebSecurity);
|
| }
|
|
|
| + const extensions::Extension* extension() { return extension_; }
|
| +
|
| private:
|
| + const extensions::Extension* extension_;
|
| +
|
| DISALLOW_COPY_AND_ASSIGN(ChromeSecurityExploitBrowserTest);
|
| };
|
|
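Review bot: The result of `LoadExtension(...)` in SetUpOnMainThread is stored without a null check, and `extension_` has no initializer. A failed load therefore leaves a null pointer (or an indeterminate one before setup runs) that the tests in the hunks at -84 and -133 dereference through `extension()->id()`. Adding `ASSERT_TRUE(extension_);` right after the load and declaring the member as `const extensions::Extension* extension_ = nullptr;` would turn a fixture failure into a clear setup assertion instead of a crash inside a security test. The `extension()` accessor could also be marked `const`.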
|
| @@ -84,9 +93,8 @@ IN_PROC_BROWSER_TEST_F(ChromeSecurityExploitBrowserTest,
|
| std::string blob_contents = "<script>chrome.extensions</script>";
|
| std::string blob_path = "5881f76e-10d2-410d-8c61-ef210502acfd";
|
|
|
| - // Target the bookmark manager extension.
|
| - std::string target_origin =
|
| - "chrome-extension://eemcgdkfndhakfknompkggombfjjjeno";
|
| + // Target an extension.
|
| + std::string target_origin = "chrome-extension://" + extension()->id();
|
|
|
| // Set up a blob ID and populate it with attacker-controlled value. This
|
| // message is allowed, because this data is not in any origin.
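Review bot: The replacement comment `// Target an extension.` no longer says which extension is targeted or where it comes from, and the same comment is repeated in the hunk at -133. Something like `// Target the test extension loaded in SetUpOnMainThread().` would keep the link to the fixture visible to a reader of the test body alone. The enclosing test starts and ends outside this hunk.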
|
| @@ -133,9 +141,8 @@ IN_PROC_BROWSER_TEST_F(ChromeSecurityExploitBrowserTest,
|
| std::string payload = "<html><body>pwned.</body></html>";
|
| std::string payload_type = "text/html";
|
|
|
| - // Target the bookmark manager extension.
|
| - std::string target_origin =
|
| - "chrome-extension://eemcgdkfndhakfknompkggombfjjjeno/";
|
| + // Target an extension.
|
| + std::string target_origin = "chrome-extension://" + extension()->id();
|
|
|
| // Set up a blob ID and populate it with the attacker-controlled payload.
|
| // This is allowed, because this data is not in any origin;
|
| @@ -154,7 +161,7 @@ IN_PROC_BROWSER_TEST_F(ChromeSecurityExploitBrowserTest,
|
| // storage::kFileSystemTypeTemporary));
|
|
|
| GURL target_url =
|
| - GURL("filesystem:" + target_origin + "temporary/exploit.html");
|
| + GURL("filesystem:" + target_origin + "/temporary/exploit.html");
|
|
|
| content::PwnMessageHelper::FileSystemCreate(rfh->GetProcess(), 23, target_url,
|
| false, false, false);
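Review bot: `target_url` is built by string concatenation from `extension()->id()`, and nothing checks that the result parses. The separating slash has also moved out of `target_origin` (hunk at -133) into this literal, so the two pieces are coupled. If they drift apart again the URL could be malformed, and the message might then be rejected for a reason other than the origin check this test appears to cover. I would add `ASSERT_TRUE(target_url.is_valid());` directly after the assignment. The test body continues outside the hunk.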
|
|
|