OLD | NEW |
1 // Copyright (c) 2013 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2013 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include "base/command_line.h" | 5 #include "base/command_line.h" |
6 #include "base/containers/hash_tables.h" | 6 #include "base/containers/hash_tables.h" |
7 #include "content/browser/dom_storage/dom_storage_context_wrapper.h" | 7 #include "content/browser/dom_storage/dom_storage_context_wrapper.h" |
8 #include "content/browser/dom_storage/session_storage_namespace_impl.h" | 8 #include "content/browser/dom_storage/session_storage_namespace_impl.h" |
9 #include "content/browser/frame_host/navigator.h" | 9 #include "content/browser/frame_host/navigator.h" |
10 #include "content/browser/renderer_host/render_view_host_factory.h" | 10 #include "content/browser/renderer_host/render_view_host_factory.h" |
11 #include "content/browser/renderer_host/render_view_host_impl.h" | 11 #include "content/browser/renderer_host/render_view_host_impl.h" |
12 #include "content/browser/web_contents/web_contents_impl.h" | 12 #include "content/browser/web_contents/web_contents_impl.h" |
| 13 #include "content/common/frame_messages.h" |
13 #include "content/common/view_messages.h" | 14 #include "content/common/view_messages.h" |
14 #include "content/public/browser/browser_context.h" | 15 #include "content/public/browser/browser_context.h" |
| 16 #include "content/public/browser/interstitial_page.h" |
| 17 #include "content/public/browser/interstitial_page_delegate.h" |
15 #include "content/public/browser/storage_partition.h" | 18 #include "content/public/browser/storage_partition.h" |
16 #include "content/public/common/content_switches.h" | 19 #include "content/public/common/content_switches.h" |
17 #include "content/public/test/browser_test_utils.h" | 20 #include "content/public/test/browser_test_utils.h" |
18 #include "content/public/test/content_browser_test.h" | 21 #include "content/public/test/content_browser_test.h" |
19 #include "content/public/test/content_browser_test_utils.h" | 22 #include "content/public/test/content_browser_test_utils.h" |
20 #include "content/public/test/test_utils.h" | 23 #include "content/public/test/test_utils.h" |
21 #include "content/shell/browser/shell.h" | 24 #include "content/shell/browser/shell.h" |
| 25 #include "ipc/ipc_security_test_util.h" |
| 26 |
| 27 using IPC::IpcSecurityTestUtil; |
22 | 28 |
23 namespace content { | 29 namespace content { |
24 | 30 |
25 namespace { | 31 namespace { |
26 | 32 |
27 // This is a helper function for the tests which attempt to create a | 33 // This is a helper function for the tests which attempt to create a |
28 // duplicate RenderViewHost or RenderWidgetHost. It tries to create two objects | 34 // duplicate RenderViewHost or RenderWidgetHost. It tries to create two objects |
29 // with the same process and routing ids, which causes a collision. | 35 // with the same process and routing ids, which causes a collision. |
30 // It creates a couple of windows in process 1, which causes a few routing ids | 36 // It creates a couple of windows in process 1, which causes a few routing ids |
31 // to be allocated. Then a cross-process navigation is initiated, which causes a | 37 // to be allocated. Then a cross-process navigation is initiated, which causes a |
(...skipping 127 matching lines...)
159 | 165 |
160 // Since this test executes on the UI thread and hopping threads might cause | 166 // Since this test executes on the UI thread and hopping threads might cause |
161 // different timing in the test, let's simulate a CreateNewWidget call coming | 167 // different timing in the test, let's simulate a CreateNewWidget call coming |
162 // from the IO thread. Use the existing window routing id to cause a | 168 // from the IO thread. Use the existing window routing id to cause a |
163 // deliberate collision. | 169 // deliberate collision. |
164 pending_rvh->CreateNewWidget(duplicate_routing_id, blink::WebPopupTypeSelect); | 170 pending_rvh->CreateNewWidget(duplicate_routing_id, blink::WebPopupTypeSelect); |
165 | 171 |
166 // If the above operation doesn't crash, the test has succeeded! | 172 // If the above operation doesn't crash, the test has succeeded! |
167 } | 173 } |
168 | 174 |
| 175 class SecurityExploitTestInterstitialPage : public InterstitialPageDelegate { |
| 176 public: |
| 177 explicit SecurityExploitTestInterstitialPage(WebContents* contents) { |
| 178 InterstitialPage* interstitial = InterstitialPage::Create( |
| 179 contents, false, contents->GetLastCommittedURL(), this); |
| 180 interstitial->Show(); |
| 181 } |
| 182 |
| 183 // InterstitialPageDelegate implementation. |
| 184 void CommandReceived(const std::string& command) override { |
| 185 last_command_ = command; |
| 186 } |
| 187 |
| 188 std::string GetHTMLContents() override { |
| 189 return "<html><head><script>" |
| 190 "window.domAutomationController.send(\"okay\");" |
| 191 "</script></head>" |
| 192 "<body>like a body wholly body</body></html>"; |
| 193 } |
| 194 |
| 195 std::string last_command() { return last_command_; } |
| 196 |
| 197 private: |
| 198 std::string last_command_; |
| 199 DISALLOW_COPY_AND_ASSIGN(SecurityExploitTestInterstitialPage); |
| 200 }; |
| 201 |
| 202 // The interstitial should not be controllable by the underlying content. |
| 203 IN_PROC_BROWSER_TEST_F(SecurityExploitBrowserTest, |
| 204 InterstitialCommandFromContentRenderer) { |
| 205 |
| 206 // Start off with initial navigation, to allocate the process. |
| 207 GURL foo("http://foo.com/files/simple_page.html"); |
| 208 NavigateToURL(shell(), foo); |
| 209 |
| 210 // Install and show an interstitial page. |
| 211 SecurityExploitTestInterstitialPage* interstitial = |
| 212 new SecurityExploitTestInterstitialPage(shell()->web_contents()); |
| 213 ASSERT_EQ("", interstitial->last_command()); |
| 214 |
| 215 // Send an automation message from the current renderer. It should not |
| 216 // be received by the interstitial. |
| 217 content::RenderFrameHost* compromised_renderer = |
| 218 shell()->web_contents()->GetMainFrame(); |
| 219 FrameHostMsg_DomOperationResponse evil(compromised_renderer->GetRoutingID(), |
| 220 "evil", MSG_ROUTING_NONE); |
| 221 IpcSecurityTestUtil::PwnMessageReceived( |
| 222 compromised_renderer->GetProcess()->GetChannel(), evil); |
| 223 |
| 224 ASSERT_EQ("", interstitial->last_command()) |
| 225 << "Interstitial should not be affected"; |
| 226 } |
| 227 |
169 } // namespace content | 228 } // namespace content |
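Review bot: The final `ASSERT_EQ("", interstitial->last_command())` in InterstitialCommandFromContentRenderer can pass vacuously, because nothing visible in the test waits for the interstitial to be attached before the forged `FrameHostMsg_DomOperationResponse` is delivered, and nothing shows that a legitimate command would have reached `CommandReceived` at that point. Consider waiting for the interstitial first (for example `WaitForInterstitialAttach(shell()->web_contents());`, if that helper is available in this revision) and adding a positive control that a message from the interstitial's own frame does set `last_command_`, so the negative assertion demonstrates filtering rather than timing. The script in `GetHTMLContents()` also sends "okay" on load, so if it happens to run before the last assertion the test would fail for an unrelated reason; either drop that script or assert on its result explicitly. Separately, the raw `new SecurityExploitTestInterstitialPage(...)` has no visible owner; a comment such as `// Owned by the InterstitialPage created in the constructor.` (if that is the contract) would make the lifetime clear.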