Replicate sandbox flags for OOPIF (Chromium part 2)

content/browser/site_per_process_browsertest.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "content/browser/site_per_process_browsertest.h"
 
 #include "base/command_line.h"
 #include "base/strings/stringprintf.h"
 #include "base/strings/utf_string_conversions.h"
 #include "content/browser/frame_host/cross_process_frame_connector.h"
@@ skipping 937 matching lines @@
       "window.domAutomationController.send(location.ancestorOrigins[0]);",
       &result));
   EXPECT_EQ(result + "/", foo_url.GetOrigin().spec());
   EXPECT_TRUE(ExecuteScriptAndExtractString(
       bottom_child->current_frame_host(),
       "window.domAutomationController.send(location.ancestorOrigins[1]);",
       &result));
   EXPECT_EQ(result + "/", main_url.GetOrigin().spec());
 }
 
+// Check that iframe sandbox flags are replicated correctly.
+IN_PROC_BROWSER_TEST_F(SitePerProcessBrowserTest, SandboxFlagsReplication) {
+  GURL main_url(embedded_test_server()->GetURL("/sandboxed_frames.html"));
+  EXPECT_TRUE(NavigateToURL(shell(), main_url));
+
+  // It is safe to obtain the root frame tree node here, as it doesn't change.
+  FrameTreeNode* root = static_cast<WebContentsImpl*>(shell()->web_contents())
+                            ->GetFrameTree()
+                            ->root();
+
+  SitePerProcessWebContentsObserver observer(shell()->web_contents());
+
+  // Navigate the second (sandboxed) subframe to a cross-site page with a
+  // subframe. NavigateFrameToURL can't be used here because it doesn't

[nasko, 2015/01/20 23:26:49]

I think it still can be used, but cannot be the condition for the wait, as it
will return earlier. It might be useful to use it to avoid the code clutter of
calling LoadURLWithParams.

[alexmos, 2015/01/21 02:10:43]

Done.

+  // guarantee that FrameTreeNodes will have been created for child frames when
+  // it returns.
+  RenderFrameHostCreatedObserver frame_observer(shell()->web_contents(), 4);
+  GURL foo_url(
+      embedded_test_server()->GetURL("foo.com", "/frame_tree/1-1.html"));
+  NavigationController::LoadURLParams params(foo_url);
+  params.transition_type = ui::PAGE_TRANSITION_LINK;
+  params.frame_tree_node_id = root->child_at(1)->frame_tree_node_id();
+  root->child_at(1)->navigator()->GetController()->LoadURLWithParams(params);
+  frame_observer.Wait();
+
+  // We can't use a SitePerProcessWebContentsObserver to verify the URL here,
+  // since the frame has children that may have clobbered it in the observer.
+  EXPECT_EQ(foo_url, root->child_at(1)->current_url());
+
+  // Load cross-site page into subframe's subframe.
+  ASSERT_EQ(2U, root->child_at(1)->child_count());
+  GURL bar_url(embedded_test_server()->GetURL("bar.com", "/title1.html"));
+  NavigateFrameToURL(root->child_at(1)->child_at(0), bar_url);
+  EXPECT_TRUE(observer.navigation_succeeded());
+  EXPECT_EQ(bar_url, observer.navigation_url());
+
+  // Opening a popup in the sandboxed foo.com iframe should fail.
+  bool success = false;
+  EXPECT_TRUE(
+      ExecuteScriptAndExtractBool(root->child_at(1)->current_frame_host(),
+                                  "window.domAutomationController.send("
+                                  "!window.open('data:text/html,dataurl'));",
+                                  &success));
+  EXPECT_TRUE(success);

[nasko, 2015/01/20 23:26:49]

Might be useful to install an observer monitoring for new windows created on the
browser side. This way we don't rely only on blink and JS, but double check our
expectations.

[alexmos, 2015/01/21 02:10:43]

Good point.  I added checks that Shell::windows().size() stays at 1 after each
call (see PS7), which seemed a bit simpler than installing an observer.  Would
this be sufficient?

[nasko, 2015/01/21 17:36:37]

Yes, that is totally fine.

+
+  // Opening a popup in a frame whose parent is sandboxed should also fail.
+  // Here, bar.com frame's sandboxed parent frame is a remote frame in
+  // bar.com's process.
+  success = false;
+  EXPECT_TRUE(ExecuteScriptAndExtractBool(
+      root->child_at(1)->child_at(0)->current_frame_host(),
+      "window.domAutomationController.send("
+      "!window.open('data:text/html,dataurl'));",
+      &success));
+  EXPECT_TRUE(success);
+
+  // Same, but now try the case where bar.com frame's sandboxed parent is a
+  // local frame in bar.com's process.
+  success = false;
+  EXPECT_TRUE(ExecuteScriptAndExtractBool(
+      root->child_at(2)->child_at(0)->current_frame_host(),
+      "window.domAutomationController.send("
+      "!window.open('data:text/html,dataurl'));",
+      &success));
+  EXPECT_TRUE(success);
+
+  // Check that foo.com frame's location.ancestorOrigins contains the correct
+  // origin for the parent, which should be unaffected by sandboxing.
+  int ancestor_origins_length = 0;
+  EXPECT_TRUE(ExecuteScriptAndExtractInt(
+      root->child_at(1)->current_frame_host(),
+      "window.domAutomationController.send(location.ancestorOrigins.length);",
+      &ancestor_origins_length));
+  EXPECT_EQ(1, ancestor_origins_length);
+  std::string result;
+  EXPECT_TRUE(ExecuteScriptAndExtractString(
+      root->child_at(1)->current_frame_host(),
+      "window.domAutomationController.send(location.ancestorOrigins[0]);",
+      &result));
+  EXPECT_EQ(result + "/", main_url.GetOrigin().spec());
+
+  // Now check location.ancestorOrigins for the bar.com frame. The middle frame
+  // (foo.com's) origin should be unique, since that frame is sandboxed, and
+  // the top frame should match |main_url|.
+  FrameTreeNode* bottom_child = root->child_at(1)->child_at(0);
+  EXPECT_TRUE(ExecuteScriptAndExtractInt(
+      bottom_child->current_frame_host(),
+      "window.domAutomationController.send(location.ancestorOrigins.length);",
+      &ancestor_origins_length));
+  EXPECT_EQ(2, ancestor_origins_length);
+  EXPECT_TRUE(ExecuteScriptAndExtractString(
+      bottom_child->current_frame_host(),
+      "window.domAutomationController.send(location.ancestorOrigins[0]);",
+      &result));
+  EXPECT_EQ(result, "null");
+  EXPECT_TRUE(ExecuteScriptAndExtractString(
+      bottom_child->current_frame_host(),
+      "window.domAutomationController.send(location.ancestorOrigins[1]);",
+      &result));
+  EXPECT_EQ(result + "/", main_url.GetOrigin().spec());
+}
+
 // TODO(lfg): Merge the test below with NavigateRemoteFrame test.
 // TODO(lfg): Disabled because this triggers http://crbug.com/433012, and since
 // the renderer process crashes, it causes the title watcher to never return.
 // Alternatively, this could also be fixed if we could use NavigateIframeToURL
 // and classified the navigation as MANUAL_SUBFRAME (http://crbug.com/441863) or
 // if we waited for DidStopLoading (currently broken -- see comment in
 // NavigateIframeToURL).
 IN_PROC_BROWSER_TEST_F(SitePerProcessBrowserTest,
                        DISABLED_NavigateRemoteToDataURL) {
   GURL main_url(embedded_test_server()->GetURL("/site_per_process_main.html"));
@@ skipping 114 matching lines @@
   params.frame_tree_node_id = child->frame_tree_node_id();
   child->navigator()->GetController()->LoadURLWithParams(params);
   nav_observer.Wait();
 
   // Verify that the navigation succeeded and the expected URL was loaded.
   EXPECT_TRUE(observer.navigation_succeeded());
   EXPECT_EQ(url, observer.navigation_url());
 }
 
 }  // namespace content