OLD | NEW |
(Empty) | |
| 1 // Copyright (c) 2013 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. |
| 4 |
| 5 #include "base/command_line.h" |
| 6 #include "base/stringprintf.h" |
| 7 #include "base/utf_string_conversions.h" |
| 8 #include "chrome/browser/ui/browser.h" |
| 9 #include "chrome/browser/ui/browser_commands.h" |
| 10 #include "chrome/browser/ui/singleton_tabs.h" |
| 11 #include "chrome/browser/ui/tabs/tab_strip_model.h" |
| 12 #include "chrome/test/base/in_process_browser_test.h" |
| 13 #include "chrome/test/base/ui_test_utils.h" |
| 14 #include "content/public/browser/notification_observer.h" |
| 15 #include "content/public/browser/notification_service.h" |
| 16 #include "content/public/browser/notification_types.h" |
| 17 #include "content/public/browser/resource_request_details.h" |
| 18 #include "content/public/browser/web_contents_observer.h" |
| 19 #include "content/public/common/content_switches.h" |
| 20 #include "content/public/test/browser_test_utils.h" |
| 21 |
| 22 // The goal of these tests is to "simulate" exploited renderer processes, which |
| 23 // can send arbitrary IPC messages and confuse browser process internal state, |
| 24 // leading to security bugs. We are trying to verify that the browser doesn't |
| 25 // perform any dangerous operations in such cases. |
| 26 // This is similar to the security_exploit_browsertest.cc tests, but also |
| 27 // includes chrome/ layer concepts such as extensions. |
| 28 class ChromeSecurityExploitBrowserTest : public InProcessBrowserTest { |
| 29 public: |
| 30 ChromeSecurityExploitBrowserTest() {} |
| 31 virtual ~ChromeSecurityExploitBrowserTest() {} |
| 32 |
| 33 virtual void SetUpCommandLine(CommandLine* command_line) { |
| 34 ASSERT_TRUE(test_server()->Start()); |
| 35 net::TestServer https_server( |
| 36 net::TestServer::TYPE_HTTPS, |
| 37 net::TestServer::kLocalhost, |
| 38 base::FilePath(FILE_PATH_LITERAL("chrome/test/data"))); |
| 39 ASSERT_TRUE(https_server.Start()); |
| 40 |
| 41 // Add a host resolver rule to map all outgoing requests to the test server. |
| 42 // This allows us to use "real" hostnames in URLs, which we can use to |
| 43 // create arbitrary SiteInstances. |
| 44 command_line->AppendSwitchASCII( |
| 45 switches::kHostResolverRules, |
| 46 "MAP * " + test_server()->host_port_pair().ToString() + |
| 47 ",EXCLUDE localhost"); |
| 48 |
| 49 // Since we assume exploited renderer process, it can bypass the same origin |
| 50 // policy at will. Simulate that by passing the disable-web-security flag. |
| 51 command_line->AppendSwitch(switches::kDisableWebSecurity); |
| 52 } |
| 53 |
| 54 private: |
| 55 DISALLOW_COPY_AND_ASSIGN(ChromeSecurityExploitBrowserTest); |
| 56 }; |
| 57 |
| 58 IN_PROC_BROWSER_TEST_F(ChromeSecurityExploitBrowserTest, |
| 59 ChromeExtensionResources) { |
| 60 // Load a page that requests a chrome-extension:// image through XHR. We |
| 61 // expect this load to fail, as it is an illegal request. |
| 62 GURL foo("http://foo.com/files/chrome_extension_resource.html"); |
| 63 |
| 64 content::DOMMessageQueue msg_queue; |
| 65 |
| 66 ui_test_utils::NavigateToURL(browser(), foo); |
| 67 |
| 68 std::string status; |
| 69 std::string expected_status("0"); |
| 70 EXPECT_TRUE(msg_queue.WaitForMessage(&status)); |
| 71 EXPECT_STREQ(status.c_str(), expected_status.c_str()); |
| 72 } |
OLD | NEW |