| Index: chrome/browser/chrome_security_exploit_browsertest.cc
|
| diff --git a/chrome/browser/chrome_security_exploit_browsertest.cc b/chrome/browser/chrome_security_exploit_browsertest.cc
|
| new file mode 100644
|
| index 0000000000000000000000000000000000000000..fd9bdc5c745db1af9c6084c3a2c4f0f42f602e0d
|
| --- /dev/null
|
| +++ b/chrome/browser/chrome_security_exploit_browsertest.cc
|
| @@ -0,0 +1,72 @@
|
| +// Copyright (c) 2013 The Chromium Authors. All rights reserved.
|
| +// Use of this source code is governed by a BSD-style license that can be
|
| +// found in the LICENSE file.
|
| +
|
| +#include "base/command_line.h"
|
| +#include "base/stringprintf.h"
|
| +#include "base/utf_string_conversions.h"
|
| +#include "chrome/browser/ui/browser.h"
|
| +#include "chrome/browser/ui/browser_commands.h"
|
| +#include "chrome/browser/ui/singleton_tabs.h"
|
| +#include "chrome/browser/ui/tabs/tab_strip_model.h"
|
| +#include "chrome/test/base/in_process_browser_test.h"
|
| +#include "chrome/test/base/ui_test_utils.h"
|
| +#include "content/public/browser/notification_observer.h"
|
| +#include "content/public/browser/notification_service.h"
|
| +#include "content/public/browser/notification_types.h"
|
| +#include "content/public/browser/resource_request_details.h"
|
| +#include "content/public/browser/web_contents_observer.h"
|
| +#include "content/public/common/content_switches.h"
|
| +#include "content/public/test/browser_test_utils.h"
|
| +
|
| +// The goal of these tests is to "simulate" exploited renderer processes, which
|
| +// can send arbitrary IPC messages and confuse browser process internal state,
|
| +// leading to security bugs. We are trying to verify that the browser doesn't
|
| +// perform any dangerous operations in such cases.
|
| +// This is similar to the security_exploit_browsertest.cc tests, but also
|
| +// includes chrome/ layer concepts such as extensions.
|
| +class ChromeSecurityExploitBrowserTest : public InProcessBrowserTest {
|
| + public:
|
| + ChromeSecurityExploitBrowserTest() {}
|
| + virtual ~ChromeSecurityExploitBrowserTest() {}
|
| +
|
| + virtual void SetUpCommandLine(CommandLine* command_line) {
|
| + ASSERT_TRUE(test_server()->Start());
|
| + net::TestServer https_server(
|
| + net::TestServer::TYPE_HTTPS,
|
| + net::TestServer::kLocalhost,
|
| + base::FilePath(FILE_PATH_LITERAL("chrome/test/data")));
|
| + ASSERT_TRUE(https_server.Start());
|
| +
|
| + // Add a host resolver rule to map all outgoing requests to the test server.
|
| + // This allows us to use "real" hostnames in URLs, which we can use to
|
| + // create arbitrary SiteInstances.
|
| + command_line->AppendSwitchASCII(
|
| + switches::kHostResolverRules,
|
| + "MAP * " + test_server()->host_port_pair().ToString() +
|
| + ",EXCLUDE localhost");
|
| +
|
| + // Since we assume exploited renderer process, it can bypass the same origin
|
| + // policy at will. Simulate that by passing the disable-web-security flag.
|
| + command_line->AppendSwitch(switches::kDisableWebSecurity);
|
| + }
|
| +
|
| + private:
|
| + DISALLOW_COPY_AND_ASSIGN(ChromeSecurityExploitBrowserTest);
|
| +};
|
| +
|
| +IN_PROC_BROWSER_TEST_F(ChromeSecurityExploitBrowserTest,
|
| + ChromeExtensionResources) {
|
| + // Load a page that requests a chrome-extension:// image through XHR. We
|
| + // expect this load to fail, as it is an illegal request.
|
| + GURL foo("http://foo.com/files/chrome_extension_resource.html");
|
| +
|
| + content::DOMMessageQueue msg_queue;
|
| +
|
| + ui_test_utils::NavigateToURL(browser(), foo);
|
| +
|
| + std::string status;
|
| + std::string expected_status("0");
|
| + EXPECT_TRUE(msg_queue.WaitForMessage(&status));
|
| + EXPECT_STREQ(status.c_str(), expected_status.c_str());
|
| +}
|
|
|
Chromium Code Reviews
Issue 12457042:
Non-web-accessible extension URLs should not load in non-extension processes (Closed)
Base URL: svn://svn.chromium.org/chrome/trunk/src