OLD | NEW |
(Empty) | |
| 1 // Copyright (c) 2013 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. |
| 4 |
| 5 #include "base/command_line.h" |
| 6 #include "content/public/common/content_switches.h" |
| 7 #include "content/public/test/browser_test_utils.h" |
| 8 #include "content/test/content_browser_test.h" |
| 9 #include "content/test/content_browser_test_utils.h" |
| 10 |
| 11 namespace content { |
| 12 |
| 13 // These tests simulate exploited renderer processes, which can fetch arbitrary |
| 14 // resources from other websites, not constrained by the Same Origin Policy. We |
| 15 // are trying to verify that the renderer cannot fetch any cross-site document |
| 16 // responses even when the Same Origin Policy is turned off inside the renderer. |
| 17 class SiteIsolationPolicyBrowserTest : public ContentBrowserTest { |
| 18 public: |
| 19 SiteIsolationPolicyBrowserTest() {} |
| 20 virtual ~SiteIsolationPolicyBrowserTest() {} |
| 21 |
| 22 virtual void SetUpCommandLine(CommandLine* command_line) OVERRIDE { |
| 23 ASSERT_TRUE(test_server()->Start()); |
| 24 net::SpawnedTestServer https_server( |
| 25 net::SpawnedTestServer::TYPE_HTTPS, |
| 26 net::SpawnedTestServer::kLocalhost, |
| 27 base::FilePath(FILE_PATH_LITERAL("content/test/data"))); |
| 28 ASSERT_TRUE(https_server.Start()); |
| 29 |
| 30 // Add a host resolver rule to map all outgoing requests to the test server. |
| 31 // This allows us to use "real" hostnames in URLs, which we can use to |
| 32 // create arbitrary SiteInstances. |
| 33 command_line->AppendSwitchASCII( |
| 34 switches::kHostResolverRules, |
| 35 "MAP * " + test_server()->host_port_pair().ToString() + |
| 36 ",EXCLUDE localhost"); |
| 37 |
| 38 // Since we assume exploited renderer process, it can bypass the same origin |
| 39 // policy at will. Simulate that by passing the disable-web-security flag. |
| 40 command_line->AppendSwitch(switches::kDisableWebSecurity); |
| 41 |
| 42 // We assume that we're using our cross-site document blocking logic which |
| 43 // is turned on even when the Same Origin Policy is turned off. |
| 44 command_line->AppendSwitch(switches::kBlockCrossSiteDocuments); |
| 45 } |
| 46 |
| 47 private: |
| 48 DISALLOW_COPY_AND_ASSIGN(SiteIsolationPolicyBrowserTest); |
| 49 }; |
| 50 |
| 51 // TODO(dsjang): we cannot run these tests on Android since SetUpCommandLine() |
| 52 // is executed before the I/O thread is created on Android. After this bug |
| 53 // (crbug.com/278425) is resolved, we can enable this test case on Android. |
| 54 #if defined(OS_ANDROID) |
| 55 #define MAYBE_CrossSiteDocumentBlockingForMimeType \ |
| 56 DISABLED_CrossSiteDocumentBlockingForMimeType |
| 57 #else |
| 58 #define MAYBE_CrossSiteDocumentBlockingForMimeType \ |
| 59 CrossSiteDocumentBlockingForMimeType |
| 60 #endif |
| 61 |
| 62 IN_PROC_BROWSER_TEST_F(SiteIsolationPolicyBrowserTest, |
| 63 MAYBE_CrossSiteDocumentBlockingForMimeType) { |
| 64 // Load a page that issues illegal cross-site document requests to bar.com. |
| 65 // The page uses XHR to request HTML/XML/JSON documents from bar.com, and |
| 66 // inspects if any of them were successfully received. The XHR requests will |
| 67 // get a one character string ' ' for a blocked response. This test is only |
| 68 // possible since we run the browser without the same origin policy. |
| 69 GURL foo("http://foo.com/files/cross_site_document_request.html"); |
| 70 |
| 71 content::DOMMessageQueue msg_queue; |
| 72 |
| 73 NavigateToURL(shell(), foo); |
| 74 |
| 75 std::string status; |
| 76 // The page will return 1 from the DOMAutomationController if it succeeds, |
| 77 // otherwise it will return 0. |
| 78 std::string expected_status("1"); |
| 79 EXPECT_TRUE(msg_queue.WaitForMessage(&status)); |
| 80 EXPECT_STREQ(status.c_str(), expected_status.c_str()); |
| 81 } |
| 82 |
| 83 // TODO(dsjang): we cannot run these tests on Android since SetUpCommandLine() |
| 84 // is executed before the I/O thread is created on Android. After this bug |
| 85 // (crbug.com/278425) is resolved, we can enable this test case on Android. |
| 86 #if defined(OS_ANDROID) |
| 87 #define MAYBE_CrossSiteDocumentBlockingForDifferentTargets \ |
| 88 DISABLED_CrossSiteDocumentBlockingForDifferentTargets |
| 89 #else |
| 90 #define MAYBE_CrossSiteDocumentBlockingForDifferentTargets \ |
| 91 CrossSiteDocumentBlockingForDifferentTargets |
| 92 #endif |
| 93 |
| 94 IN_PROC_BROWSER_TEST_F(SiteIsolationPolicyBrowserTest, |
| 95 MAYBE_CrossSiteDocumentBlockingForDifferentTargets) { |
| 96 // This webpage loads a cross-site HTML page in different targets such as |
| 97 // <img>,<link>,<embed>, etc. Since the requested document is blocked, and one |
| 98 // character string (' ') is returned instead, this tests that the renderer |
| 99 // does not crash even when it receives a response body which is " ", whose |
| 100 // length is different from what's described in "content-length" for such |
| 101 // different targets. |
| 102 GURL foo("http://foo.com/files/cross_site_document_request_target.html"); |
| 103 NavigateToURL(shell(), foo); |
| 104 } |
| 105 |
| 106 } |
OLD | NEW |