| Index: content/child/site_isolation_policy_browsertest.cc
|
| diff --git a/content/child/site_isolation_policy_browsertest.cc b/content/child/site_isolation_policy_browsertest.cc
|
| new file mode 100644
|
| index 0000000000000000000000000000000000000000..da13eb293cc422e567d7514c0db3b73cf52856cc
|
| --- /dev/null
|
| +++ b/content/child/site_isolation_policy_browsertest.cc
|
| @@ -0,0 +1,106 @@
|
| +// Copyright (c) 2013 The Chromium Authors. All rights reserved.
|
| +// Use of this source code is governed by a BSD-style license that can be
|
| +// found in the LICENSE file.
|
| +
|
| +#include "base/command_line.h"
|
| +#include "content/public/common/content_switches.h"
|
| +#include "content/public/test/browser_test_utils.h"
|
| +#include "content/test/content_browser_test.h"
|
| +#include "content/test/content_browser_test_utils.h"
|
| +
|
| +namespace content {
|
| +
|
| +// These tests simulate exploited renderer processes, which can fetch arbitrary
|
| +// resources from other websites, not constrained by the Same Origin Policy. We
|
| +// are trying to verify that the renderer cannot fetch any cross-site document
|
| +// responses even when the Same Origin Policy is turned off inside the renderer.
|
| +class SiteIsolationPolicyBrowserTest : public ContentBrowserTest {
|
| + public:
|
| + SiteIsolationPolicyBrowserTest() {}
|
| + virtual ~SiteIsolationPolicyBrowserTest() {}
|
| +
|
| + virtual void SetUpCommandLine(CommandLine* command_line) OVERRIDE {
|
| + ASSERT_TRUE(test_server()->Start());
|
| + net::SpawnedTestServer https_server(
|
| + net::SpawnedTestServer::TYPE_HTTPS,
|
| + net::SpawnedTestServer::kLocalhost,
|
| + base::FilePath(FILE_PATH_LITERAL("content/test/data")));
|
| + ASSERT_TRUE(https_server.Start());
|
| +
|
| + // Add a host resolver rule to map all outgoing requests to the test server.
|
| + // This allows us to use "real" hostnames in URLs, which we can use to
|
| + // create arbitrary SiteInstances.
|
| + command_line->AppendSwitchASCII(
|
| + switches::kHostResolverRules,
|
| + "MAP * " + test_server()->host_port_pair().ToString() +
|
| + ",EXCLUDE localhost");
|
| +
|
| + // Since we assume exploited renderer process, it can bypass the same origin
|
| + // policy at will. Simulate that by passing the disable-web-security flag.
|
| + command_line->AppendSwitch(switches::kDisableWebSecurity);
|
| +
|
| + // We assume that we're using our cross-site document blocking logic which
|
| + // is turned on even when the Same Origin Policy is turned off.
|
| + command_line->AppendSwitch(switches::kBlockCrossSiteDocuments);
|
| + }
|
| +
|
| + private:
|
| + DISALLOW_COPY_AND_ASSIGN(SiteIsolationPolicyBrowserTest);
|
| +};
|
| +
|
| +// TODO(dsjang): we cannot run these tests on Android since SetUpCommandLine()
|
| +// is executed before the I/O thread is created on Android. After this bug
|
| +// (crbug.com/278425) is resolved, we can enable this test case on Android.
|
| +#if defined(OS_ANDROID)
|
| +#define MAYBE_CrossSiteDocumentBlockingForMimeType \
|
| + DISABLED_CrossSiteDocumentBlockingForMimeType
|
| +#else
|
| +#define MAYBE_CrossSiteDocumentBlockingForMimeType \
|
| + CrossSiteDocumentBlockingForMimeType
|
| +#endif
|
| +
|
| +IN_PROC_BROWSER_TEST_F(SiteIsolationPolicyBrowserTest,
|
| + MAYBE_CrossSiteDocumentBlockingForMimeType) {
|
| + // Load a page that issues illegal cross-site document requests to bar.com.
|
| + // The page uses XHR to request HTML/XML/JSON documents from bar.com, and
|
| + // inspects if any of them were successfully received. The XHR requests will
|
| + // get a one character string ' ' for a blocked response. This test is only
|
| + // possible since we run the browser without the same origin policy.
|
| + GURL foo("http://foo.com/files/cross_site_document_request.html");
|
| +
|
| + content::DOMMessageQueue msg_queue;
|
| +
|
| + NavigateToURL(shell(), foo);
|
| +
|
| + std::string status;
|
| + // The page will return 1 from the DOMAutomationController if it succeeds,
|
| + // otherwise it will return 0.
|
| + std::string expected_status("1");
|
| + EXPECT_TRUE(msg_queue.WaitForMessage(&status));
|
| + EXPECT_STREQ(status.c_str(), expected_status.c_str());
|
| +}
|
| +
|
| +// TODO(dsjang): we cannot run these tests on Android since SetUpCommandLine()
|
| +// is executed before the I/O thread is created on Android. After this bug
|
| +// (crbug.com/278425) is resolved, we can enable this test case on Android.
|
| +#if defined(OS_ANDROID)
|
| +#define MAYBE_CrossSiteDocumentBlockingForDifferentTargets \
|
| + DISABLED_CrossSiteDocumentBlockingForDifferentTargets
|
| +#else
|
| +#define MAYBE_CrossSiteDocumentBlockingForDifferentTargets \
|
| + CrossSiteDocumentBlockingForDifferentTargets
|
| +#endif
|
| +
|
| +IN_PROC_BROWSER_TEST_F(SiteIsolationPolicyBrowserTest,
|
| + MAYBE_CrossSiteDocumentBlockingForDifferentTargets) {
|
| + // This webpage loads a cross-site HTML page in different targets such as
|
| + // <img>,<link>,<embed>, etc. Since the requested document is blocked, and one
|
| + // character string (' ') is returned instead, this tests that the renderer
|
| + // does not crash even when it receives a response body which is " ", whose
|
| + // length is different from what's described in "content-length" for such
|
| + // different targets.
|
| + GURL foo("http://foo.com/files/cross_site_document_request_target.html");
|
| + NavigateToURL(shell(), foo);
|
| +}
|
| +
|
| +}
|
|
|
Chromium Code Reviews
Issue 22254005:
UMA data collector for cross-site documents(XSD) (Closed)
Base URL: https://chromium.googlesource.com/chromium/src.git@lkgr