content/child/site_isolation_policy_browsertest.cc

   1 // Copyright 2013 The Chromium Authors. All rights reserved.
   2 // Use of this source code is governed by a BSD-style license that can be
   3 // found in the LICENSE file.
   4
   5 #include "base/command_line.h"
   6 #include "content/public/common/content_switches.h"
   7 #include "content/public/test/browser_test_utils.h"
   8 #include "content/public/test/content_browser_test.h"
   9 #include "content/public/test/content_browser_test_utils.h"
  10
  11 namespace content {
  12
  13 // These tests simulate exploited renderer processes, which can fetch arbitrary
  14 // resources from other websites, not constrained by the Same Origin Policy.  We
  15 // are trying to verify that the renderer cannot fetch any cross-site document
  16 // responses even when the Same Origin Policy is turned off inside the renderer.
  17 class SiteIsolationPolicyBrowserTest : public ContentBrowserTest {
  18  public:
  19   SiteIsolationPolicyBrowserTest() {}
  20   ~SiteIsolationPolicyBrowserTest() override {}
  21
  22   void SetUpCommandLine(base::CommandLine* command_line) override {
  23     ASSERT_TRUE(test_server()->Start());
  24     net::SpawnedTestServer https_server(
  25         net::SpawnedTestServer::TYPE_HTTPS,
  26         net::SpawnedTestServer::kLocalhost,
  27         base::FilePath(FILE_PATH_LITERAL("content/test/data")));
  28     ASSERT_TRUE(https_server.Start());
  29
  30     // Add a host resolver rule to map all outgoing requests to the test server.
  31     // This allows us to use "real" hostnames in URLs, which we can use to
  32     // create arbitrary SiteInstances.
  33     command_line->AppendSwitchASCII(
  34         switches::kHostResolverRules,
  35         "MAP * " + test_server()->host_port_pair().ToString() +
  36             ",EXCLUDE localhost");
  37
  38     // Since we assume exploited renderer process, it can bypass the same origin
  39     // policy at will. Simulate that by passing the disable-web-security flag.
  40     command_line->AppendSwitch(switches::kDisableWebSecurity);
  41
  42     // We assume that we're using our cross-site document blocking logic which
  43     // is turned on even when the Same Origin Policy is turned off.
  44     command_line->AppendSwitch(switches::kBlockCrossSiteDocuments);
  45   }
  46
  47  private:
  48   DISALLOW_COPY_AND_ASSIGN(SiteIsolationPolicyBrowserTest);
  49 };
  50
  51 // TODO(dsjang): we cannot run these tests on Android since SetUpCommandLine()
  52 // is executed before the I/O thread is created on Android. After this bug
  53 // (crbug.com/278425) is resolved, we can enable this test case on Android.
  54 #if defined(OS_ANDROID)
  55 #define MAYBE_CrossSiteDocumentBlockingForMimeType \
  56   DISABLED_CrossSiteDocumentBlockingForMimeType
  57 #else
  58 #define MAYBE_CrossSiteDocumentBlockingForMimeType \
  59   CrossSiteDocumentBlockingForMimeType
  60 #endif
  61
  62 IN_PROC_BROWSER_TEST_F(SiteIsolationPolicyBrowserTest,
  63                        MAYBE_CrossSiteDocumentBlockingForMimeType) {
  64   // Load a page that issues illegal cross-site document requests to bar.com.
  65   // The page uses XHR to request HTML/XML/JSON documents from bar.com, and
  66   // inspects if any of them were successfully received. The XHR requests will
  67   // get a one character string ' ' for a blocked response. This test is only
  68   // possible since we run the browser without the same origin policy.
  69   GURL foo("http://foo.com/files/cross_site_document_request.html");
  70
  71   content::DOMMessageQueue msg_queue;
  72
  73   NavigateToURL(shell(), foo);
  74
  75   std::string status;
  76   // The page will return 1 from the DOMAutomationController if it succeeds,
  77   // otherwise it will return 0.
  78   std::string expected_status("1");
  79   EXPECT_TRUE(msg_queue.WaitForMessage(&status));
  80   EXPECT_STREQ(status.c_str(), expected_status.c_str());
  81 }
  82
  83 // TODO(dsjang): we cannot run these tests on Android since SetUpCommandLine()
  84 // is executed before the I/O thread is created on Android. After this bug
  85 // (crbug.com/278425) is resolved, we can enable this test case on Android.
  86 #if defined(OS_ANDROID)
  87 #define MAYBE_CrossSiteDocumentBlockingForDifferentTargets \
  88   DISABLED_CrossSiteDocumentBlockingForDifferentTargets
  89 #else
  90 #define MAYBE_CrossSiteDocumentBlockingForDifferentTargets \
  91   CrossSiteDocumentBlockingForDifferentTargets
  92 #endif
  93
  94 IN_PROC_BROWSER_TEST_F(SiteIsolationPolicyBrowserTest,
  95                        MAYBE_CrossSiteDocumentBlockingForDifferentTargets) {
  96   // TODO(creis): Re-enable this test in --site-per-process mode once we support
  97   // sibling frames from the same site with correct DidStopLoading behavior.
  98   // See http://crbug.com/419087 and http://crbug.com/436250.
  99   if (base::CommandLine::ForCurrentProcess()->HasSwitch(
 100           switches::kSitePerProcess))
 101     return;
 102
 103   // This webpage loads a cross-site HTML page in different targets such as
 104   // <img>,<link>,<embed>, etc. Since the requested document is blocked, and one
 105   // character string (' ') is returned instead, this tests that the renderer
 106   // does not crash even when it receives a response body which is " ", whose
 107   // length is different from what's described in "content-length" for such
 108   // different targets.
 109   GURL foo("http://foo.com/files/cross_site_document_request_target.html");
 110   NavigateToURL(shell(), foo);
 111 }
 112
 113 }