1// Copyright (c) 2013 The Chromium Authors. All rights reserved. 2// Use of this source code is governed by a BSD-style license that can be 3// found in the LICENSE file. 4 5#include "base/command_line.h" 6#include "base/strings/stringprintf.h" 7#include "base/strings/utf_string_conversions.h" 8#include "chrome/browser/ui/browser.h" 9#include "chrome/browser/ui/browser_commands.h" 10#include "chrome/browser/ui/singleton_tabs.h" 11#include "chrome/browser/ui/tabs/tab_strip_model.h" 12#include "chrome/test/base/in_process_browser_test.h" 13#include "chrome/test/base/ui_test_utils.h" 14#include "content/public/browser/notification_observer.h" 15#include "content/public/browser/notification_service.h" 16#include "content/public/browser/notification_types.h" 17#include "content/public/browser/resource_request_details.h" 18#include "content/public/browser/web_contents_observer.h" 19#include "content/public/common/content_switches.h" 20#include "content/public/test/browser_test_utils.h" 21 22// The goal of these tests is to "simulate" exploited renderer processes, which 23// can send arbitrary IPC messages and confuse browser process internal state, 24// leading to security bugs. We are trying to verify that the browser doesn't 25// perform any dangerous operations in such cases. 26// This is similar to the security_exploit_browsertest.cc tests, but also 27// includes chrome/ layer concepts such as extensions. 28class ChromeSecurityExploitBrowserTest : public InProcessBrowserTest { 29 public: 30 ChromeSecurityExploitBrowserTest() {} 31 virtual ~ChromeSecurityExploitBrowserTest() {} 32 33 virtual void SetUpCommandLine(CommandLine* command_line) OVERRIDE { 34 ASSERT_TRUE(test_server()->Start()); 35 net::SpawnedTestServer https_server( 36 net::SpawnedTestServer::TYPE_HTTPS, 37 net::SpawnedTestServer::kLocalhost, 38 base::FilePath(FILE_PATH_LITERAL("chrome/test/data"))); 39 ASSERT_TRUE(https_server.Start()); 40 41 // Add a host resolver rule to map all outgoing requests to the test server. 42 // This allows us to use "real" hostnames in URLs, which we can use to 43 // create arbitrary SiteInstances. 44 command_line->AppendSwitchASCII( 45 switches::kHostResolverRules, 46 "MAP * " + test_server()->host_port_pair().ToString() + 47 ",EXCLUDE localhost"); 48 49 // Since we assume exploited renderer process, it can bypass the same origin 50 // policy at will. Simulate that by passing the disable-web-security flag. 51 command_line->AppendSwitch(switches::kDisableWebSecurity); 52 } 53 54 private: 55 DISALLOW_COPY_AND_ASSIGN(ChromeSecurityExploitBrowserTest); 56}; 57 58IN_PROC_BROWSER_TEST_F(ChromeSecurityExploitBrowserTest, 59 ChromeExtensionResources) { 60 // Load a page that requests a chrome-extension:// image through XHR. We 61 // expect this load to fail, as it is an illegal request. 62 GURL foo("http://foo.com/files/chrome_extension_resource.html"); 63 64 content::DOMMessageQueue msg_queue; 65 66 ui_test_utils::NavigateToURL(browser(), foo); 67 68 std::string status; 69 std::string expected_status("0"); 70 EXPECT_TRUE(msg_queue.WaitForMessage(&status)); 71 EXPECT_STREQ(status.c_str(), expected_status.c_str()); 72} 73