site_isolation_policy_browsertest.cc revision 424c4d7b64af9d0d8fd9624f381f469654d5e3d2
1424c4d7b64af9d0d8fd9624f381f469654d5e3d2Torne (Richard Coles)// Copyright 2013 The Chromium Authors. All rights reserved. 2424c4d7b64af9d0d8fd9624f381f469654d5e3d2Torne (Richard Coles)// Use of this source code is governed by a BSD-style license that can be 3424c4d7b64af9d0d8fd9624f381f469654d5e3d2Torne (Richard Coles)// found in the LICENSE file. 4424c4d7b64af9d0d8fd9624f381f469654d5e3d2Torne (Richard Coles) 5424c4d7b64af9d0d8fd9624f381f469654d5e3d2Torne (Richard Coles)#include "base/command_line.h" 6424c4d7b64af9d0d8fd9624f381f469654d5e3d2Torne (Richard Coles)#include "content/public/common/content_switches.h" 7424c4d7b64af9d0d8fd9624f381f469654d5e3d2Torne (Richard Coles)#include "content/public/test/browser_test_utils.h" 8424c4d7b64af9d0d8fd9624f381f469654d5e3d2Torne (Richard Coles)#include "content/test/content_browser_test.h" 9424c4d7b64af9d0d8fd9624f381f469654d5e3d2Torne (Richard Coles)#include "content/test/content_browser_test_utils.h" 10424c4d7b64af9d0d8fd9624f381f469654d5e3d2Torne (Richard Coles) 11424c4d7b64af9d0d8fd9624f381f469654d5e3d2Torne (Richard Coles)namespace content { 12424c4d7b64af9d0d8fd9624f381f469654d5e3d2Torne (Richard Coles) 13424c4d7b64af9d0d8fd9624f381f469654d5e3d2Torne (Richard Coles)// These tests simulate exploited renderer processes, which can fetch arbitrary 14424c4d7b64af9d0d8fd9624f381f469654d5e3d2Torne (Richard Coles)// resources from other websites, not constrained by the Same Origin Policy. We 15424c4d7b64af9d0d8fd9624f381f469654d5e3d2Torne (Richard Coles)// are trying to verify that the renderer cannot fetch any cross-site document 16424c4d7b64af9d0d8fd9624f381f469654d5e3d2Torne (Richard Coles)// responses even when the Same Origin Policy is turned off inside the renderer. 
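// Browser-test fixture for the cross-site document blocking tests. The browser
// is launched with web security disabled, which stands in for a renderer that
// has been exploited and no longer honours the Same Origin Policy, and with
// cross-site document blocking enabled. The tests then check that cross-site
// document responses are still withheld from the page.
//
// The disable-web-security switch models only the missing Same Origin Policy
// checks; it does not model arbitrary code running inside the renderer.
class SiteIsolationPolicyBrowserTest : public ContentBrowserTest {
 public:
  SiteIsolationPolicyBrowserTest() {}
  virtual ~SiteIsolationPolicyBrowserTest() {}

  // Starts the embedded test server and appends the switches that every test
  // in this fixture relies on:
  //   - a host resolver rule that sends all hostnames to the test server,
  //   - the switch that disables web security (the simulated compromise),
  //   - the switch that enables cross-site document blocking (the defence
  //     under test).
  virtual void SetUpCommandLine(CommandLine* command_line) OVERRIDE {
    // The test pages are requested over plain http:// URLs, so the embedded
    // HTTP test server is the only server this fixture needs. No separate
    // HTTPS server is spawned: a function-local one would be destroyed when
    // this method returns, before any test body runs.
    ASSERT_TRUE(test_server()->Start());

    // Add a host resolver rule to map all outgoing requests to the test server.
    // This allows us to use "real" hostnames in URLs, which we can use to
    // create arbitrary SiteInstances. "localhost" is excluded from the mapping.
    command_line->AppendSwitchASCII(
        switches::kHostResolverRules,
        "MAP * " + test_server()->host_port_pair().ToString() +
            ",EXCLUDE localhost");

    // Since we assume an exploited renderer process, it can bypass the same
    // origin policy at will. Simulate that by passing the disable-web-security
    // flag.
    command_line->AppendSwitch(switches::kDisableWebSecurity);

    // We assume that we're using our cross-site document blocking logic, which
    // is turned on even when the Same Origin Policy is turned off.
    command_line->AppendSwitch(switches::kBlockCrossSiteDocuments);
  }

 private:
  DISALLOW_COPY_AND_ASSIGN(SiteIsolationPolicyBrowserTest);
};

// TODO(dsjang): we cannot run these tests on Android since SetUpCommandLine()
// is executed before the I/O thread is created on Android. After this bug
// (crbug.com/278425) is resolved, we can enable this test case on Android.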
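#if defined(OS_ANDROID)
#define MAYBE_CrossSiteDocumentBlockingForMimeType \
  DISABLED_CrossSiteDocumentBlockingForMimeType
#else
#define MAYBE_CrossSiteDocumentBlockingForMimeType \
  CrossSiteDocumentBlockingForMimeType
#endif

// Checks that XHR requests for cross-site HTML/XML/JSON documents are blocked
// even though the browser runs without the same origin policy.
//
// The verdict is computed by the script in the test page; this side only
// checks the status the page reports, so the HTML fixture is part of the
// test's logic and has to be reviewed together with it.
IN_PROC_BROWSER_TEST_F(SiteIsolationPolicyBrowserTest,
                       MAYBE_CrossSiteDocumentBlockingForMimeType) {
  // Load a page that issues illegal cross-site document requests to bar.com.
  // The page uses XHR to request HTML/XML/JSON documents from bar.com, and
  // inspects if any of them were successfully received. The XHR requests will
  // get a one character string ' ' for a blocked response. This test is only
  // possible since we run the browser without the same origin policy.
  GURL foo("http://foo.com/files/cross_site_document_request.html");

  // The queue is created before navigating; presumably so that a message sent
  // while the page is still loading is not missed.
  content::DOMMessageQueue msg_queue;

  NavigateToURL(shell(), foo);

  std::string status;
  // The page will return 1 from the DOMAutomationController if it succeeds,
  // otherwise it will return 0.
  const std::string expected_status("1");
  // Stop here if no message arrives: comparing an unset |status| below would
  // only add a second, misleading failure.
  ASSERT_TRUE(msg_queue.WaitForMessage(&status));
  // Expected value first, so that gtest labels the two values correctly when
  // the comparison fails.
  EXPECT_EQ(expected_status, status);
}

// TODO(dsjang): we cannot run these tests on Android since SetUpCommandLine()
// is executed before the I/O thread is created on Android. After this bug
// (crbug.com/278425) is resolved, we can enable this test case on Android.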
#if defined(OS_ANDROID)
#define MAYBE_CrossSiteDocumentBlockingForDifferentTargets \
  DISABLED_CrossSiteDocumentBlockingForDifferentTargets
#else
#define MAYBE_CrossSiteDocumentBlockingForDifferentTargets \
  CrossSiteDocumentBlockingForDifferentTargets
#endif

// Loads a page that pulls a cross-site HTML document into several kinds of
// element (<img>, <link>, <embed>, etc.). The document is blocked and a one
// character body (" ") is delivered in its place, so the body length no
// longer matches the "content-length" header. The test exists to show that
// the renderer does not crash on such a response for any of these targets.
//
// NOTE(review): the body contains no explicit expectation; it passes once
// NavigateToURL() returns. Whether a renderer crash during the load makes
// the test fail depends on NavigateToURL() and the harness - confirm.
IN_PROC_BROWSER_TEST_F(SiteIsolationPolicyBrowserTest,
                       MAYBE_CrossSiteDocumentBlockingForDifferentTargets) {
  NavigateToURL(
      shell(),
      GURL("http://foo.com/files/cross_site_document_request_target.html"));
}

}  // namespace content