authortsepez@chromium.org <tsepez@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2011-05-13 16:45:12 +0000
committertsepez@chromium.org <tsepez@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2011-05-13 16:45:12 +0000
commit2fb95db2941727bb10a6eedaee3a1bef0af00a1c (patch)
treedb6ada547274d0ccb5a571ced56f6283d97f5f05 /chrome/browser/ui/login
parent6a8f51186bb732bbeb40ef39eb87fb2ba7d882bb (diff)
Block HTTP basic auth from cross-orgin third-party content.
BUG=81251 TEST=browser_tests Review URL: http://codereview.chromium.org/6918001 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@85281 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'chrome/browser/ui/login')
-rw-r--r--chrome/browser/ui/login/login_prompt_browsertest.cc68
1 files changed, 68 insertions, 0 deletions
diff --git a/chrome/browser/ui/login/login_prompt_browsertest.cc b/chrome/browser/ui/login/login_prompt_browsertest.cc
index d8b29d3..ba2bd8c 100644
--- a/chrome/browser/ui/login/login_prompt_browsertest.cc
+++ b/chrome/browser/ui/login/login_prompt_browsertest.cc
@@ -17,6 +17,7 @@
#include "content/browser/renderer_host/resource_dispatcher_host.h"
#include "content/common/notification_service.h"
#include "net/base/auth.h"
+#include "net/base/mock_host_resolver.h"
namespace {
@@ -474,4 +475,71 @@ IN_PROC_BROWSER_TEST_F(LoginPromptBrowserTest, NoLoginPromptForFavicon) {
EXPECT_TRUE(test_server()->Stop());
}
+// Block crossdomain subresource login prompting as a phishing defense.
+IN_PROC_BROWSER_TEST_F(LoginPromptBrowserTest, BlockCrossdomainPrompt) {
+ const char* kTestPage = "files/login/load_img_from_b.html";
+
+ host_resolver()->AddRule("www.a.com", "127.0.0.1");
+ host_resolver()->AddRule("www.b.com", "127.0.0.1");
+ ASSERT_TRUE(test_server()->Start());
+
+ TabContentsWrapper* contents = browser()->GetSelectedTabContentsWrapper();
+ ASSERT_TRUE(contents);
+
+ NavigationController* controller = &contents->controller();
+ LoginPromptBrowserTestObserver observer;
+ observer.Register(Source<NavigationController>(controller));
+
+ // Load a page that has a cross-domain sub-resource authentication.
+ // There should be no login prompt.
+ {
+ GURL test_page = test_server()->GetURL(kTestPage);
+ ASSERT_EQ("127.0.0.1", test_page.host());
+
+ // Change the host from 127.0.0.1 to www.a.com so that when the
+ // page tries to load from b, it will be cross-origin.
+ std::string new_host("www.a.com");
+ GURL::Replacements replacements;
+ replacements.SetHostStr(new_host);
+ test_page = test_page.ReplaceComponents(replacements);
+
+ WindowedLoadStopObserver load_stop_waiter(controller);
+ browser()->OpenURL(test_page, GURL(), CURRENT_TAB, PageTransition::TYPED);
+ load_stop_waiter.Wait();
+ }
+
+ EXPECT_EQ(0, observer.auth_needed_count_);
+
+ // Now request the same page, but from the same origin.
+ // There should be one login prompt.
+ {
+ GURL test_page = test_server()->GetURL(kTestPage);
+ ASSERT_EQ("127.0.0.1", test_page.host());
+
+ // Change the host from 127.0.0.1 to www.b.com so that when the
+ // page tries to load from b, it will be same-origin.
+ std::string new_host("www.b.com");
+ GURL::Replacements replacements;
+ replacements.SetHostStr(new_host);
+ test_page = test_page.ReplaceComponents(replacements);
+
+ WindowedAuthNeededObserver auth_needed_waiter(controller);
+ browser()->OpenURL(test_page, GURL(), CURRENT_TAB, PageTransition::TYPED);
+ auth_needed_waiter.Wait();
+ ASSERT_EQ(1u, observer.handlers_.size());
+
+ while (!observer.handlers_.empty()) {
+ WindowedAuthCancelledObserver auth_cancelled_waiter(controller);
+ LoginHandler* handler = *observer.handlers_.begin();
+
+ ASSERT_TRUE(handler);
+ handler->CancelAuth();
+ auth_cancelled_waiter.Wait();
+ }
+ }
+
+ EXPECT_EQ(1, observer.auth_needed_count_);
+ EXPECT_TRUE(test_server()->Stop());
+}
+
} // namespace
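Review bot: The negative case at `EXPECT_EQ(0, observer.auth_needed_count_)` only exercises a host mismatch (www.a.com vs. www.b.com on the same scheme and port), so whether a scheme-only or port-only difference is also blocked is left untested even though the commit title speaks of cross-origin content; if the blocking logic (which lives outside this file) keys on host rather than full origin, that scope should be stated in the test comment, e.g. `// Only the host differs here; scheme and port match, so this covers` / `// host-mismatch blocking only.`. The first half also checks only that no prompt appeared before load-stop; it does not confirm that the cross-domain image request actually failed rather than completing silently (for instance with previously cached credentials), so an assertion on the subresource's outcome would make the "blocked" claim stronger. Minor style point on `const char* kTestPage = ...`: a pointer-to-const leaves the pointer itself mutable, `const char kTestPage[] = "files/login/load_img_from_b.html";` is the usual form for a local constant.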