author | tsepez@chromium.org <tsepez@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2012-09-20 18:44:18 +0000 |
---|---|---|
committer | tsepez@chromium.org <tsepez@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2012-09-20 18:44:18 +0000 |
commit | 3f45ab560e3f15ac086d86ec3ae91cf52b062765 (patch) | |
tree | 912230a1473f2a972de9679ef624b8be94447492 /chrome/test | |
parent | 09cce462153d6b99d4bc1555a5e6545599b96c09 (diff) | |
Ensure webstore URLs always have X-frame-options headers.
This covers at least one known case where GFE returns an error page without ever consulting the webstore itself, so the header is lacking, as well as potential misconfigurations down the road.
Review URL: https://chromiumcodereview.appspot.com/10913117
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@157802 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'chrome/test')
-rw-r--r-- | chrome/test/data/extensions/api_test/webstore_private/noframe.html | 44 | ||||
-rw-r--r-- | chrome/test/data/extensions/api_test/webstore_private/noframe.html.mock-http-headers | 4 |
2 files changed, 48 insertions, 0 deletions
diff --git a/chrome/test/data/extensions/api_test/webstore_private/noframe.html b/chrome/test/data/extensions/api_test/webstore_private/noframe.html
new file mode 100644
index 0000000..0d89f61
--- /dev/null
+++ b/chrome/test/data/extensions/api_test/webstore_private/noframe.html
@@ -0,0 +1,44 @@
+<!DOCTYPE html>
+<body onload="dropFrame()">
+This represents not an extension, but an HTML page within the test harness
+webstore origin (www.example.com), for which the response headers have been
+misconfigured to allow framing by the 127.0.0.1 origin.
+<script>
+var interval_id = -1;
+var check_count = 0;
+function dropFrame() {
+ var s = location.href.toString();
+ if (s.indexOf('127.0.0.1') > 0) {
+ // try to frame a copy of ourselves from the webstore origin.
+ var f = document.createElement('iframe');
+ f.src = s.replace('127.0.0.1', 'www.example.com');
+ f.onload = checkFrame;
+ f.onerror = checkFrame;
+ document.body.appendChild(f);
+ // There's an open issue in WK where neither onload or onerror fires
+ // when interrupted by XFO, so use a setInterval() workaround. Remove
+ // this workaround when resolved, but in the mean time, mark the test
+ // FLAKY, because there is no reason to believe the server will respond
+ // within the time frame.
+ interval_id = setInterval("checkFrame()", 500);
+ }
+}
+
+function checkFrame() {
+ try {
+ // If the frame was blocked, we instead have an about:blank frame which we
+ // can access.
+ x = window.frames[0].document.location.href;
+ document.title = 'PASS: ' + x;
+ clearInterval(interval_id);
+ }
+ catch (e) {
+ // Frame was not yet blocked, so we have no access.
+ if (++check_count > 40) {
+ document.title = 'FAIL';
+ clearInterval(interval_id);
+ }
+ }
+}
+</script>
+</html>
diff --git a/chrome/test/data/extensions/api_test/webstore_private/noframe.html.mock-http-headers b/chrome/test/data/extensions/api_test/webstore_private/noframe.html.mock-http-headers
new file mode 100644
index 0000000..7a90991
--- /dev/null
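Review bot: `x` in checkFrame is assigned without a declaration, `x = window.frames[0].document.location.href;`, so the test page creates an implicit global; it should be `var x = window.frames[0].document.location.href;`. In the same script, `setInterval("checkFrame()", 500)` hands the timer a string to evaluate, whereas `interval_id = setInterval(checkFrame, 500);` passes the function directly, matching the way onload and onerror are already wired just above. One point to confirm rather than a certain defect: an iframe appended with a src presumably still exposes its initial about:blank document until the navigation commits, in which case the try block can succeed before the webstore response (blocked or not) has arrived and report PASS early; if the harness only checks the title prefix, the comment "Frame was not yet blocked, so we have no access" would then describe the inverse of the actual sequence, and the check should distinguish the pre-navigation about:blank from the post-block one.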
+++ b/chrome/test/data/extensions/api_test/webstore_private/noframe.html.mock-http-headers
@@ -0,0 +1,4 @@
+HTTP/1.1 200 OK
+Cache-Control: no-cache
+Content-Type: text/html
+X-Frame-Options: allow-from http://127.0.0.1 |