author | creis <creis@chromium.org> | 2015-08-17 17:12:15 -0700 |
---|---|---|
committer | Commit bot <commit-bot@chromium.org> | 2015-08-18 00:12:54 +0000 |
commit | 3710b238717b14967922263070cac76257a55ac5 (patch) | |
tree | 2d445ded948042875beac31305164d84bb4a2a42 /content/browser/child_process_security_policy_unittest.cc | |
parent | 23db20448ae0c908a1a55fb7bcd2791f37826051 (diff) | |
Validate the Origin HTTP header in the browser process.
Web renderer processes should not be able to set the Origin header
to WebUI, Chrome App, or invalid origins. (Note that Chrome App
origins may be allowed in some cases if they have guest processes
with accessible_resources.)
Most of these checks can be enforced by ChildProcessSecurityPolicy,
but we call out to ContentBrowserClient for the extension/app checks.
BUG=513502
TEST=Should only affect compromised renderer processes.
Review URL: https://codereview.chromium.org/1270663002
Cr-Commit-Position: refs/heads/master@{#343778}
Diffstat (limited to 'content/browser/child_process_security_policy_unittest.cc')
-rw-r--r-- | content/browser/child_process_security_policy_unittest.cc | 68 |
1 files changed, 62 insertions, 6 deletions
diff --git a/content/browser/child_process_security_policy_unittest.cc b/content/browser/child_process_security_policy_unittest.cc index 678e3d2..beb85b6 100644 --- a/content/browser/child_process_security_policy_unittest.cc +++ b/content/browser/child_process_security_policy_unittest.cc @@ -155,21 +155,35 @@ TEST_F(ChildProcessSecurityPolicyTest, StandardSchemesTest) { p->Add(kRendererID); - // Safe + // Safe to request or commit. EXPECT_TRUE(p->CanRequestURL(kRendererID, GURL("http://www.google.com/"))); EXPECT_TRUE(p->CanRequestURL(kRendererID, GURL("https://www.paypal.com/"))); EXPECT_TRUE(p->CanRequestURL(kRendererID, GURL("ftp://ftp.gnu.org/"))); EXPECT_TRUE(p->CanRequestURL(kRendererID, GURL("data:text/html,<b>Hi</b>"))); - EXPECT_TRUE(p->CanRequestURL(kRendererID, - GURL("view-source:http://www.google.com/"))); EXPECT_TRUE(p->CanRequestURL( kRendererID, GURL("filesystem:http://localhost/temporary/a.gif"))); + EXPECT_TRUE(p->CanCommitURL(kRendererID, GURL("http://www.google.com/"))); + EXPECT_TRUE(p->CanCommitURL(kRendererID, GURL("https://www.paypal.com/"))); + EXPECT_TRUE(p->CanCommitURL(kRendererID, GURL("ftp://ftp.gnu.org/"))); + EXPECT_TRUE(p->CanCommitURL(kRendererID, GURL("data:text/html,<b>Hi</b>"))); + EXPECT_TRUE(p->CanCommitURL( + kRendererID, GURL("filesystem:http://localhost/temporary/a.gif"))); - // Dangerous + // Safe to request but not commit. + EXPECT_TRUE(p->CanRequestURL(kRendererID, + GURL("view-source:http://www.google.com/"))); + EXPECT_FALSE(p->CanCommitURL(kRendererID, + GURL("view-source:http://www.google.com/"))); + + // Dangerous to request or commit. EXPECT_FALSE(p->CanRequestURL(kRendererID, GURL("file:///etc/passwd"))); EXPECT_FALSE(p->CanRequestURL(kRendererID, GURL("chrome://foo/bar"))); + EXPECT_FALSE(p->CanCommitURL(kRendererID, + GURL("file:///etc/passwd"))); + EXPECT_FALSE(p->CanCommitURL(kRendererID, + GURL("chrome://foo/bar"))); p->Remove(kRendererID); } 
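Review bot: The "Dangerous to request or commit" group in StandardSchemesTest has no case for an invalid URL, although the commit message lists invalid origins among the values a renderer must not be able to assert. The added `CanCommitURL` checks cover a local file URL and a WebUI URL only, so a regression that let an empty or unparsable URL through would not be caught here. If the policy is meant to reject such input, consider adding `EXPECT_FALSE(p->CanCommitURL(kRendererID, GURL()));` next to the `chrome://foo/bar` check; the diffstat is limited to this file, so this may already be covered elsewhere. The test body begins above the hunk.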
@@ -184,24 +198,37 @@ TEST_F(ChildProcessSecurityPolicyTest, AboutTest) { EXPECT_TRUE(p->CanRequestURL(kRendererID, GURL("about:BlAnK"))); EXPECT_TRUE(p->CanRequestURL(kRendererID, GURL("aBouT:BlAnK"))); EXPECT_TRUE(p->CanRequestURL(kRendererID, GURL("aBouT:blank"))); + EXPECT_TRUE(p->CanCommitURL(kRendererID, GURL("about:blank"))); + EXPECT_TRUE(p->CanCommitURL(kRendererID, GURL("about:BlAnK"))); + EXPECT_TRUE(p->CanCommitURL(kRendererID, GURL("aBouT:BlAnK"))); + EXPECT_TRUE(p->CanCommitURL(kRendererID, GURL("aBouT:blank"))); EXPECT_FALSE(p->CanRequestURL(kRendererID, GURL("about:memory"))); EXPECT_FALSE(p->CanRequestURL(kRendererID, GURL("about:crash"))); EXPECT_FALSE(p->CanRequestURL(kRendererID, GURL("about:cache"))); EXPECT_FALSE(p->CanRequestURL(kRendererID, GURL("about:hang"))); + EXPECT_FALSE(p->CanCommitURL(kRendererID, GURL("about:memory"))); + EXPECT_FALSE(p->CanCommitURL(kRendererID, GURL("about:crash"))); + EXPECT_FALSE(p->CanCommitURL(kRendererID, GURL("about:cache"))); + EXPECT_FALSE(p->CanCommitURL(kRendererID, GURL("about:hang"))); EXPECT_FALSE(p->CanRequestURL(kRendererID, GURL("aBoUt:memory"))); EXPECT_FALSE(p->CanRequestURL(kRendererID, GURL("about:CrASh"))); EXPECT_FALSE(p->CanRequestURL(kRendererID, GURL("abOuT:cAChe"))); + EXPECT_FALSE(p->CanCommitURL(kRendererID, GURL("aBoUt:memory"))); + EXPECT_FALSE(p->CanCommitURL(kRendererID, GURL("about:CrASh"))); + EXPECT_FALSE(p->CanCommitURL(kRendererID, GURL("abOuT:cAChe"))); // Requests for about: pages should be denied. p->GrantRequestURL(kRendererID, GURL("about:crash")); EXPECT_FALSE(p->CanRequestURL(kRendererID, GURL("about:crash"))); + EXPECT_FALSE(p->CanCommitURL(kRendererID, GURL("about:crash"))); // These requests for chrome:// pages should be granted. GURL chrome_url("chrome://foo"); p->GrantRequestURL(kRendererID, chrome_url); EXPECT_TRUE(p->CanRequestURL(kRendererID, chrome_url)); + EXPECT_TRUE(p->CanCommitURL(kRendererID, chrome_url)); p->Remove(kRendererID); } 
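Review bot: The last two blocks of AboutTest still carry comments that speak only of requests ("Requests for about: pages should be denied", "These requests for chrome:// pages should be granted"), while the new assertions show that `GrantRequestURL` also decides what the renderer may commit. That coupling is security-relevant and worth stating where it is tested, e.g. `// A request grant for chrome:// also lets this renderer commit chrome:// URLs.` above `EXPECT_TRUE(p->CanCommitURL(kRendererID, chrome_url));`. The same applies to the `file:///etc/passwd` grant in CanServiceCommandsTest further down. The test body starts outside the hunk.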
@@ -213,8 +240,10 @@ TEST_F(ChildProcessSecurityPolicyTest, JavaScriptTest) { p->Add(kRendererID); EXPECT_FALSE(p->CanRequestURL(kRendererID, GURL("javascript:alert('xss')"))); + EXPECT_FALSE(p->CanCommitURL(kRendererID, GURL("javascript:alert('xss')"))); p->GrantRequestURL(kRendererID, GURL("javascript:alert('xss')")); EXPECT_FALSE(p->CanRequestURL(kRendererID, GURL("javascript:alert('xss')"))); + EXPECT_FALSE(p->CanCommitURL(kRendererID, GURL("javascript:alert('xss')"))); p->Remove(kRendererID); } @@ -225,16 +254,20 @@ TEST_F(ChildProcessSecurityPolicyTest, RegisterWebSafeSchemeTest) { p->Add(kRendererID); - // Currently, "asdf" is destined for ShellExecute, so it is allowed. + // Currently, "asdf" is destined for ShellExecute, so it is allowed to be + // requested but not committed. EXPECT_TRUE(p->CanRequestURL(kRendererID, GURL("asdf:rockers"))); + EXPECT_FALSE(p->CanCommitURL(kRendererID, GURL("asdf:rockers"))); // Once we register "asdf", we default to deny. RegisterTestScheme("asdf"); EXPECT_FALSE(p->CanRequestURL(kRendererID, GURL("asdf:rockers"))); + EXPECT_FALSE(p->CanCommitURL(kRendererID, GURL("asdf:rockers"))); // We can allow new schemes by adding them to the whitelist. p->RegisterWebSafeScheme("asdf"); EXPECT_TRUE(p->CanRequestURL(kRendererID, GURL("asdf:rockers"))); + EXPECT_TRUE(p->CanCommitURL(kRendererID, GURL("asdf:rockers"))); // Cleanup. p->Remove(kRendererID); 
@@ -247,13 +280,16 @@ TEST_F(ChildProcessSecurityPolicyTest, CanServiceCommandsTest) { p->Add(kRendererID); EXPECT_FALSE(p->CanRequestURL(kRendererID, GURL("file:///etc/passwd"))); + EXPECT_FALSE(p->CanCommitURL(kRendererID, GURL("file:///etc/passwd"))); p->GrantRequestURL(kRendererID, GURL("file:///etc/passwd")); EXPECT_TRUE(p->CanRequestURL(kRendererID, GURL("file:///etc/passwd"))); + EXPECT_TRUE(p->CanCommitURL(kRendererID, GURL("file:///etc/passwd"))); // We should forget our state if we repeat a renderer id. p->Remove(kRendererID); p->Add(kRendererID); EXPECT_FALSE(p->CanRequestURL(kRendererID, GURL("file:///etc/passwd"))); + EXPECT_FALSE(p->CanCommitURL(kRendererID, GURL("file:///etc/passwd"))); p->Remove(kRendererID); } @@ -272,11 +308,25 @@ TEST_F(ChildProcessSecurityPolicyTest, ViewSource) { EXPECT_FALSE(p->CanRequestURL( kRendererID, GURL("view-source:view-source:http://www.google.com/"))); + // View source URLs don't actually commit; the renderer is put into view + // source mode, and the inner URL commits. + EXPECT_FALSE(p->CanCommitURL(kRendererID, + GURL("view-source:http://www.google.com/"))); + EXPECT_FALSE(p->CanCommitURL(kRendererID, + GURL("view-source:file:///etc/passwd"))); + EXPECT_FALSE(p->CanCommitURL(kRendererID, GURL("file:///etc/passwd"))); + EXPECT_FALSE(p->CanCommitURL( + kRendererID, GURL("view-source:view-source:http://www.google.com/"))); + + p->GrantRequestURL(kRendererID, GURL("view-source:file:///etc/passwd")); // View source needs to be able to request the embedded scheme. + EXPECT_TRUE(p->CanRequestURL(kRendererID, GURL("file:///etc/passwd"))); + EXPECT_TRUE(p->CanCommitURL(kRendererID, GURL("file:///etc/passwd"))); EXPECT_TRUE(p->CanRequestURL(kRendererID, GURL("view-source:file:///etc/passwd"))); - EXPECT_TRUE(p->CanRequestURL(kRendererID, GURL("file:///etc/passwd"))); + EXPECT_FALSE(p->CanCommitURL(kRendererID, + GURL("view-source:file:///etc/passwd"))); p->Remove(kRendererID); } 
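Review bot: In ViewSource, the assertions added after `GrantRequestURL(kRendererID, GURL("view-source:file:///etc/passwd"))` check only the granted path, so the test does not show how far the grant reaches. The SpecificFile test later in this file suggests that `GrantRequestURL` on a file URL opens other file URLs as well (the definition of `icon_url` is outside that hunk, so this is an inference); if that holds here, a view-source grant makes any file URL committable by this renderer. Please say so in the comment, e.g. follow "View source needs to be able to request the embedded scheme" with `// The grant applies to the inner scheme as a whole, for request and commit.`, or add an assertion on a second file path to pin the intended scope.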
@@ -291,14 +341,20 @@ TEST_F(ChildProcessSecurityPolicyTest, SpecificFile) { GURL sensitive_url("file:///etc/passwd"); EXPECT_FALSE(p->CanRequestURL(kRendererID, icon_url)); EXPECT_FALSE(p->CanRequestURL(kRendererID, sensitive_url)); + EXPECT_FALSE(p->CanCommitURL(kRendererID, icon_url)); + EXPECT_FALSE(p->CanCommitURL(kRendererID, sensitive_url)); p->GrantRequestSpecificFileURL(kRendererID, icon_url); EXPECT_TRUE(p->CanRequestURL(kRendererID, icon_url)); EXPECT_FALSE(p->CanRequestURL(kRendererID, sensitive_url)); + EXPECT_TRUE(p->CanCommitURL(kRendererID, icon_url)); + EXPECT_FALSE(p->CanCommitURL(kRendererID, sensitive_url)); p->GrantRequestURL(kRendererID, icon_url); EXPECT_TRUE(p->CanRequestURL(kRendererID, icon_url)); EXPECT_TRUE(p->CanRequestURL(kRendererID, sensitive_url)); + EXPECT_TRUE(p->CanCommitURL(kRendererID, icon_url)); + EXPECT_TRUE(p->CanCommitURL(kRendererID, sensitive_url)); p->Remove(kRendererID); } |