      1 // Copyright (c) 2013 The Chromium Authors. All rights reserved.
      2 // Use of this source code is governed by a BSD-style license that can be
      3 // found in the LICENSE file.
      4 
      5 #include "base/command_line.h"
      6 #include "content/browser/renderer_host/render_view_host_impl.h"
      7 #include "content/browser/web_contents/web_contents_impl.h"
      8 #include "content/public/browser/notification_service.h"
      9 #include "content/public/browser/notification_types.h"
     10 #include "content/public/common/content_switches.h"
     11 #include "content/public/test/test_utils.h"
     12 #include "content/shell/shell.h"
     13 #include "content/test/content_browser_test.h"
     14 #include "content/test/content_browser_test_utils.h"
     15 
     16 namespace content {
     17 
// The goal of these tests is to "simulate" exploited renderer processes, which
// can send arbitrary IPC messages and confuse browser process internal state,
// leading to security bugs. The tests verify that the browser doesn't perform
// any dangerous operations in such cases.
class SecurityExploitBrowserTest : public ContentBrowserTest {
 public:
  SecurityExploitBrowserTest() {}

  // Starts the test server and appends a host resolver rule that points at it.
  // The ASSERT_TRUE makes this method return early if the server fails to
  // start, in which case no resolver rule is appended.
  virtual void SetUpCommandLine(CommandLine* command_line) OVERRIDE {
    ASSERT_TRUE(test_server()->Start());

    // Map all outgoing requests (localhost excluded) to the test server.
    // This lets tests use "real" hostnames in URLs, which in turn lets them
    // create arbitrary SiteInstances.
    const std::string resolver_rules =
        "MAP * " + test_server()->host_port_pair().ToString() +
        ",EXCLUDE localhost";
    command_line->AppendSwitchASCII(switches::kHostResolverRules,
                                    resolver_rules);
  }
};
     37 
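// Ensure that the browser kills the renderer process if we try to give it
// WebUI properties while it does not have WebUI bindings enabled.
IN_PROC_BROWSER_TEST_F(SecurityExploitBrowserTest, SetWebUIProperty) {
  GURL foo("http://foo.com/files/simple_page.html");

  NavigateToURL(shell(), foo);

  // Precondition: an ordinary page must have no bindings enabled. This is an
  // ASSERT rather than an EXPECT so that a violated precondition fails the
  // test here; otherwise the kill this test waits for would presumably never
  // happen and terminated.Wait() below would block until the test times out.
  ASSERT_EQ(0,
      shell()->web_contents()->GetRenderViewHost()->GetEnabledBindings());

  // Create the observer before making the call so the process-closed
  // notification cannot be missed.
  // NOTE(review): AllSources() means a close notification from any renderer
  // process satisfies the wait, and the termination status is not inspected.
  // That is sufficient only while this test has a single renderer; confirm
  // before adding more windows or navigations to it.
  content::WindowedNotificationObserver terminated(
      content::NOTIFICATION_RENDERER_PROCESS_CLOSED,
      content::NotificationService::AllSources());
  shell()->web_contents()->GetRenderViewHost()->SetWebUIProperty(
      "toolkit", "views");

  // The test passes only if the renderer-closed notification arrives.
  terminated.Wait();
}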
     54 
     55 }