Home | History | Annotate | Download | only in browser 
      1 // Copyright (c) 2013 The Chromium Authors. All rights reserved.
      2 // Use of this source code is governed by a BSD-style license that can be
      3 // found in the LICENSE file.
      4 
      5 #include "base/command_line.h"
      6 #include "base/strings/stringprintf.h"
      7 #include "base/strings/utf_string_conversions.h"
      8 #include "chrome/browser/ui/browser.h"
      9 #include "chrome/browser/ui/browser_commands.h"
     10 #include "chrome/browser/ui/singleton_tabs.h"
     11 #include "chrome/browser/ui/tabs/tab_strip_model.h"
     12 #include "chrome/test/base/in_process_browser_test.h"
     13 #include "chrome/test/base/ui_test_utils.h"
     14 #include "content/public/browser/notification_observer.h"
     15 #include "content/public/browser/notification_service.h"
     16 #include "content/public/browser/notification_types.h"
     17 #include "content/public/browser/resource_request_details.h"
     18 #include "content/public/browser/web_contents_observer.h"
     19 #include "content/public/common/content_switches.h"
     20 #include "content/public/test/browser_test_utils.h"
     21 
     22 // The goal of these tests is to "simulate" exploited renderer processes, which
     23 // can send arbitrary IPC messages and confuse browser process internal state,
     24 // leading to security bugs. We are trying to verify that the browser doesn't
     25 // perform any dangerous operations in such cases.
     26 // This is similar to the security_exploit_browsertest.cc tests, but also
     27 // includes chrome/ layer concepts such as extensions.
     28 class ChromeSecurityExploitBrowserTest : public InProcessBrowserTest {
     29  public:
     30   ChromeSecurityExploitBrowserTest() {}
     31   virtual ~ChromeSecurityExploitBrowserTest() {}
     32 
     33   virtual void SetUpCommandLine(CommandLine* command_line) OVERRIDE {
     34     ASSERT_TRUE(test_server()->Start());
     35     net::SpawnedTestServer https_server(
     36         net::SpawnedTestServer::TYPE_HTTPS,
     37         net::SpawnedTestServer::kLocalhost,
     38         base::FilePath(FILE_PATH_LITERAL("chrome/test/data")));
     39     ASSERT_TRUE(https_server.Start());
     40 
     41     // Add a host resolver rule to map all outgoing requests to the test server.
     42     // This allows us to use "real" hostnames in URLs, which we can use to
     43     // create arbitrary SiteInstances.
     44     command_line->AppendSwitchASCII(
     45         switches::kHostResolverRules,
     46         "MAP * " + test_server()->host_port_pair().ToString() +
     47             ",EXCLUDE localhost");
     48 
     49     // Since we assume exploited renderer process, it can bypass the same origin
     50     // policy at will. Simulate that by passing the disable-web-security flag.
     51     command_line->AppendSwitch(switches::kDisableWebSecurity);
     52   }
     53 
     54  private:
     55   DISALLOW_COPY_AND_ASSIGN(ChromeSecurityExploitBrowserTest);
     56 };
     57 
     58 IN_PROC_BROWSER_TEST_F(ChromeSecurityExploitBrowserTest,
     59                        ChromeExtensionResources) {
     60   // Load a page that requests a chrome-extension:// image through XHR. We
     61   // expect this load to fail, as it is an illegal request.
     62   GURL foo("http://foo.com/files/chrome_extension_resource.html");
     63 
     64   content::DOMMessageQueue msg_queue;
     65 
     66   ui_test_utils::NavigateToURL(browser(), foo);
     67 
     68   std::string status;
     69   std::string expected_status("0");
     70   EXPECT_TRUE(msg_queue.WaitForMessage(&status));
     71   EXPECT_STREQ(status.c_str(), expected_status.c_str());
     72 }
     73