Test for Sec-Fetch-Site in same-origin XHR from content scripts.

This CL adds a test with incorrect/undesirable expectations that will be tweaked by a (big and therefore separate) follow-up CL for https://crbug.com/998247 (see https://crrev.com/c/1633232). Bug: 998247 Change-Id: I496af280e41173a3c02908a385c544180c1a1d97 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1773453 Commit-Queue: Łukasz Anforowicz <lukasza@chromium.org> Reviewed-by: Devlin <rdevlin.cronin@chromium.org> Cr-Commit-Position: refs/heads/master@{#692274}

Test for Sec-Fetch-Site in same-origin XHR from content scripts.
This CL adds a test with incorrect/undesirable expectations that will be tweaked by a (big and therefore separate) follow-up CL for https://crbug.com/998247 (see https://crrev.com/c/1633232). Bug: 998247 Change-Id: I496af280e41173a3c02908a385c544180c1a1d97 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1773453 Commit-Queue: Łukasz Anforowicz <lukasza@chromium.org> Reviewed-by: Devlin <rdevlin.cronin@chromium.org> Cr-Commit-Position: refs/heads/master@{#692274}
34d05142 · Lukasz Anforowicz · Commit Bot · a30ed2ec · 34d05142
Commit 34d05142 authored Aug 30, 2019 by Lukasz Anforowicz Committed by Commit Bot Aug 30, 2019
Hide whitespace changes
Inline Side-by-side

Showing with 52 additions and 0 deletions

chrome/browser/extensions/cross_origin_read_blocking_browsertest.cc ...wser/extensions/cross_origin_read_blocking_browsertest.cc +52 -0

No files found.
--- a/chrome/browser/extensions/cross_origin_read_blocking_browsertest.cc
+++ b/chrome/browser/extensions/cross_origin_read_blocking_browsertest.cc
@@ -34,7 +34,9 @@
 #include "extensions/browser/url_loader_factory_manager.h"
 #include "extensions/test/test_extension_dir.h"
 #include "net/dns/mock_host_resolver.h"
+#include "net/test/embedded_test_server/controllable_http_response.h"
 #include "net/test/embedded_test_server/embedded_test_server.h"
+#include "net/test/embedded_test_server/http_request.h"
 #include "services/network/cross_origin_read_blocking.h"
 #include "testing/gmock/include/gmock/gmock.h"
 #include "testing/gtest/include/gtest/gtest.h"
@@ -1207,6 +1209,56 @@ IN_PROC_BROWSER_TEST_P(CrossOriginReadBlockingExtensionAllowlistingTest,
              ::testing::Not(::testing::HasSubstr("Origin: chrome-extension")));
 }

+IN_PROC_BROWSER_TEST_P(CrossOriginReadBlockingExtensionAllowlistingTest,
+                       RequestHeaders_InSameOriginXhr_FromContentScript) {
+  // Sec-Fetch-Site only works on secure origins - setting up a https test
+  // server to help with this.
+  net::EmbeddedTestServer https_server(net::EmbeddedTestServer::TYPE_HTTPS);
+  https_server.AddDefaultHandlers(GetChromeTestDataDir());
+  https_server.SetSSLConfig(net::EmbeddedTestServer::CERT_OK);
+  net::test_server::ControllableHttpResponse subresource_request(
+      &https_server, "/subresource");
+  ASSERT_TRUE(https_server.Start());
+
+  // Load the test extension.
+  ASSERT_TRUE(InstallExtension());
+
+  // Navigate to https test page.
+  GURL page_url = https_server.GetURL("/title1.html");
+  ui_test_utils::NavigateToURL(browser(), page_url);
+  ASSERT_EQ(page_url,
+            active_web_contents()->GetMainFrame()->GetLastCommittedURL());
+  ASSERT_EQ(url::Origin::Create(page_url),
+            active_web_contents()->GetMainFrame()->GetLastCommittedOrigin());
+
+  // Inject a content script that performs a same-origin GET XHR.
+  GURL same_origin_resource(https_server.GetURL("/subresource"));
+  EXPECT_EQ(url::Origin::Create(page_url),
+            url::Origin::Create(same_origin_resource));
+  const char* kScriptTemplate = R"(
+      fetch($1, {method: 'GET', mode: 'no-cors'}) )";
+  ExecuteContentScript(
+      active_web_contents(),
+      content::JsReplace(kScriptTemplate, same_origin_resource));
+
+  // Verify the Referrer and Sec-Fetch-* header values.
+  subresource_request.WaitForRequest();
+  const char* expected_sec_fetch_site = "same-origin";
+  if (IsExtensionAllowlisted()) {
+    expected_sec_fetch_site = "cross-site";
+  } else {
+    // TODO(lukasza): https://crbug.com/998247: Once the default factory uses
+    // request_initiator=website, we should get the desired behavior below -
+    // 'same-origin'.
+    expected_sec_fetch_site = "cross-site";
+  }
+  EXPECT_THAT(subresource_request.http_request()->headers,
+              testing::IsSupersetOf(
+                  {testing::Pair("Referer", page_url.spec().c_str()),
+                   testing::Pair("Sec-Fetch-Mode", "no-cors"),
+                   testing::Pair("Sec-Fetch-Site", expected_sec_fetch_site)}));
+}
+
 INSTANTIATE_TEST_SUITE_P(Allowlisted,
                         CrossOriginReadBlockingExtensionAllowlistingTest,
                         ::testing::Values(AllowlistingParam::kAllowlisted));