Add a test for WebUI document trying to commit a web URL.

WebUI process should never be allowed to commit a web URL. This is guaranteed by site isolation, which places the web navigation in a separate process. The goal of this CL is to verify that even in the case of renderer bugs, browser-side code correctly terminates a WebUI renderer process attempting to send a DidCommitNavigation message for a web URL. Bug: 1002276 Change-Id: Ib3179e1ef41ccd867b62c8ee95d87ec44b99504f Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2051300 Commit-Queue: Nasko Oskov <nasko@chromium.org> Reviewed-by: Alex Moshchuk <alexmos@chromium.org> Reviewed-by: Charlie Reis <creis@chromium.org> Cr-Commit-Position: refs/heads/master@{#740873}

Add a test for WebUI document trying to commit a web URL.
WebUI process should never be allowed to commit a web URL. This is guaranteed by site isolation, which places the web navigation in a separate process. The goal of this CL is to verify that even in the case of renderer bugs, browser-side code correctly terminates a WebUI renderer process attempting to send a DidCommitNavigation message for a web URL. Bug: 1002276 Change-Id: Ib3179e1ef41ccd867b62c8ee95d87ec44b99504f Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2051300 Commit-Queue: Nasko Oskov <nasko@chromium.org> Reviewed-by: Alex Moshchuk <alexmos@chromium.org> Reviewed-by: Charlie Reis <creis@chromium.org> Cr-Commit-Position: refs/heads/master@{#740873}
a4acefac · Nasko Oskov · Commit Bot · 89c8ef8d · a4acefac
Commit a4acefac authored Feb 12, 2020 by Nasko Oskov Committed by Commit Bot Feb 12, 2020
Hide whitespace changes
Inline Side-by-side

Showing with 23 additions and 0 deletions

content/browser/security_exploit_browsertest.cc content/browser/security_exploit_browsertest.cc +23 -0

No files found.
--- a/content/browser/security_exploit_browsertest.cc
+++ b/content/browser/security_exploit_browsertest.cc
@@ -1364,6 +1364,29 @@ IN_PROC_BROWSER_TEST_F(SecurityExploitBrowserTest, DidCommitInvalidURL) {
  EXPECT_EQ(bad_message::RFH_CAN_COMMIT_URL_BLOCKED, kill_waiter.Wait());
 }

+// Test which verifies that a WebUI process cannot send a commit message with
+// URL for a web document.
+IN_PROC_BROWSER_TEST_F(SecurityExploitBrowserTest,
+                       WebUIProcessDidCommitWebURL) {
+  // Navigate to a WebUI document.
+  GURL webui_url(GetWebUIURL(kChromeUIGpuHost));
+  EXPECT_TRUE(NavigateToURL(shell(), webui_url));
+
+  // Create the interceptor object which will replace the URL of the subsequent
+  // navigation with |web_url|.
+  GURL web_url(embedded_test_server()->GetURL("foo.com", "/title3.html"));
+  DidCommitUrlReplacer url_replacer(shell()->web_contents(), web_url);
+
+  // Navigate to another URL within the WebUI, which would usually be committed
+  // successfully, but when the URL is modified it should result in the
+  // termination of the renderer process.
+  RenderProcessHostKillWaiter kill_waiter(
+      shell()->web_contents()->GetMainFrame()->GetProcess());
+  GURL second_webui_url(webui_url.Resolve("/foo"));
+  EXPECT_FALSE(NavigateToURL(shell(), second_webui_url));
+  EXPECT_EQ(bad_message::RFH_CAN_COMMIT_URL_BLOCKED, kill_waiter.Wait());
+}
+
 class BeginNavigationTransitionReplacer : public FrameHostInterceptor {
 public:
  BeginNavigationTransitionReplacer(WebContents* web_contents,