[Media Feeds] Discover on HTTPS only

Limit Media Feed discovery to HTTPS. BUG=1066252 Change-Id: I34130ca7c9d4c5643c4d9fc3315db06132c969a6 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2130669Reviewed-by: Tommy Steimel <steimel@chromium.org> Commit-Queue: Becca Hughes <beccahughes@chromium.org> Cr-Commit-Position: refs/heads/master@{#756851}

[Media Feeds] Discover on HTTPS only
Limit Media Feed discovery to HTTPS. BUG=1066252 Change-Id: I34130ca7c9d4c5643c4d9fc3315db06132c969a6 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2130669Reviewed-by: Tommy Steimel <steimel@chromium.org> Commit-Queue: Becca Hughes <beccahughes@chromium.org> Cr-Commit-Position: refs/heads/master@{#756851}
befe2fce · Becca Hughes · Commit Bot · 7db862c2 · befe2fce · befe2fce
Commit befe2fce authored Apr 06, 2020 by Becca Hughes Committed by Commit Bot Apr 06, 2020
4 changed files
--- a/chrome/browser/media/feeds/media_feeds_browsertest.cc
+++ b/chrome/browser/media/feeds/media_feeds_browsertest.cc
@@ -36,6 +36,7 @@ const char kMediaFeedsTestHTML[] =
 struct TestData {
  std::string head_html;
  bool discovered;
+  bool https = true;
 };

 }  // namespace
@@ -43,7 +44,8 @@ struct TestData {
 class MediaFeedsBrowserTest : public InProcessBrowserTest,
                              public ::testing::WithParamInterface<TestData> {
 public:
-  MediaFeedsBrowserTest() = default;
+  MediaFeedsBrowserTest()
+      : https_server_(net::EmbeddedTestServer::TYPE_HTTPS) {}
  ~MediaFeedsBrowserTest() override = default;

  void SetUp() override {
@@ -55,9 +57,15 @@ class MediaFeedsBrowserTest : public InProcessBrowserTest,
  void SetUpOnMainThread() override {
    host_resolver()->AddRule("*", "127.0.0.1");

-    embedded_test_server()->RegisterRequestHandler(base::BindRepeating(
+    // The HTTPS server serves the test page using HTTPS.
+    https_server_.SetSSLConfig(net::EmbeddedTestServer::CERT_OK);
+    https_server_.RegisterRequestHandler(base::BindRepeating(
        &MediaFeedsBrowserTest::HandleRequest, base::Unretained(this)));
+    ASSERT_TRUE(https_server_.Start());

+    // The embedded test server will serve the test page using HTTP.
+    embedded_test_server()->RegisterRequestHandler(base::BindRepeating(
+        &MediaFeedsBrowserTest::HandleRequest, base::Unretained(this)));
    ASSERT_TRUE(embedded_test_server()->Start());

    InProcessBrowserTest::SetUpOnMainThread();
@@ -87,6 +95,10 @@ class MediaFeedsBrowserTest : public InProcessBrowserTest,
        browser()->profile());
  }

+  net::EmbeddedTestServer* GetServer() {
+    return GetParam().https ? &https_server_ : embedded_test_server();
+  }
+
 private:
  std::unique_ptr<net::test_server::HttpResponse> HandleRequest(
      const net::test_server::HttpRequest& request) {
@@ -99,6 +111,8 @@ class MediaFeedsBrowserTest : public InProcessBrowserTest,
    return response;
  }

+  net::EmbeddedTestServer https_server_;
+
  base::test::ScopedFeatureList scoped_feature_list_;
 };

@@ -108,6 +122,8 @@ INSTANTIATE_TEST_SUITE_P(
    ::testing::Values(
        TestData{"<link rel=feed type=\"application/ld+json\" href=\"/test\"/>",
                 true},
+        TestData{"<link rel=feed type=\"application/ld+json\" href=\"/test\"/>",
+                 false, false},
        TestData{"", false},
        TestData{"<link rel=feed type=\"application/ld+json\" "
                 "href=\"/test\"/><link rel=feed "
@@ -130,7 +146,7 @@ IN_PROC_BROWSER_TEST_P(MediaFeedsBrowserTest, Discover) {
      static_cast<MediaFeedsContentsObserver*>(
          MediaFeedsContentsObserver::FromWebContents(GetWebContents()));

-  GURL test_url(embedded_test_server()->GetURL(kMediaFeedsTestURL));
+  GURL test_url(GetServer()->GetURL(kMediaFeedsTestURL));

  // The contents observer will call this closure when it has checked for a
  // media feed.
@@ -150,7 +166,7 @@ IN_PROC_BROWSER_TEST_P(MediaFeedsBrowserTest, Discover) {
  std::set<GURL> expected_urls;

  if (GetParam().discovered)
-    expected_urls.insert(embedded_test_server()->GetURL("/test"));
+    expected_urls.insert(GetServer()->GetURL("/test"));

  EXPECT_EQ(expected_urls, GetDiscoveredFeedURLs());
 }

--- a/chrome/browser/media/feeds/media_feeds_contents_observer.cc
+++ b/chrome/browser/media/feeds/media_feeds_contents_observer.cc
@@ -35,6 +35,13 @@ void MediaFeedsContentsObserver::DidFinishLoad(
  if (render_frame_host->GetParent() || !GetService())
    return;

+  // We should only discover Media Feeds on secure origins.
+  if (!validated_url.SchemeIsCryptographic()) {
+    if (test_closure_)
+      std::move(test_closure_).Run();
+    return;
+  }
+
  render_frame_host->GetRemoteAssociatedInterfaces()->GetInterface(
      &render_frame_);

@@ -61,6 +68,7 @@ void MediaFeedsContentsObserver::DidFindMediaFeed(
      return;
    }

+    CHECK(url->SchemeIsCryptographic());
    service->DiscoverMediaFeed(*url);
  }


--- a/chrome/browser/media/history/media_history_store.cc
+++ b/chrome/browser/media/history/media_history_store.cc
@@ -899,6 +899,8 @@ void MediaHistoryStore::GetURLsInTableForTest(
 }

 void MediaHistoryStore::DiscoverMediaFeed(const GURL& url) {
+  CHECK(url.SchemeIsCryptographic());
+
  db_->db_task_runner_->PostTask(
      FROM_HERE,
      base::BindOnce(&MediaHistoryStoreInternal::DiscoverMediaFeed, db_, url));

--- a/chrome/test/data/webui/media/media_feeds_webui_browsertest.js
+++ b/chrome/test/data/webui/media/media_feeds_webui_browsertest.js
@@ -6,7 +6,7 @@
 * @fileoverview Test suite for the Media Feeds WebUI.
 */

-const EXAMPLE_URL_1 = 'http://example.com/feed.json';
+const EXAMPLE_URL_1 = 'https://example.com/feed.json';

 GEN('#include "base/run_loop.h"');
 GEN('#include "chrome/browser/media/history/media_history_keyed_service.h"');