Fix OpenURLInterceptor for InvalidRemoteNavigationInitiator test

OpenURLInterceptor introduced by crrev.com/c/2259537 couldn't intercept OpenURL method because OpenURLInterceptor should intercept the message of RenderFrameProxyHost interface instead of FrameHost interface. This CL makes OpenURLInterceptor intercept OpenURL method via RenderFrameProxyHost interface. TEST: SecurityExploitBrowserTest.InvalidRemoteNavigationInitiator Bug: 1093920 Change-Id: I64b7039e07186f9728e0d69ee6c4ba5298d98600 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2387548Reviewed-by: Kentaro Hara <haraken@chromium.org> Reviewed-by: Kinuko Yasuda <kinuko@chromium.org> Commit-Queue: Gyuyoung Kim <gyuyoung@igalia.com> Cr-Commit-Position: refs/heads/master@{#803850}

Fix OpenURLInterceptor for InvalidRemoteNavigationInitiator test
OpenURLInterceptor introduced by crrev.com/c/2259537 couldn't intercept OpenURL method because OpenURLInterceptor should intercept the message of RenderFrameProxyHost interface instead of FrameHost interface. This CL makes OpenURLInterceptor intercept OpenURL method via RenderFrameProxyHost interface. TEST: SecurityExploitBrowserTest.InvalidRemoteNavigationInitiator Bug: 1093920 Change-Id: I64b7039e07186f9728e0d69ee6c4ba5298d98600 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2387548Reviewed-by: Kentaro Hara <haraken@chromium.org> Reviewed-by: Kinuko Yasuda <kinuko@chromium.org> Commit-Queue: Gyuyoung Kim <gyuyoung@igalia.com> Cr-Commit-Position: refs/heads/master@{#803850}
bfcb9fc4 · Gyuyoung Kim · Commit Bot · 1b96d2a6 · bfcb9fc4 · bfcb9fc4
Commit bfcb9fc4 authored Sep 02, 2020 by Gyuyoung Kim Committed by Commit Bot Sep 02, 2020
Showing with 31 additions and 9 deletions

content/browser/frame_host/render_frame_proxy_host.h content/browser/frame_host/render_frame_proxy_host.h +7 -0

content/browser/security_exploit_browsertest.cc content/browser/security_exploit_browsertest.cc +24 -9

No files found.
--- a/content/browser/frame_host/render_frame_proxy_host.h
+++ b/content/browser/frame_host/render_frame_proxy_host.h
@@ -206,6 +206,7 @@ class CONTENT_EXPORT RenderFrameProxyHost
 private:
  // The interceptor needs access to frame_host_receiver_for_testing().
  friend class RouteMessageEventInterceptor;
+  friend class OpenURLInterceptor;
  // IPC::Listener
  void OnAssociatedInterfaceRequest(
@@ -220,6 +221,12 @@ class CONTENT_EXPORT RenderFrameProxyHost
    return remote_frame_host_receiver_;
  }
+  // Needed for tests to be able to swap the implementation and intercept calls.
+  mojo::AssociatedReceiver<mojom::RenderFrameProxyHost>&
+  frame_proxy_host_receiver_for_testing() {
+    return frame_proxy_host_associated_receiver_;
+  }
  // This RenderFrameProxyHost's routing id.
  int routing_id_;

--- a/content/browser/security_exploit_browsertest.cc
+++ b/content/browser/security_exploit_browsertest.cc
@@ -26,9 +26,9 @@
 #include "content/browser/renderer_host/render_view_host_impl.h"
 #include "content/browser/web_contents/file_chooser_impl.h"
 #include "content/browser/web_contents/web_contents_impl.h"
-#include "content/common/frame.mojom-test-utils.h"
 #include "content/common/frame.mojom.h"
 #include "content/common/frame_messages.h"
+#include "content/common/frame_proxy.mojom-test-utils.h"
 #include "content/common/render_message_filter.mojom.h"
 #include "content/common/view_messages.h"
 #include "content/public/browser/blob_handle.h"
@@ -990,16 +990,21 @@ IN_PROC_BROWSER_TEST_F(SecurityExploitBrowserTest, PostMessageSourceOrigin) {
 // Intercepts calls to RenderFramHost's OpenURL mojo method, and
 // store the passed parameter.
-class OpenURLInterceptor : public mojom::FrameHostInterceptorForTesting {
+class OpenURLInterceptor
+    : public mojom::RenderFrameProxyHostInterceptorForTesting {
 public:
-  explicit OpenURLInterceptor(RenderFrameHostImpl* render_frame_host)
+  explicit OpenURLInterceptor(
-      : render_frame_host_(render_frame_host),
+      content::RenderFrameProxyHost* render_frame_proxy_host)
-        intercepted_params_(mojom::OpenURLParams::New()) {}
+      : render_frame_proxy_host_(render_frame_proxy_host),
+        intercepted_params_(mojom::OpenURLParams::New()) {
+    render_frame_proxy_host_->frame_proxy_host_receiver_for_testing()
+        .SwapImplForTesting(this);
+  }
  ~OpenURLInterceptor() override = default;
-  mojom::FrameHost* GetForwardingInterface() override {
+  mojom::RenderFrameProxyHost* GetForwardingInterface() override {
-    return render_frame_host_;
+    return render_frame_proxy_host_;
  }
  void OpenURL(mojom::OpenURLParamsPtr params) override {
@@ -1011,7 +1016,7 @@ class OpenURLInterceptor : public mojom::FrameHostInterceptorForTesting {
  }
 private:
-  RenderFrameHostImpl* render_frame_host_;
+  content::RenderFrameProxyHost* render_frame_proxy_host_;
  mojom::OpenURLParamsPtr intercepted_params_;
  DISALLOW_COPY_AND_ASSIGN(OpenURLInterceptor);
@@ -1037,7 +1042,17 @@ IN_PROC_BROWSER_TEST_F(SecurityExploitBrowserTest,
  // Prepare to intercept OpenURL Mojo message that will come from
  // the main frame.
-  OpenURLInterceptor interceptor(static_cast<RenderFrameHostImpl*>(main_frame));
+  FrameTreeNode* main_frame_node =
+      static_cast<WebContentsImpl*>(shell()->web_contents())
+          ->GetFrameTree()
+          ->root();
+  FrameTreeNode* child_node = main_frame_node->child_at(0);
+  SiteInstance* a_com_instance =
+      main_frame_node->current_frame_host()->GetSiteInstance();
+  RenderFrameProxyHost* proxy =
+      child_node->render_manager()->GetRenderFrameProxyHost(a_com_instance);
+  OpenURLInterceptor interceptor(proxy);
  // Have the main frame request navigation in the "remote" subframe.  This will
  // result in OpenURL Mojo message being sent to the RenderFrameProxyHost.