Anti-URL-spoofing test for invalid URL committed with an opaque origin.

This CL verifies that the browser process will reject attempts that a
comprimised foo.com renderer can make in an attempt to show a bar.com
URL in the Omnibox.

Before this CL, there was already a
SecurityExploitBrowserTest.DidCommitInvalidURL test: committing A)
bar.com URL with B) origin set to foo.com, C) in a process locked to
foo.com.

This CL adds DidCommitInvalidURLWithOpaqueOrigin test which tests
committing A) bar.com URL, B) with opaque origin derived from foo.com,
C) in a process locked to foo.com.

Fixed: 918565
Change-Id: I332349e889b83d1cd298050adbf9dca2f55125ba
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2368288
Auto-Submit: Łukasz Anforowicz <lukasza@chromium.org>
Reviewed-by: Nasko Oskov <nasko@chromium.org>
Commit-Queue: Łukasz Anforowicz <lukasza@chromium.org>
Cr-Commit-Position: refs/heads/master@{#800786}

content/browser/security_exploit_browsertest.cc

@@ -1219,6 +1219,51 @@ IN_PROC_BROWSER_TEST_F(SecurityExploitBrowserTest, DidCommitInvalidURL) {
   EXPECT_EQ(bad_message::RFH_CAN_COMMIT_URL_BLOCKED, kill_waiter.Wait());
 }
 
+// Test which verifies that when an exploited renderer process sends a commit
+// message with URL that the process is not allowed to commit.
+IN_PROC_BROWSER_TEST_F(SecurityExploitBrowserTest,
+                       DidCommitInvalidURLWithOpaqueOrigin) {
+  // Explicitly isolating foo.com helps ensure that this test is applicable on
+  // platforms without site-per-process.
+  IsolateOrigin("foo.com");
+
+  RenderFrameDeletedObserver initial_frame_deleted_observer(
+      shell()->web_contents()->GetMainFrame());
+
+  // Test assumes the initial RenderFrameHost to be deleted. Disable
+  // back-forward cache to ensure that it doesn't get preserved in the cache.
+  DisableBackForwardCacheForTesting(shell()->web_contents(),
+                                    BackForwardCache::TEST_ASSUMES_NO_CACHING);
+
+  // Navigate to foo.com initially.
+  GURL foo_url(embedded_test_server()->GetURL("foo.com",
+                                              "/page_with_blank_iframe.html"));
+  EXPECT_TRUE(NavigateToURL(shell(), foo_url));
+
+  // Wait for the RenderFrameHost which was current before the navigation to
+  // foo.com to be deleted. This is necessary, since on a slow system the
+  // UnloadACK event can arrive after the DidCommitUrlReplacer instance below
+  // is created. The replacer code has checks to ensure that all frames being
+  // deleted it has seen being created, which with delayed UnloadACK is
+  // violated.
+  initial_frame_deleted_observer.WaitUntilDeleted();
+
+  // Create the interceptor object which will replace the URL of the subsequent
+  // navigation with bar.com based URL.
+  GURL bar_url(embedded_test_server()->GetURL("bar.com", "/title3.html"));
+  DidCommitUrlReplacer url_replacer(shell()->web_contents(), bar_url);
+
+  // Navigate the subframe to a data URL, which would usually be committed
+  // successfully in the same process as foo.com, but when the URL is modified
+  // it should result in the termination of the renderer process.
+  RenderProcessHostBadIpcMessageWaiter kill_waiter(
+      shell()->web_contents()->GetMainFrame()->GetProcess());
+  GURL data_url(R"(data:text/html,%3Ch1%3EHello%2C%20World!%3C%2Fh1%3E)");
+  EXPECT_TRUE(
+      NavigateIframeToURL(shell()->web_contents(), "test_iframe", data_url));
+  EXPECT_EQ(bad_message::RFH_CAN_COMMIT_URL_BLOCKED, kill_waiter.Wait());
+}
+
 // Test which verifies that a WebUI process cannot send a commit message with
 // URL for a web document.
 IN_PROC_BROWSER_TEST_F(SecurityExploitBrowserTest,