OOR-CORS: tests and documents for webRequest response header injections

This patch adds test cases that an Extension injects response headers to deceive CORS checks. If OOR-CORS is enabled, such injections need 'extraHeaders' option to work in expected ways. Bug: 1000554 Change-Id: Ieef9223b1abd798bea215cfec1fb706aabd0a610 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1792207Reviewed-by: Karan Bhatia <karandeepb@chromium.org> Commit-Queue: Takashi Toyoshima <toyoshim@chromium.org> Cr-Commit-Position: refs/heads/master@{#695522}

OOR-CORS: tests and documents for webRequest response header injections
This patch adds test cases that an Extension injects response headers to deceive CORS checks. If OOR-CORS is enabled, such injections need 'extraHeaders' option to work in expected ways. Bug: 1000554 Change-Id: Ieef9223b1abd798bea215cfec1fb706aabd0a610 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1792207Reviewed-by: Karan Bhatia <karandeepb@chromium.org> Commit-Queue: Takashi Toyoshima <toyoshim@chromium.org> Cr-Commit-Position: refs/heads/master@{#695522}
e702ebbb · Takashi Toyoshima · Commit Bot · f8648bfe · e702ebbb · e702ebbb
Commit e702ebbb authored Sep 11, 2019 by Takashi Toyoshima Committed by Commit Bot Sep 11, 2019
5 changed files
--- a/chrome/common/extensions/docs/templates/intros/webRequest.html
+++ b/chrome/common/extensions/docs/templates/intros/webRequest.html
@@ -119,12 +119,15 @@ complete nor stable.
 </p>

 <p>
-<span class="availability">Starting from Chrome 79</span>, header modifications
-affect Cross-Origin Resource Sharing (CORS) checks. If modified headers for
-cross-origin requests do not meet the criteria, it will result in sending a CORS
-preflight to ask the server if such headers can be accepted. If you really need
-to modify headers in a way to violate the CORS protocol, you need to specify
-<code>'extraHeaders'</code> in <code>opt_extraInfoSpec</code>.
+<span class="availability">Starting from Chrome 79</span>, request header
+modifications affect Cross-Origin Resource Sharing (CORS) checks. If modified
+headers for cross-origin requests do not meet the criteria, it will result in
+sending a CORS preflight to ask the server if such headers can be accepted.
+If you really need to modify headers in a way to violate the CORS protocol, you
+need to specify <code>'extraHeaders'</code> in <code>opt_extraInfoSpec</code>.
+On the other hand, response header modifications do not work to deceive CORS
+checks. If you need to deceive the CORS protocol, you also need to specify
+<code>'extraHeaders'</code> for the response modifications.
 </p>

 <p>

--- a/chrome/test/data/extensions/api_test/webrequest/cors/fetch.html
+++ b/chrome/test/data/extensions/api_test/webrequest/cors/fetch.html
@@ -6,8 +6,8 @@
 <script>
 const hostname = 'cors.example.com';
 const origin = location.protocol + '//' + hostname + ':' + location.port;
-const path = '/extensions/api_test/webrequest/cors/accept';
-const url = origin + path;
+const path = location.search.substr('?path='.length);
+const url = origin + '/extensions/api_test/webrequest/cors/' + path;

 fetch(url);
 </script>
--- a/chrome/test/data/extensions/api_test/webrequest/cors/reject
+++ b/chrome/test/data/extensions/api_test/webrequest/cors/reject
+ERR
--- a/chrome/test/data/extensions/api_test/webrequest/cors/reject.mock-http-headers
+++ b/chrome/test/data/extensions/api_test/webrequest/cors/reject.mock-http-headers
+HTTP/1.1 200 OK
+Content-Type: text/plain
--- a/chrome/test/data/extensions/api_test/webrequest/test_cors.js
+++ b/chrome/test/data/extensions/api_test/webrequest/test_cors.js
@@ -35,13 +35,13 @@ function registerOriginListeners(
      onCompletedListener, {urls: [listeningUrlPattern]});
 }

-function registerHeaderInjectionListeners(extraInfoSpec) {
+function registerRequestHeaderInjectionListeners(extraInfoSpec) {
  const beforeSendHeadersListener = callbackPass(details => {
    details.requestHeaders.push({name: 'x-foo', value: 'trigger-preflight'});
-    return { requestHeaders: details.requestHeaders };
+    return {requestHeaders: details.requestHeaders};
  });
  chrome.webRequest.onBeforeSendHeaders.addListener(
-    beforeSendHeadersListener, {urls: [listeningUrlPattern]}, extraInfoSpec);
+      beforeSendHeadersListener, {urls: [listeningUrlPattern]}, extraInfoSpec);

  // If the 'x-foo' header is injected by |beforeSendHeadersListener| without
  // 'extraHeaders' and with OOR-CORS being enabled, it triggers CORS
@@ -66,6 +66,32 @@ function registerHeaderInjectionListeners(extraInfoSpec) {
  event.addListener(
      onCompletedOrErrorOccurredListener, {urls: [listeningUrlPattern]});
 }
+function registerResponseHeaderInjectionListeners(extraInfoSpec) {
+  const headersReceivedListener = details => {
+    details.responseHeaders.push(
+        {name: 'Access-Control-Allow-Origin', value: '*'});
+    return { responseHeaders: details.responseHeaders };
+  };
+  chrome.webRequest.onHeadersReceived.addListener(
+      headersReceivedListener, {urls: [listeningUrlPattern]}, extraInfoSpec);
+
+  // If the 'extraHeaders' is not specified and OOR-CORS is enabled, Chrome
+  // detects CORS failures before |headerReceivedListener| is called and injects
+  // fake headers to deceive the CORS checks.
+  const canInjectFakeCorsResponse =
+      extraInfoSpec.includes('extraHeaders') || getCorsMode() == 'blink';
+
+  const event = canInjectFakeCorsResponse ? chrome.webRequest.onCompleted :
+                                            chrome.webRequest.onErrorOccurred;
+
+  // Wait for the CORS request from the fetch.html to complete.
+  const onCompletedOrErrorOccurredListener = callbackPass(details => {
+    chrome.webRequest.onHeadersReceived.removeListener(headersReceivedListener);
+    event.removeListener(onCompletedOrErrorOccurredListener);
+  });
+  event.addListener(
+      onCompletedOrErrorOccurredListener, {urls: [listeningUrlPattern]});
+}

 runTests([
  function testOriginHeader() {
@@ -80,22 +106,38 @@ runTests([
    registerOriginListeners(['origin'], [], ['requestHeaders', 'extraHeaders']);

    // Wait for the navigation to complete.
-    navigateAndWait(
-        getServerURL('extensions/api_test/webrequest/cors/fetch.html'));
+    navigateAndWait(getServerURL(
+        'extensions/api_test/webrequest/cors/fetch.html?path=accept'));
  },
  function testCorsSensitiveHeaderInjectionWithoutExtraHeaders() {
-    registerHeaderInjectionListeners(['blocking', 'requestHeaders']);
+    registerRequestHeaderInjectionListeners(['blocking', 'requestHeaders']);

    // Wait for the navigation to complete.
-    navigateAndWait(
-        getServerURL('extensions/api_test/webrequest/cors/fetch.html'));
+    navigateAndWait(getServerURL(
+        'extensions/api_test/webrequest/cors/fetch.html?path=accept'));
  },
  function testCorsSensitiveHeaderInjectionWithExtraHeaders() {
-    registerHeaderInjectionListeners(
+    registerRequestHeaderInjectionListeners(
        ['blocking', 'requestHeaders', 'extraHeaders']);

    // Wait for the navigation to complete.
-    navigateAndWait(
-        getServerURL('extensions/api_test/webrequest/cors/fetch.html'));
+    navigateAndWait(getServerURL(
+        'extensions/api_test/webrequest/cors/fetch.html?path=accept'));
+  },
+  function testCorsResponseHeaderInjectionWithoutExtraHeaders() {
+    registerResponseHeaderInjectionListeners(
+        ['blocking', 'responseHeaders']);
+
+    // Wait for the navigation to complete.
+    navigateAndWait(getServerURL(
+        'extensions/api_test/webrequest/cors/fetch.html?path=reject'));
+  },
+  function testCorsResponseHeaderInjectionWithExtraHeaders() {
+    registerResponseHeaderInjectionListeners(
+        ['blocking', 'responseHeaders', 'extraHeaders']);
+
+    // Wait for the navigation to complete.
+    navigateAndWait(getServerURL(
+        'extensions/api_test/webrequest/cors/fetch.html?path=reject'));
  },
 ]);