Extensions: Add test coverage for an extensions ability to embed file iframes.

This CL adds test coverage regarding an extension frame's ability to embed a
file frame. This ensures than an extension can only embed a file frame if it has
explicit file access and host permissions to the file scheme.

BUG=816685

Cq-Include-Trybots: master.tryserver.chromium.linux:linux_mojo
Change-Id: I8d167d9a8629ffece29d44bee4bd6db2ef988b02
Reviewed-on: https://chromium-review.googlesource.com/1003762
Commit-Queue: Karan Bhatia <karandeepb@chromium.org>
Reviewed-by: Devlin <rdevlin.cronin@chromium.org>
Cr-Commit-Position: refs/heads/master@{#551267}

chrome/browser/extensions/active_tab_apitest.cc

@@ -14,6 +14,7 @@
 #include "chrome/browser/ui/browser.h"
 #include "chrome/browser/ui/tabs/tab_strip_model.h"
 #include "chrome/test/base/ui_test_utils.h"
+#include "content/public/test/browser_test_utils.h"
 #include "content/public/test/test_utils.h"
 #include "extensions/browser/extension_registry.h"
 #include "extensions/browser/test_extension_registry_observer.h"
@@ -152,6 +153,36 @@ IN_PROC_BROWSER_TEST_F(ExtensionApiTest, FileURLs) {
     return result == "true";
   };
 
+  auto can_load_file_iframe = [this, &extension_id]() {
+    const Extension* extension =
+        extension_service()->GetExtensionById(extension_id, false);
+
+    // Load an extension page with a file iframe.
+    GURL page = extension->GetResourceURL("file_iframe.html");
+    ExtensionTestMessageListener listener(false /*will_reply*/);
+    ui_test_utils::NavigateToURLWithDisposition(
+        browser(), page, WindowOpenDisposition::NEW_FOREGROUND_TAB,
+        ui_test_utils::BROWSER_TEST_WAIT_FOR_NAVIGATION);
+    EXPECT_TRUE(listener.WaitUntilSatisfied());
+
+    EXPECT_TRUE(listener.message() == "allowed" ||
+                listener.message() == "denied")
+        << "Unexpected message " << listener.message();
+    bool allowed = listener.message() == "allowed";
+
+    // Sanity check the last committed url on the |file_iframe|.
+    content::RenderFrameHost* file_iframe = content::FrameMatchingPredicate(
+        browser()->tab_strip_model()->GetActiveWebContents(),
+        base::Bind(&content::FrameMatchesName, "file_iframe"));
+    bool is_file_url = file_iframe->GetLastCommittedURL() == GURL("file:///");
+    EXPECT_EQ(allowed, is_file_url)
+        << "Unexpected committed url: "
+        << file_iframe->GetLastCommittedURL().spec();
+
+    browser()->tab_strip_model()->CloseSelectedTabs();
+    return allowed;
+  };
+
   auto can_script_tab = [this, &extension_id](int tab_id) {
     constexpr char script[] = R"(
       var tabID = %d;
@@ -212,14 +243,15 @@ IN_PROC_BROWSER_TEST_F(ExtensionApiTest, FileURLs) {
   // By default the extension should have file access enabled. However, since it
   // does not have host permissions to the localhost on the file scheme, it
   // should not be able to xhr file urls. For the same reason, it should not be
-  // able to execute script in the two tabs.
+  // able to execute script in the two tabs or embed file iframes.
   EXPECT_TRUE(util::AllowFileAccess(extension_id, profile()));
   EXPECT_FALSE(can_xhr_file_urls());
   EXPECT_FALSE(can_script_tab(active_tab_id));
   EXPECT_FALSE(can_script_tab(inactive_tab_id));
+  EXPECT_FALSE(can_load_file_iframe());
 
   // First don't grant the tab permission. Verify that the extension can't xhr
-  // file urls and can't script the two tabs.
+  // file urls, can't script the two tabs and can't embed file iframes.
   content::WebContents* web_contents =
       browser()->tab_strip_model()->GetActiveWebContents();
   ExtensionActionRunner::GetForWebContents(web_contents)
@@ -227,14 +259,16 @@ IN_PROC_BROWSER_TEST_F(ExtensionApiTest, FileURLs) {
   EXPECT_FALSE(can_xhr_file_urls());
   EXPECT_FALSE(can_script_tab(active_tab_id));
   EXPECT_FALSE(can_script_tab(inactive_tab_id));
+  EXPECT_FALSE(can_load_file_iframe());
 
-  // Now grant the tab permission. Ensure the extension can now xhr file urls
-  // and script the active tab. It should still not be able to script the
-  // background tab.
+  // Now grant the tab permission. Ensure the extension can now xhr file urls ,
+  // script the active tab and embed file iframes. It should still not be able
+  // to script the background tab.
   ExtensionActionRunner::GetForWebContents(web_contents)
       ->RunAction(extension, true /*grant_tab_permissions*/);
   EXPECT_TRUE(can_xhr_file_urls());
   EXPECT_TRUE(can_script_tab(active_tab_id));
+  EXPECT_TRUE(can_load_file_iframe());
   EXPECT_FALSE(can_script_tab(inactive_tab_id));
 
   // Revoke extension's access to file urls. This will cause the extension to
@@ -251,13 +285,14 @@ IN_PROC_BROWSER_TEST_F(ExtensionApiTest, FileURLs) {
   EXPECT_TRUE(background_page_ready.WaitUntilSatisfied());
 
   // Grant the tab permission for the active url to the extension. Ensure it
-  // still can't xhr file urls and script the active tab (since it does not
-  // have file access).
+  // still can't xhr file urls, script the active tab or embed file iframes
+  // (since it does not have file access).
   ExtensionActionRunner::GetForWebContents(web_contents)
       ->RunAction(extension, true /*grant_tab_permissions*/);
   EXPECT_FALSE(can_xhr_file_urls());
   EXPECT_FALSE(can_script_tab(active_tab_id));
   EXPECT_FALSE(can_script_tab(inactive_tab_id));
+  EXPECT_FALSE(can_load_file_iframe());
 }
 
 }  // namespace

chrome/browser/extensions/file_iframe_apitest.cc

+// Copyright 2018 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "base/files/file_util.h"
+#include "base/macros.h"
+#include "base/threading/thread_restrictions.h"
+#include "chrome/browser/extensions/extension_browsertest.h"
+#include "content/public/test/browser_test_utils.h"
+#include "extensions/browser/extension_host.h"
+#include "extensions/browser/process_manager.h"
+#include "extensions/test/extension_test_message_listener.h"
+#include "extensions/test/test_extension_dir.h"
+#include "net/base/filename_util.h"
+
+class FileIFrameAPITest : public ExtensionBrowserTest {
+ public:
+  FileIFrameAPITest() {}
+  void set_has_all_urls(bool val) { has_all_urls_ = val; }
+  void set_has_file_access(bool val) { has_file_access_ = val; }
+
+  // Loads the extension and determines if the background page was able to load
+  // a file iframe.
+  void RunTest(bool expect_will_load_file_iframe) {
+    WriteManifest();
+    WriteBackgroundPage();
+
+    ExtensionTestMessageListener listener(false /*will_reply*/);
+    int flags = has_file_access_ ? kFlagEnableFileAccess : kFlagNone;
+    ASSERT_TRUE(LoadExtensionWithFlags(extension_dir_.UnpackedPath(), flags));
+    EXPECT_TRUE(listener.WaitUntilSatisfied());
+
+    EXPECT_TRUE(listener.message() == "allowed" ||
+                listener.message() == "denied")
+        << "Unexpected message " << listener.message();
+    bool allowed = listener.message() == "allowed";
+    EXPECT_EQ(expect_will_load_file_iframe, allowed);
+
+    // Sanity check the last committed url on the |file_iframe|.
+    extensions::ExtensionHost* background_host =
+        extensions::ProcessManager::Get(profile())
+            ->GetBackgroundHostForExtension(last_loaded_extension_id());
+    ASSERT_TRUE(background_host);
+    content::RenderFrameHost* file_iframe = content::FrameMatchingPredicate(
+        background_host->host_contents(),
+        base::Bind(&content::FrameMatchesName, "file_iframe"));
+    bool is_file_url = file_iframe->GetLastCommittedURL() == GURL("file:///");
+    EXPECT_EQ(expect_will_load_file_iframe, is_file_url)
+        << "Unexpected committed url: "
+        << file_iframe->GetLastCommittedURL().spec();
+  }
+
+ private:
+  void WriteManifest() {
+    constexpr char manifest[] = R"(
+      {
+         "name": "Test extension",
+         "version": "1",
+         "manifest_version": 2,
+         "permissions" : [%s],
+         "background" : {
+            "page" : "background.html"
+         }
+      }
+    )";
+    extension_dir_.WriteManifest(
+        base::StringPrintf(manifest, has_all_urls_ ? "\"<all_urls>\"" : ""));
+  }
+
+  void WriteBackgroundPage() {
+    base::ScopedAllowBlockingForTesting allow_blocking;
+    CHECK(base::CopyDirectory(test_data_dir_.AppendASCII("file_iframe"),
+                              extension_dir_.UnpackedPath(),
+                              false /*recursive*/));
+  }
+
+  bool has_all_urls_ = false;
+  bool has_file_access_ = false;
+  extensions::TestExtensionDir extension_dir_;
+
+  DISALLOW_COPY_AND_ASSIGN(FileIFrameAPITest);
+};
+
+// Tests that an extension frame can embed a file iframe if it has file access
+// and "<all_urls>" host permissions.
+IN_PROC_BROWSER_TEST_F(FileIFrameAPITest, FileAccessAllURLs) {
+  set_has_all_urls(true);
+  set_has_file_access(true);
+  RunTest(true);
+}
+
+// Tests that an extension frame can't embed a file iframe if it has no file
+// access even with the "<all_urls>" host permissions.
+IN_PROC_BROWSER_TEST_F(FileIFrameAPITest, NoFileAccessAllURLs) {
+  set_has_all_urls(true);
+  set_has_file_access(false);
+  RunTest(false);
+}
+
+// Tests that an extension frame can't embed a file iframe if it does not have
+// host permissions to the file scheme even though it has file access.
+IN_PROC_BROWSER_TEST_F(FileIFrameAPITest, FileAccessNoHosts) {
+  set_has_all_urls(false);
+  set_has_file_access(true);
+  RunTest(false);
+}

chrome/test/BUILD.gn

@@ -1298,6 +1298,7 @@ test("browser_tests") {
         "../browser/extensions/extension_with_management_policy_apitest.h",
         "../browser/extensions/external_install_error_browsertest.cc",
         "../browser/extensions/fetch_apitest.cc",
+        "../browser/extensions/file_iframe_apitest.cc",
         "../browser/extensions/gpu_browsertest.cc",
         "../browser/extensions/isolated_app_browsertest.cc",
         "../browser/extensions/lazy_background_page_apitest.cc",

chrome/test/data/extensions/api_test/active_tab_file_urls/file_iframe.html

+<!DOCTYPE html>
+<html>
+<head>
+  <title></title>
+  <script type="text/javascript" src="window_onload.js"></script>
+</head>
+<body>
+  <iframe src="file:///" name="file_iframe" id="file_iframe"></iframe>
+</body>
+</html>

chrome/test/data/extensions/api_test/active_tab_file_urls/window_onload.js

+window.onload = function() {
+  var iframe = document.getElementById('file_iframe');
+  try {
+    var url = iframe.contentWindow.location.href
+    if (url === 'about:blank')
+      chrome.test.sendMessage('denied');
+  } catch (e) {
+    var expectedError =
+        `Blocked a frame with origin "${window.location.origin}" from ` +
+        `accessing a cross-origin frame.`;
+    if (e.message === expectedError)
+      chrome.test.sendMessage('allowed');
+  }
+};

chrome/test/data/extensions/file_iframe/background.html

+<!DOCTYPE html>
+<html>
+<head>
+  <title></title>
+  <script type="text/javascript" src="window_onload.js"></script>
+</head>
+<body>
+  <iframe src="file:///" name="file_iframe" id="file_iframe"></iframe>
+</body>
+</html>

chrome/test/data/extensions/file_iframe/window_onload.js

+window.onload = function() {
+  var iframe = document.getElementById('file_iframe');
+  try {
+    var url = iframe.contentWindow.location.href
+    if (url === 'about:blank')
+      chrome.test.sendMessage('denied');
+  } catch (e) {
+    var expectedError =
+        `Blocked a frame with origin "${window.location.origin}" from ` +
+        `accessing a cross-origin frame.`;
+    if (e.message === expectedError)
+      chrome.test.sendMessage('allowed');
+  }
+};