[CORS-RFC1918] Add tests checking `file:` targets.

These tests prove that no additional handling is required to block insecure private network requests targeting `file:` URLs. Indeed these requests are already blocked for a different reason: pages loaded over http and https are forbidden from accessing `file:` URLs. Bug: chromium:1142505 Change-Id: I606672978c286d450cdee796aa821c07c7911c7b Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2498526Reviewed-by: Arthur Sonzogni <arthursonzogni@chromium.org> Reviewed-by: Arthur Hemery <ahemery@chromium.org> Commit-Queue: Titouan Rigoudy <titouan@chromium.org> Cr-Commit-Position: refs/heads/master@{#821655}

[CORS-RFC1918] Add tests checking `file:` targets.
These tests prove that no additional handling is required to block insecure private network requests targeting `file:` URLs. Indeed these requests are already blocked for a different reason: pages loaded over http and https are forbidden from accessing `file:` URLs. Bug: chromium:1142505 Change-Id: I606672978c286d450cdee796aa821c07c7911c7b Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2498526Reviewed-by: Arthur Sonzogni <arthursonzogni@chromium.org> Reviewed-by: Arthur Hemery <ahemery@chromium.org> Commit-Queue: Titouan Rigoudy <titouan@chromium.org> Cr-Commit-Position: refs/heads/master@{#821655}
f3eacb83 · Titouan Rigoudy · Commit Bot · 78ca012b · f3eacb83
Commit f3eacb83 authored Oct 28, 2020 by Titouan Rigoudy Committed by Commit Bot Oct 28, 2020
Hide whitespace changes
Inline Side-by-side

Showing with 32 additions and 0 deletions

content/browser/renderer_host/render_frame_host_impl_browsertest.cc ...owser/renderer_host/render_frame_host_impl_browsertest.cc +32 -0

No files found.
--- a/content/browser/renderer_host/render_frame_host_impl_browsertest.cc
+++ b/content/browser/renderer_host/render_frame_host_impl_browsertest.cc
@@ -4276,6 +4276,38 @@ IN_PROC_BROWSER_TEST_F(
  EXPECT_EQ("public", EvalJs(root_frame_host(), "document.addressSpace"));
 }

+// This test verifies that even with the blocking feature disabled, an insecure
+// page in the `local` address space cannot fetch a `file:` URL.
+//
+// This is relevant to CORS-RFC1918, since `file:` URLs are considered `local`.
+IN_PROC_BROWSER_TEST_F(RenderFrameHostImplBrowserTest,
+                       InsecurePageCannotRequestFile) {
+  EXPECT_TRUE(
+      NavigateToURL(shell(), InsecureDefaultURL(*embedded_test_server())));
+
+  // Check that the page cannot load a `file:` URL.
+  EXPECT_EQ(
+      false,
+      EvalJs(root_frame_host(),
+             FetchSubresourceScript(GetTestUrl("", "empty.html").spec())));
+}
+
+// This test verifies that even with the blocking feature disabled, a secure
+// page in the `local` address space cannot fetch a `file:` URL.
+//
+// This is relevant to CORS-RFC1918, since `file:` URLs are considered `local`.
+IN_PROC_BROWSER_TEST_F(RenderFrameHostImplBrowserTest,
+                       SecurePageCannotRequestFile) {
+  EXPECT_TRUE(
+      NavigateToURL(shell(), SecureDefaultURL(*embedded_test_server())));
+
+  // Check that the page cannot load a `file:` URL.
+  EXPECT_EQ(
+      false,
+      EvalJs(root_frame_host(),
+             FetchSubresourceScript(GetTestUrl("", "empty.html").spec())));
+}
+
 // This test mimics the tests below, with the blocking feature disabled. It
 // verifies that by default requests:
 //  - from an insecure page with the "treat-as-public-address" CSP directive