content/child/site_isolation_stats_gatherer_browsertest.cc

   1 // Copyright 2015 The Chromium Authors. All rights reserved.
   2 // Use of this source code is governed by a BSD-style license that can be
   3 // found in the LICENSE file.
   4
   5 #include "base/command_line.h"
   6 #include "base/strings/string_util.h"
   7 #include "base/strings/stringprintf.h"
   8 #include "base/test/histogram_tester.h"
   9 #include "content/public/common/content_switches.h"
  10 #include "content/public/common/resource_type.h"
  11 #include "content/public/test/browser_test_utils.h"
  12 #include "content/public/test/content_browser_test.h"
  13 #include "content/public/test/content_browser_test_utils.h"
  14 #include "content/shell/browser/shell.h"
  15 #include "net/test/spawned_test_server/spawned_test_server.h"
  16
  17 namespace content {
  18
  19 // These tests simulate exploited renderer processes, which can fetch arbitrary
  20 // resources from other websites, not constrained by the Same Origin Policy.  We
  21 // are trying to verify that the renderer cannot fetch any cross-site document
  22 // responses even when the Same Origin Policy is turned off inside the renderer.
  23 class SiteIsolationStatsGathererBrowserTest : public ContentBrowserTest {
  24  public:
  25   SiteIsolationStatsGathererBrowserTest() {}
  26   ~SiteIsolationStatsGathererBrowserTest() override {}
  27
  28   void SetUpCommandLine(base::CommandLine* command_line) override {
  29     ASSERT_TRUE(test_server()->Start());
  30     // Add a host resolver rule to map all outgoing requests to the test server.
  31     // This allows us to use "real" hostnames in URLs, which we can use to
  32     // create arbitrary SiteInstances.
  33     command_line->AppendSwitchASCII(
  34         switches::kHostResolverRules,
  35         "MAP * " + test_server()->host_port_pair().ToString() +
  36             ",EXCLUDE localhost");
  37
  38     // Since we assume exploited renderer process, it can bypass the same origin
  39     // policy at will. Simulate that by passing the disable-web-security flag.
  40     command_line->AppendSwitch(switches::kDisableWebSecurity);
  41   }
  42
  43   void InspectHistograms(const base::HistogramTester& histograms,
  44                          bool should_be_blocked,
  45                          const std::string& resource_name) {
  46     std::string bucket;
  47     int mime_type = 0;  // Hardcoded because histogram enums mustn't change.
  48     if (MatchPattern(resource_name, "*.html")) {
  49       bucket = "HTML";
  50       mime_type = 0;
  51     } else if (MatchPattern(resource_name, "*.xml")) {
  52       bucket = "XML";
  53       mime_type = 1;
  54     } else if (MatchPattern(resource_name, "*.json")) {
  55       bucket = "JSON";
  56       mime_type = 2;
  57     } else if (MatchPattern(resource_name, "*.txt")) {
  58       bucket = "Plain";
  59       mime_type = 3;
  60       if (MatchPattern(resource_name, "json*")) {
  61         bucket += ".JSON";
  62       } else if (MatchPattern(resource_name, "html*")) {
  63         bucket += ".HTML";
  64       } else if (MatchPattern(resource_name, "xml*")) {
  65         bucket += ".XML";
  66       }
  67     } else {
  68       FAIL();
  69     }
  70     FetchHistogramsFromChildProcesses();
  71
  72     // A few histograms are incremented unconditionally.
  73     histograms.ExpectUniqueSample("SiteIsolation.AllResponses", 1, 1);
  74     histograms.ExpectTotalCount("SiteIsolation.XSD.DataLength", 1);
  75     histograms.ExpectUniqueSample("SiteIsolation.XSD.MimeType", mime_type, 1);
  76
  77     // Inspect the appropriate conditionally-incremented histogram[s].
  78     std::set<std::string> expected_metrics;
  79     std::string base_metric = "SiteIsolation.XSD." + bucket;
  80     base_metric += should_be_blocked ? ".Blocked" : ".NotBlocked";
  81     expected_metrics.insert(base_metric);
  82     if (should_be_blocked) {
  83       expected_metrics.insert(base_metric + ".RenderableStatusCode");
  84     } else if (MatchPattern(resource_name, "*js.*")) {
  85       expected_metrics.insert(base_metric + ".MaybeJS");
  86     }
  87
  88     for (std::string metric : expected_metrics) {
  89       if (MatchPattern(metric, "*.RenderableStatusCode")) {
  90         histograms.ExpectUniqueSample(metric, RESOURCE_TYPE_XHR, 1);
  91       } else {
  92         histograms.ExpectUniqueSample(metric, 1, 1);
  93       }
  94     }
  95
  96     // Make sure no other conditionally-incremented histograms were touched.
  97     const char* all_metrics[] = {
  98         "SiteIsolation.XSD.HTML.Blocked",
  99         "SiteIsolation.XSD.HTML.Blocked.NonRenderableStatusCode",
 100         "SiteIsolation.XSD.HTML.Blocked.RenderableStatusCode",
 101         "SiteIsolation.XSD.HTML.NoSniffBlocked",
 102         "SiteIsolation.XSD.HTML.NoSniffBlocked.NonRenderableStatusCode",
 103         "SiteIsolation.XSD.HTML.NoSniffBlocked.RenderableStatusCode",
 104         "SiteIsolation.XSD.HTML.NotBlocked",
 105         "SiteIsolation.XSD.HTML.NotBlocked.MaybeJS",
 106         "SiteIsolation.XSD.JSON.Blocked",
 107         "SiteIsolation.XSD.JSON.Blocked.NonRenderableStatusCode",
 108         "SiteIsolation.XSD.JSON.Blocked.RenderableStatusCode",
 109         "SiteIsolation.XSD.JSON.NoSniffBlocked",
 110         "SiteIsolation.XSD.JSON.NoSniffBlocked.NonRenderableStatusCode",
 111         "SiteIsolation.XSD.JSON.NoSniffBlocked.RenderableStatusCode",
 112         "SiteIsolation.XSD.JSON.NotBlocked",
 113         "SiteIsolation.XSD.JSON.NotBlocked.MaybeJS",
 114         "SiteIsolation.XSD.Plain.HTML.Blocked",
 115         "SiteIsolation.XSD.Plain.HTML.Blocked.NonRenderableStatusCode",
 116         "SiteIsolation.XSD.Plain.HTML.Blocked.RenderableStatusCode",
 117         "SiteIsolation.XSD.Plain.JSON.Blocked",
 118         "SiteIsolation.XSD.Plain.JSON.Blocked.NonRenderableStatusCode",
 119         "SiteIsolation.XSD.Plain.JSON.Blocked.RenderableStatusCode",
 120         "SiteIsolation.XSD.Plain.NoSniffBlocked",
 121         "SiteIsolation.XSD.Plain.NoSniffBlocked.NonRenderableStatusCode",
 122         "SiteIsolation.XSD.Plain.NoSniffBlocked.RenderableStatusCode",
 123         "SiteIsolation.XSD.Plain.NotBlocked",
 124         "SiteIsolation.XSD.Plain.NotBlocked.MaybeJS",
 125         "SiteIsolation.XSD.Plain.XML.Blocked",
 126         "SiteIsolation.XSD.Plain.XML.Blocked.NonRenderableStatusCode",
 127         "SiteIsolation.XSD.Plain.XML.Blocked.RenderableStatusCode",
 128         "SiteIsolation.XSD.XML.Blocked",
 129         "SiteIsolation.XSD.XML.Blocked.NonRenderableStatusCode",
 130         "SiteIsolation.XSD.XML.Blocked.RenderableStatusCode",
 131         "SiteIsolation.XSD.XML.NoSniffBlocked",
 132         "SiteIsolation.XSD.XML.NoSniffBlocked.NonRenderableStatusCode",
 133         "SiteIsolation.XSD.XML.NoSniffBlocked.RenderableStatusCode",
 134         "SiteIsolation.XSD.XML.NotBlocked",
 135         "SiteIsolation.XSD.XML.NotBlocked.MaybeJS"};
 136
 137     for (const char* metric : all_metrics) {
 138       if (!expected_metrics.count(metric)) {
 139         histograms.ExpectTotalCount(metric, 0);
 140       }
 141     }
 142   }
 143
 144  private:
 145   DISALLOW_COPY_AND_ASSIGN(SiteIsolationStatsGathererBrowserTest);
 146 };
 147
 148 // TODO(dsjang): we cannot run these tests on Android since SetUpCommandLine()
 149 // is executed before the I/O thread is created on Android. After this bug
 150 // (crbug.com/278425) is resolved, we can enable this test case on Android.
 151 #if defined(OS_ANDROID)
 152 #define MAYBE_CrossSiteDocumentBlockingForMimeType \
 153   DISABLED_CrossSiteDocumentBlockingForMimeType
 154 #else
 155 #define MAYBE_CrossSiteDocumentBlockingForMimeType \
 156   CrossSiteDocumentBlockingForMimeType
 157 #endif
 158
 159 IN_PROC_BROWSER_TEST_F(SiteIsolationStatsGathererBrowserTest,
 160                        MAYBE_CrossSiteDocumentBlockingForMimeType) {
 161   // Load a page that issues illegal cross-site document requests to bar.com.
 162   // The page uses XHR to request HTML/XML/JSON documents from bar.com, and
 163   // inspects if any of them were successfully received. Currently, on illegal
 164   // access, the XHR requests should succeed, but the UMA histograms should
 165   // record that they would have been blocked. This test is only possible since
 166   // we run the browser without the same origin policy.
 167   GURL foo("http://foo.com/files/cross_site_document_request.html");
 168
 169   NavigateToURL(shell(), foo);
 170
 171   // Flush out existing histogram activity.
 172   FetchHistogramsFromChildProcesses();
 173
 174   // The following are files under content/test/data/site_isolation. All
 175   // should be disallowed for cross site XHR under the document blocking policy.
 176   const char* blocked_resources[] = {
 177       "comment_valid.html",
 178       "html.txt",
 179       "html4_dtd.html",
 180       "html4_dtd.txt",
 181       "html5_dtd.html",
 182       "html5_dtd.txt",
 183       "json.txt",
 184       "valid.html",
 185       "valid.json",
 186       "valid.xml",
 187       "xml.txt",
 188   };
 189
 190   for (const char* resource : blocked_resources) {
 191     SCOPED_TRACE(base::StringPrintf("... while testing page: %s", resource));
 192     base::HistogramTester histograms;
 193
 194     bool was_blocked;
 195     ASSERT_TRUE(ExecuteScriptAndExtractBool(
 196         shell()->web_contents(),
 197         base::StringPrintf("sendRequest(\"%s\");", resource), &was_blocked));
 198     ASSERT_FALSE(was_blocked);
 199
 200     InspectHistograms(histograms, true, resource);
 201   }
 202
 203   // These files should be allowed for XHR under the document blocking policy.
 204   const char* allowed_resources[] = {"js.html",
 205                                      "comment_js.html",
 206                                      "js.xml",
 207                                      "js.json",
 208                                      "js.txt",
 209                                      "img.html",
 210                                      "img.xml",
 211                                      "img.json",
 212                                      "img.txt",
 213                                      "comment_js.html"};
 214   for (const char* resource : allowed_resources) {
 215     SCOPED_TRACE(base::StringPrintf("... while testing page: %s", resource));
 216     base::HistogramTester histograms;
 217
 218     bool was_blocked;
 219     ASSERT_TRUE(ExecuteScriptAndExtractBool(
 220         shell()->web_contents(),
 221         base::StringPrintf("sendRequest(\"%s\");", resource), &was_blocked));
 222     ASSERT_FALSE(was_blocked);
 223
 224     InspectHistograms(histograms, false, resource);
 225   }
 226 }
 227
 228 // TODO(dsjang): we cannot run these tests on Android since SetUpCommandLine()
 229 // is executed before the I/O thread is created on Android. After this bug
 230 // (crbug.com/278425) is resolved, we can enable this test case on Android.
 231 #if defined(OS_ANDROID)
 232 #define MAYBE_CrossSiteDocumentBlockingForDifferentTargets \
 233   DISABLED_CrossSiteDocumentBlockingForDifferentTargets
 234 #else
 235 #define MAYBE_CrossSiteDocumentBlockingForDifferentTargets \
 236   CrossSiteDocumentBlockingForDifferentTargets
 237 #endif
 238
 239 IN_PROC_BROWSER_TEST_F(SiteIsolationStatsGathererBrowserTest,
 240                        MAYBE_CrossSiteDocumentBlockingForDifferentTargets) {
 241   // This webpage loads a cross-site HTML page in different targets such as
 242   // <img>,<link>,<embed>, etc. Since the requested document is blocked, and one
 243   // character string (' ') is returned instead, this tests that the renderer
 244   // does not crash even when it receives a response body which is " ", whose
 245   // length is different from what's described in "content-length" for such
 246   // different targets.
 247
 248   // TODO(nick): Split up these cases, and add positive assertions here about
 249   // what actually happens in these various resource-block cases.
 250   GURL foo("http://foo.com/files/cross_site_document_request_target.html");
 251   NavigateToURL(shell(), foo);
 252 }
 253
 254 }  // namespace content