File: iframe_csp_browsertest.cc

// Copyright 2020 The Chromium Authors
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

#include "base/functional/bind.h"
#include "chrome/test/payments/payment_request_platform_browsertest_base.h"
#include "content/public/browser/render_frame_host.h"
#include "content/public/browser/web_contents.h"
#include "content/public/test/browser_test.h"
#include "content/public/test/browser_test_utils.h"
#include "testing/gtest/include/gtest/gtest.h"

namespace payments {

// Fixture for the payment-request CSP browser tests below. Besides the base
// class's https_server(), it runs a second HTTPS server that serves the
// kylepay.test payment app, so tests can hand that server to the test manifest
// downloader.
class IframeCspTest : public PaymentRequestPlatformBrowserTestBase {
 public:
  IframeCspTest() : app_server_(net::EmbeddedTestServer::TYPE_HTTPS) {}
  ~IframeCspTest() override = default;

  void SetUpOnMainThread() override;

 protected:
  // HTTPS server for the kylepay.test payment app files; tests pass
  // `&app_server_` to the manifest downloader.
  net::EmbeddedTestServer app_server_;
};

void IframeCspTest::SetUpOnMainThread() {
  PaymentRequestPlatformBrowserTestBase::SetUpOnMainThread();

  // kylepay.test is a payment app that supports just-in-time installation.
  app_server_.ServeFilesFromSourceDirectory(
      "components/test/data/payments/kylepay.test");
  ASSERT_TRUE(app_server_.Start());
}

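// Verify that a cross-origin iframe's CSP is enforced against a payment method
// identifier: constructing a PaymentRequest for kylepay.test from inside the
// iframe must fail with a RangeError naming the CSP violation, and no
// "Refused to load the image" console error for the app icon may be emitted
// along the way.
IN_PROC_BROWSER_TEST_F(IframeCspTest, Show) {
  NavigateTo("/csp_test_main.html");

  content::WebContentsConsoleObserver console_observer(GetActiveWebContents());
  // Only console messages about the kylepay.test icon being refused match this
  // pattern; the test asserts at the end that none were emitted.
  console_observer.SetPattern(
      "Refused to load the image 'https://kylepay.test:*/icon.png *");

  const GURL iframe_url =
      https_server()->GetURL("other.example", "/csp_test_iframe.html");
  // Everything below runs against the iframe, so stop here if it did not
  // navigate rather than evaluating JS in whatever frame is there instead.
  ASSERT_TRUE(
      content::NavigateIframeToURL(GetActiveWebContents(), "test", iframe_url));

  content::RenderFrameHost* iframe = content::FrameMatchingPredicate(
      GetActiveWebContents()->GetPrimaryPage(),
      base::BindRepeating(&content::FrameHasSourceUrl, iframe_url));
  // If the lookup misses, `iframe` may be null and would be dereferenced on the
  // next line; fail the test cleanly instead of crashing it.
  ASSERT_NE(nullptr, iframe);
  EXPECT_EQ(iframe_url, iframe->GetLastCommittedURL());

  // Point the iframe's manifest downloader at app_server_, which serves the
  // kylepay.test files on a test-only port; the port is ignored in the origin
  // comparison so the identifier still maps to that server.
  const std::string method_name = "kylepay.test";
  SetDownloaderAndIgnorePortInOriginComparisonForTestingInFrame(
      {{method_name, &app_server_}}, iframe);

  // The iframe's CSP must reject the identifier with a RangeError.
  EXPECT_EQ(
      "RangeError: Failed to construct 'PaymentRequest': "
      "https://kylepay.test/webpay payment method identifier violates "
      "Content Security Policy.",
      content::EvalJs(iframe, "checkCanMakePayment()"));

  // No stray CSP error about the icon may have been logged.
  EXPECT_TRUE(console_observer.messages().empty());
}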

// Verify that a page's CSP can deny connections to a payment app's manifest
// files.
IN_PROC_BROWSER_TEST_F(IframeCspTest, PageCSPDeniesPayments) {
  NavigateTo("/csp/deny_csp.html");

  // nickpay.test is an app that can be installed just in time (JIT) unless CSP
  // blocks connections to it. The identifier comes from the test server, so it
  // carries that server's port.
  const std::string method_identifier =
      https_server()->GetURL("nickpay.test", "/nickpay.test/pay").spec();

  // deny_csp.html forbids connections to every payment manifest, so the
  // PaymentRequest constructor must reject the identifier with a RangeError.
  const std::string expected_error =
      "RangeError: Failed to construct 'PaymentRequest': " +
      method_identifier +
      " payment method identifier violates Content Security Policy.";
  EXPECT_EQ(expected_error,
            content::EvalJs(GetActiveWebContents(),
                            content::JsReplace("checkCanMakePayment($1)",
                                               method_identifier)));
}

// Verify that CSP can deny redirects for payment method manifests.
IN_PROC_BROWSER_TEST_F(IframeCspTest, PageCSPDeniesRedirectedPaymentDownloads) {
  NavigateTo("/csp/deny_csp_after_redirect.html");

  // "https://test.example/redirect/pay" redirects to
  // "https://subdomain.test.example/redirect/destination/pay". CSP denies
  // access to the subdomain. Both hosts are served by https_server(); its port
  // is ignored when origins are compared.
  const std::string origin_host = "test.example";
  const std::string redirect_host = "subdomain." + origin_host;
  SetDownloaderAndIgnorePortInOriginComparisonForTesting(
      {{origin_host, https_server()}, {redirect_host, https_server()}});

  const std::string method_identifier =
      "https://" + origin_host + "/redirect/pay";
  // The test page's CSP denies connections to the redirect destination, so
  // canMakePayment must resolve to false.
  const auto result = content::EvalJs(
      GetActiveWebContents(),
      content::JsReplace("checkCanMakePayment($1)", method_identifier));
  EXPECT_EQ(false, result)
      << "Expected canMakePayment to fail due to CSP connect-src directive, "
         "but it succeeded.";
}

}  // namespace payments