File: webstore_domain_browsertest.cc

package info (click to toggle)
chromium 139.0.7258.127-2
  • links: PTS, VCS
  • area: main
  • in suites: forky, sid
  • size: 6,122,156 kB
  • sloc: cpp: 35,100,771; ansic: 7,163,530; javascript: 4,103,002; python: 1,436,920; asm: 946,517; xml: 746,709; pascal: 187,653; perl: 88,691; sh: 88,436; objc: 79,953; sql: 51,488; cs: 44,583; fortran: 24,137; makefile: 22,147; tcl: 15,277; php: 13,980; yacc: 8,984; ruby: 7,485; awk: 3,720; lisp: 3,096; lex: 1,327; ada: 727; jsp: 228; sed: 36
file content (255 lines) | stat: -rw-r--r-- 11,686 bytes parent folder | download | duplicates (6)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
// Copyright 2022 The Chromium Authors
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

#include "chrome/browser/extensions/extension_apitest.h"
#include "chrome/browser/profiles/profile.h"
#include "chrome/browser/ui/browser.h"
#include "chrome/browser/ui/tabs/tab_strip_model.h"
#include "chrome/common/chrome_switches.h"
#include "chrome/test/base/ui_test_utils.h"
#include "components/network_session_configurator/common/network_switches.h"
#include "content/public/browser/web_contents.h"
#include "content/public/test/browser_test.h"
#include "content/public/test/browser_test_utils.h"
#include "content/public/test/test_navigation_observer.h"
#include "extensions/browser/event_router.h"
#include "extensions/browser/extension_event_histogram_value.h"
#include "extensions/common/api/management.h"
#include "net/dns/mock_host_resolver.h"
#include "net/test/embedded_test_server/embedded_test_server.h"
#include "services/network/public/cpp/network_switches.h"
#include "services/network/public/mojom/url_response_head.mojom.h"

namespace extensions {
namespace {

// URL the new webstore is associated with in production.
constexpr char kNewWebstoreURL[] = "https://chromewebstore.google.com/";
// URL the webstore hosted app is associated with in production, minus the
// /webstore/ path which is added in the tests themselves.
constexpr char kWebstoreAppBaseURL[] = "https://chrome.google.com/";
// URL to test the command line override for the webstore.
constexpr char kWebstoreOverrideURL[] = "https://chrome.webstore.test.com/";
constexpr char kNonWebstoreURL1[] = "https://foo.com/";
constexpr char kNonWebstoreURL2[] = "https://bar.com/";

}  // namespace

class WebstoreDomainBrowserTest : public ExtensionApiTest,
                                  public testing::WithParamInterface<GURL> {
 public:
  WebstoreDomainBrowserTest() {
    UseHttpsTestServer();
    // Override the test server SSL config with the webstore domain under test
    // and two other non-webstore domains used in the tests.
    net::EmbeddedTestServer::ServerCertificateConfig cert_config;
    cert_config.dns_names = {GetParam().host(), "foo.com", "bar.com"};
    embedded_test_server()->SetSSLConfig(cert_config);
    // Add the extensions directory to the test server as it has a /webstore/
    // directory to serve files from, which the webstore hosted app requires as
    // part of the URL it is associated with.
    embedded_test_server()->ServeFilesFromSourceDirectory(
        "chrome/test/data/extensions");
    EXPECT_TRUE(embedded_test_server()->Start());
  }
  ~WebstoreDomainBrowserTest() override = default;

  void SetUpCommandLine(base::CommandLine* command_line) override {
    // Add a host resolver rule to map all outgoing requests to the test server.
    // This allows us to use "real" hostnames and standard ports in URLs (i.e.,
    // without having to inject the port number into all URLs).
    command_line->AppendSwitchASCII(
        network::switches::kHostResolverRules,
        "MAP * " + embedded_test_server()->host_port_pair().ToString());

    // Only override the webstore URL if this test case is testing the override.
    if (GetParam().spec() == kWebstoreOverrideURL) {
      command_line->AppendSwitchASCII(::switches::kAppsGalleryURL,
                                      kWebstoreOverrideURL);
    }

    ExtensionApiTest::SetUpCommandLine(command_line);
  }
};

// Tests that webstorePrivate, management and runtime are exposed to the
// webstore domain, but not to a non-webstore domain.
// Note: Although we don't explicitly provide runtime to the webstore domain in
// the case of it being a "web page" context, it is granted implicitly by the
// NativeExtensionBindingsSystem due to other extension APIs (webstorePrivate
// and management) being exposed to the web page.
IN_PROC_BROWSER_TEST_P(WebstoreDomainBrowserTest, ExpectedAvailability) {
  const GURL webstore_url = GetParam().Resolve("/webstore/mock_store.html");
  const GURL not_webstore_url = GURL(kNonWebstoreURL1).Resolve("/empty.html");

  content::WebContents* web_contents =
      browser()->tab_strip_model()->GetActiveWebContents();

  auto is_api_available = [web_contents](const std::string& api_name) {
    constexpr char kScript[] = "chrome.hasOwnProperty($1);";
    return content::EvalJs(web_contents, content::JsReplace(kScript, api_name))
        .ExtractBool();
  };

  ASSERT_TRUE(ui_test_utils::NavigateToURL(browser(), webstore_url));
  EXPECT_EQ(web_contents->GetPrimaryMainFrame()->GetLastCommittedURL(),
            webstore_url);
  EXPECT_TRUE(is_api_available("webstorePrivate"));
  EXPECT_TRUE(is_api_available("management"));
  EXPECT_TRUE(is_api_available("runtime"));

  ASSERT_TRUE(ui_test_utils::NavigateToURL(browser(), not_webstore_url));
  EXPECT_EQ(web_contents->GetPrimaryMainFrame()->GetLastCommittedURL(),
            not_webstore_url);
  EXPECT_FALSE(is_api_available("management"));
  EXPECT_FALSE(is_api_available("webstorePrivate"));
  EXPECT_FALSE(is_api_available("runtime"));
}

// Test that the webstore can register and receive management events. Normally
// we have a check that the receiver of an extension event can never be a
// webpage context. The old webstore gets around this by appearing as a hosted
// app extension context, but the new webstore has the APIs exposed directly to
// the webpage context it uses. Regression test for crbug.com/1441136.
IN_PROC_BROWSER_TEST_P(WebstoreDomainBrowserTest, CanReceiveEvents) {
  const GURL webstore_url = GetParam().Resolve("/webstore/mock_store.html");

  content::WebContents* web_contents =
      browser()->tab_strip_model()->GetActiveWebContents();

  ASSERT_TRUE(ui_test_utils::NavigateToURL(browser(), webstore_url));
  EXPECT_EQ(web_contents->GetPrimaryMainFrame()->GetLastCommittedURL(),
            webstore_url);
  constexpr char kAddListener[] = R"(
    chrome.management.onInstalled.addListener(() => {
      domAutomationController.send('received event');
    });
    'listener added';
  )";
  ASSERT_EQ("listener added", content::EvalJs(web_contents, kAddListener));

  content::DOMMessageQueue message_queue(
      browser()->tab_strip_model()->GetActiveWebContents());
  // Directly broadcast the management.onInstalled event from the EventRouter
  // and verify it arrived to the page without causing a crash.
  EventRouter* event_router = EventRouter::Get(profile());
  api::management::ExtensionInfo info;
  info.install_type = api::management::ExtensionInstallType::kNormal;
  info.type = api::management::ExtensionType::kExtension;
  event_router->BroadcastEvent(std::make_unique<Event>(
      events::FOR_TEST, api::management::OnInstalled::kEventName,
      api::management::OnInstalled::Create(info)));

  std::string message;
  EXPECT_TRUE(message_queue.WaitForMessage(&message));
  EXPECT_EQ("\"received event\"", message);
}

// Tests that a webstore page with misconfigured or missing X-Frame-Options
// headers that is embedded in an iframe has the headers adjusted to SAMEORIGIN
// and that the subframe navigation is subsequently blocked.
IN_PROC_BROWSER_TEST_P(WebstoreDomainBrowserTest, FrameWebstorePageBlocked) {
  GURL outer_frame_url = GURL(kNonWebstoreURL1).Resolve("/empty.html");

  content::WebContents* web_contents =
      browser()->tab_strip_model()->GetActiveWebContents();
  ASSERT_TRUE(ui_test_utils::NavigateToURL(browser(), outer_frame_url));
  EXPECT_EQ(outer_frame_url, web_contents->GetLastCommittedURL());

  constexpr char kScript[] =
      R"({
           var f = document.createElement('iframe');
           f.src = $1;
           !!document.body.appendChild(f);
         })";

  // Embedding a non-webstore page with a misconfigured X-Frame-Options header
  // will just have the header ignored and load fine.
  {
    GURL non_webstore_url =
        GURL(kNonWebstoreURL2)
            .Resolve("/webstore/xfo_header_misconfigured.html");
    content::TestNavigationObserver observer(web_contents);
    EXPECT_TRUE(content::EvalJs(web_contents,
                                content::JsReplace(kScript, non_webstore_url))
                    .ExtractBool());
    EXPECT_TRUE(WaitForLoadStop(web_contents));
    content::RenderFrameHost* subframe =
        content::ChildFrameAt(web_contents->GetPrimaryMainFrame(), 0);
    ASSERT_TRUE(subframe);
    const network::mojom::URLResponseHead* response_head =
        subframe->GetLastResponseHead();
    ASSERT_TRUE(response_head);
    ASSERT_TRUE(response_head->headers);
    EXPECT_TRUE(
        response_head->headers->HasHeaderValue("X-Frame-Options", "foo"));

    // The subframe should have loaded fine.
    EXPECT_EQ(non_webstore_url, subframe->GetLastCommittedURL());
    EXPECT_TRUE(observer.last_navigation_succeeded());
  }

  // Embedding a webstore page with a misconfigured X-Frame-Options header
  // should have the header replaced and the frame load should fail.
  {
    GURL webstore_url =
        GetParam().Resolve("/webstore/xfo_header_misconfigured.html");
    content::TestNavigationObserver observer(web_contents);
    EXPECT_TRUE(
        content::EvalJs(web_contents, content::JsReplace(kScript, webstore_url))
            .ExtractBool());
    EXPECT_TRUE(WaitForLoadStop(web_contents));
    content::RenderFrameHost* subframe =
        content::ChildFrameAt(web_contents->GetPrimaryMainFrame(), 1);
    ASSERT_TRUE(subframe);
    const network::mojom::URLResponseHead* response_head =
        subframe->GetLastResponseHead();
    ASSERT_TRUE(response_head);
    ASSERT_TRUE(response_head->headers);
    EXPECT_TRUE(response_head->headers->HasHeaderValue("X-Frame-Options",
                                                       "SAMEORIGIN"));

    // The subframe load should fail due to XFO.
    EXPECT_EQ(webstore_url, subframe->GetLastCommittedURL());
    EXPECT_FALSE(observer.last_navigation_succeeded());
    EXPECT_EQ(net::ERR_BLOCKED_BY_RESPONSE, observer.last_net_error_code());
  }

  // Loading a webstore page that doesn't exist and results in a 404 should
  // have the X-Frame-Options SAMEORIGIN added and the load should fail.
  {
    GURL webstore_url = GetParam().Resolve("/webstore/not_an_actual_file.html");
    content::TestNavigationObserver observer(web_contents);
    EXPECT_TRUE(
        content::EvalJs(web_contents, content::JsReplace(kScript, webstore_url))
            .ExtractBool());
    EXPECT_TRUE(WaitForLoadStop(web_contents));
    content::RenderFrameHost* subframe =
        content::ChildFrameAt(web_contents->GetPrimaryMainFrame(), 2);
    ASSERT_TRUE(subframe);
    const network::mojom::URLResponseHead* response_head =
        subframe->GetLastResponseHead();
    ASSERT_TRUE(response_head);
    ASSERT_TRUE(response_head->headers);
    EXPECT_TRUE(response_head->headers->HasHeaderValue("X-Frame-Options",
                                                       "SAMEORIGIN"));

    // The subframe load should fail due to XFO.
    EXPECT_EQ(webstore_url, subframe->GetLastCommittedURL());
    EXPECT_FALSE(observer.last_navigation_succeeded());
    EXPECT_EQ(net::ERR_BLOCKED_BY_RESPONSE, observer.last_net_error_code());
  }
}

INSTANTIATE_TEST_SUITE_P(WebstoreNewURL,
                         WebstoreDomainBrowserTest,
                         testing::Values(GURL(kNewWebstoreURL)));
INSTANTIATE_TEST_SUITE_P(WebstoreHostedAppURL,
                         WebstoreDomainBrowserTest,
                         testing::Values(GURL(kWebstoreAppBaseURL)));
INSTANTIATE_TEST_SUITE_P(WebstoreOverrideURL,
                         WebstoreDomainBrowserTest,
                         testing::Values(GURL(kWebstoreOverrideURL)));

}  // namespace extensions