1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 232 233 234 235 236 237 238 239 240 241 242 243 244 245 246 247 248 249 250 251 252 253 254 255
|
// Copyright 2022 The Chromium Authors
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
#include "chrome/browser/extensions/extension_apitest.h"
#include "chrome/browser/profiles/profile.h"
#include "chrome/browser/ui/browser.h"
#include "chrome/browser/ui/tabs/tab_strip_model.h"
#include "chrome/common/chrome_switches.h"
#include "chrome/test/base/ui_test_utils.h"
#include "components/network_session_configurator/common/network_switches.h"
#include "content/public/browser/web_contents.h"
#include "content/public/test/browser_test.h"
#include "content/public/test/browser_test_utils.h"
#include "content/public/test/test_navigation_observer.h"
#include "extensions/browser/event_router.h"
#include "extensions/browser/extension_event_histogram_value.h"
#include "extensions/common/api/management.h"
#include "net/dns/mock_host_resolver.h"
#include "net/test/embedded_test_server/embedded_test_server.h"
#include "services/network/public/cpp/network_switches.h"
#include "services/network/public/mojom/url_response_head.mojom.h"
namespace extensions {
namespace {
// URL the new webstore is associated with in production.
constexpr char kNewWebstoreURL[] = "https://chromewebstore.google.com/";
// URL the webstore hosted app is associated with in production, minus the
// /webstore/ path which is added in the tests themselves.
constexpr char kWebstoreAppBaseURL[] = "https://chrome.google.com/";
// URL to test the command line override for the webstore.
constexpr char kWebstoreOverrideURL[] = "https://chrome.webstore.test.com/";
constexpr char kNonWebstoreURL1[] = "https://foo.com/";
constexpr char kNonWebstoreURL2[] = "https://bar.com/";
} // namespace
class WebstoreDomainBrowserTest : public ExtensionApiTest,
public testing::WithParamInterface<GURL> {
public:
WebstoreDomainBrowserTest() {
UseHttpsTestServer();
// Override the test server SSL config with the webstore domain under test
// and two other non-webstore domains used in the tests.
net::EmbeddedTestServer::ServerCertificateConfig cert_config;
cert_config.dns_names = {GetParam().host(), "foo.com", "bar.com"};
embedded_test_server()->SetSSLConfig(cert_config);
// Add the extensions directory to the test server as it has a /webstore/
// directory to serve files from, which the webstore hosted app requires as
// part of the URL it is associated with.
embedded_test_server()->ServeFilesFromSourceDirectory(
"chrome/test/data/extensions");
EXPECT_TRUE(embedded_test_server()->Start());
}
~WebstoreDomainBrowserTest() override = default;
void SetUpCommandLine(base::CommandLine* command_line) override {
// Add a host resolver rule to map all outgoing requests to the test server.
// This allows us to use "real" hostnames and standard ports in URLs (i.e.,
// without having to inject the port number into all URLs).
command_line->AppendSwitchASCII(
network::switches::kHostResolverRules,
"MAP * " + embedded_test_server()->host_port_pair().ToString());
// Only override the webstore URL if this test case is testing the override.
if (GetParam().spec() == kWebstoreOverrideURL) {
command_line->AppendSwitchASCII(::switches::kAppsGalleryURL,
kWebstoreOverrideURL);
}
ExtensionApiTest::SetUpCommandLine(command_line);
}
};
// Tests that webstorePrivate, management and runtime are exposed to the
// webstore domain, but not to a non-webstore domain.
// Note: Although we don't explicitly provide runtime to the webstore domain in
// the case of it being a "web page" context, it is granted implicitly by the
// NativeExtensionBindingsSystem due to other extension APIs (webstorePrivate
// and management) being exposed to the web page.
IN_PROC_BROWSER_TEST_P(WebstoreDomainBrowserTest, ExpectedAvailability) {
const GURL webstore_url = GetParam().Resolve("/webstore/mock_store.html");
const GURL not_webstore_url = GURL(kNonWebstoreURL1).Resolve("/empty.html");
content::WebContents* web_contents =
browser()->tab_strip_model()->GetActiveWebContents();
auto is_api_available = [web_contents](const std::string& api_name) {
constexpr char kScript[] = "chrome.hasOwnProperty($1);";
return content::EvalJs(web_contents, content::JsReplace(kScript, api_name))
.ExtractBool();
};
ASSERT_TRUE(ui_test_utils::NavigateToURL(browser(), webstore_url));
EXPECT_EQ(web_contents->GetPrimaryMainFrame()->GetLastCommittedURL(),
webstore_url);
EXPECT_TRUE(is_api_available("webstorePrivate"));
EXPECT_TRUE(is_api_available("management"));
EXPECT_TRUE(is_api_available("runtime"));
ASSERT_TRUE(ui_test_utils::NavigateToURL(browser(), not_webstore_url));
EXPECT_EQ(web_contents->GetPrimaryMainFrame()->GetLastCommittedURL(),
not_webstore_url);
EXPECT_FALSE(is_api_available("management"));
EXPECT_FALSE(is_api_available("webstorePrivate"));
EXPECT_FALSE(is_api_available("runtime"));
}
// Test that the webstore can register and receive management events. Normally
// we have a check that the receiver of an extension event can never be a
// webpage context. The old webstore gets around this by appearing as a hosted
// app extension context, but the new webstore has the APIs exposed directly to
// the webpage context it uses. Regression test for crbug.com/1441136.
IN_PROC_BROWSER_TEST_P(WebstoreDomainBrowserTest, CanReceiveEvents) {
const GURL webstore_url = GetParam().Resolve("/webstore/mock_store.html");
content::WebContents* web_contents =
browser()->tab_strip_model()->GetActiveWebContents();
ASSERT_TRUE(ui_test_utils::NavigateToURL(browser(), webstore_url));
EXPECT_EQ(web_contents->GetPrimaryMainFrame()->GetLastCommittedURL(),
webstore_url);
constexpr char kAddListener[] = R"(
chrome.management.onInstalled.addListener(() => {
domAutomationController.send('received event');
});
'listener added';
)";
ASSERT_EQ("listener added", content::EvalJs(web_contents, kAddListener));
content::DOMMessageQueue message_queue(
browser()->tab_strip_model()->GetActiveWebContents());
// Directly broadcast the management.onInstalled event from the EventRouter
// and verify it arrived to the page without causing a crash.
EventRouter* event_router = EventRouter::Get(profile());
api::management::ExtensionInfo info;
info.install_type = api::management::ExtensionInstallType::kNormal;
info.type = api::management::ExtensionType::kExtension;
event_router->BroadcastEvent(std::make_unique<Event>(
events::FOR_TEST, api::management::OnInstalled::kEventName,
api::management::OnInstalled::Create(info)));
std::string message;
EXPECT_TRUE(message_queue.WaitForMessage(&message));
EXPECT_EQ("\"received event\"", message);
}
// Tests that a webstore page with misconfigured or missing X-Frame-Options
// headers that is embedded in an iframe has the headers adjusted to SAMEORIGIN
// and that the subframe navigation is subsequently blocked.
IN_PROC_BROWSER_TEST_P(WebstoreDomainBrowserTest, FrameWebstorePageBlocked) {
GURL outer_frame_url = GURL(kNonWebstoreURL1).Resolve("/empty.html");
content::WebContents* web_contents =
browser()->tab_strip_model()->GetActiveWebContents();
ASSERT_TRUE(ui_test_utils::NavigateToURL(browser(), outer_frame_url));
EXPECT_EQ(outer_frame_url, web_contents->GetLastCommittedURL());
constexpr char kScript[] =
R"({
var f = document.createElement('iframe');
f.src = $1;
!!document.body.appendChild(f);
})";
// Embedding a non-webstore page with a misconfigured X-Frame-Options header
// will just have the header ignored and load fine.
{
GURL non_webstore_url =
GURL(kNonWebstoreURL2)
.Resolve("/webstore/xfo_header_misconfigured.html");
content::TestNavigationObserver observer(web_contents);
EXPECT_TRUE(content::EvalJs(web_contents,
content::JsReplace(kScript, non_webstore_url))
.ExtractBool());
EXPECT_TRUE(WaitForLoadStop(web_contents));
content::RenderFrameHost* subframe =
content::ChildFrameAt(web_contents->GetPrimaryMainFrame(), 0);
ASSERT_TRUE(subframe);
const network::mojom::URLResponseHead* response_head =
subframe->GetLastResponseHead();
ASSERT_TRUE(response_head);
ASSERT_TRUE(response_head->headers);
EXPECT_TRUE(
response_head->headers->HasHeaderValue("X-Frame-Options", "foo"));
// The subframe should have loaded fine.
EXPECT_EQ(non_webstore_url, subframe->GetLastCommittedURL());
EXPECT_TRUE(observer.last_navigation_succeeded());
}
// Embedding a webstore page with a misconfigured X-Frame-Options header
// should have the header replaced and the frame load should fail.
{
GURL webstore_url =
GetParam().Resolve("/webstore/xfo_header_misconfigured.html");
content::TestNavigationObserver observer(web_contents);
EXPECT_TRUE(
content::EvalJs(web_contents, content::JsReplace(kScript, webstore_url))
.ExtractBool());
EXPECT_TRUE(WaitForLoadStop(web_contents));
content::RenderFrameHost* subframe =
content::ChildFrameAt(web_contents->GetPrimaryMainFrame(), 1);
ASSERT_TRUE(subframe);
const network::mojom::URLResponseHead* response_head =
subframe->GetLastResponseHead();
ASSERT_TRUE(response_head);
ASSERT_TRUE(response_head->headers);
EXPECT_TRUE(response_head->headers->HasHeaderValue("X-Frame-Options",
"SAMEORIGIN"));
// The subframe load should fail due to XFO.
EXPECT_EQ(webstore_url, subframe->GetLastCommittedURL());
EXPECT_FALSE(observer.last_navigation_succeeded());
EXPECT_EQ(net::ERR_BLOCKED_BY_RESPONSE, observer.last_net_error_code());
}
// Loading a webstore page that doesn't exist and results in a 404 should
// have the X-Frame-Options SAMEORIGIN added and the load should fail.
{
GURL webstore_url = GetParam().Resolve("/webstore/not_an_actual_file.html");
content::TestNavigationObserver observer(web_contents);
EXPECT_TRUE(
content::EvalJs(web_contents, content::JsReplace(kScript, webstore_url))
.ExtractBool());
EXPECT_TRUE(WaitForLoadStop(web_contents));
content::RenderFrameHost* subframe =
content::ChildFrameAt(web_contents->GetPrimaryMainFrame(), 2);
ASSERT_TRUE(subframe);
const network::mojom::URLResponseHead* response_head =
subframe->GetLastResponseHead();
ASSERT_TRUE(response_head);
ASSERT_TRUE(response_head->headers);
EXPECT_TRUE(response_head->headers->HasHeaderValue("X-Frame-Options",
"SAMEORIGIN"));
// The subframe load should fail due to XFO.
EXPECT_EQ(webstore_url, subframe->GetLastCommittedURL());
EXPECT_FALSE(observer.last_navigation_succeeded());
EXPECT_EQ(net::ERR_BLOCKED_BY_RESPONSE, observer.last_net_error_code());
}
}
INSTANTIATE_TEST_SUITE_P(WebstoreNewURL,
WebstoreDomainBrowserTest,
testing::Values(GURL(kNewWebstoreURL)));
INSTANTIATE_TEST_SUITE_P(WebstoreHostedAppURL,
WebstoreDomainBrowserTest,
testing::Values(GURL(kWebstoreAppBaseURL)));
INSTANTIATE_TEST_SUITE_P(WebstoreOverrideURL,
WebstoreDomainBrowserTest,
testing::Values(GURL(kWebstoreOverrideURL)));
} // namespace extensions
|