// Copyright 2012 The Chromium Authors // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. #include <set> #include <string> #include <string_view> #include "base/containers/contains.h" #include "base/files/file_path.h" #include "base/functional/callback_helpers.h" #include "base/logging.h" #include "base/memory/raw_ptr.h" #include "base/memory/ref_counted.h" #include "base/ranges/algorithm.h" #include "base/synchronization/waitable_event.h" #include "base/test/bind.h" #include "base/test/gtest_util.h" #include "base/test/mock_log.h" #include "base/test/scoped_command_line.h" #include "base/test/scoped_feature_list.h" #include "build/build_config.h" #include "content/browser/child_process_security_policy_impl.h" #include "content/browser/isolated_origin_util.h" #include "content/browser/origin_agent_cluster_isolation_state.h" #include "content/browser/process_lock.h" #include "content/browser/site_info.h" #include "content/browser/site_instance_impl.h" #include "content/common/content_navigation_policy.h" #include "content/common/features.h" #include "content/public/browser/browser_task_traits.h" #include "content/public/browser/browser_thread.h" #include "content/public/browser/site_isolation_policy.h" #include "content/public/common/bindings_policy.h" #include "content/public/common/content_client.h" #include "content/public/common/content_features.h" #include "content/public/common/content_switches.h" #include "content/public/common/url_constants.h" #include "content/public/test/browser_task_environment.h" #include "content/public/test/test_browser_context.h" #include "content/public/test/test_utils.h" #include "content/test/storage_partition_test_helpers.h" #include "content/test/test_content_browser_client.h" #include "storage/browser/file_system/file_permission_policy.h" #include "storage/browser/file_system/file_system_url.h" #include "storage/browser/file_system/isolated_context.h" #include "storage/common/file_system/file_system_types.h" #include "testing/gmock/include/gmock/gmock.h" #include "testing/gtest/include/gtest/gtest.h" #include "third_party/blink/public/common/storage_key/storage_key.h" #include "url/gurl.h" #include "url/origin.h" namespace content { namespace { IsolatedOriginSource; const int kRendererID = …; #if defined(FILE_PATH_USES_DRIVE_LETTERS) #define TEST_PATH … #else #define TEST_PATH(x) … #endif class ChildProcessSecurityPolicyTestBrowserClient : public TestContentBrowserClient { … }; bool IsCitadelProtectionEnabled() { … } void LockProcessIfNeeded(int process_id, BrowserContext* browser_context, const GURL& url) { … } } // namespace enum class ChildProcessSecurityPolicyTestCase { … }; class ChildProcessSecurityPolicyTest : public testing::Test, public ::testing::WithParamInterface<ChildProcessSecurityPolicyTestCase> { … }; // A test class that forces kOriginKeyedProcessesByDefault off in // ChildProcessSecurityPolicyTest. Used for tests that are trying to verify // behavior that is inconsistent with Origin Isolation. class ChildProcessSecurityPolicyTest_NoOriginKeyedProcessesByDefault : public ChildProcessSecurityPolicyTest { … }; TEST_P(ChildProcessSecurityPolicyTest, ChildID) { … } TEST_P(ChildProcessSecurityPolicyTest, IsWebSafeSchemeTest) { … } TEST_P(ChildProcessSecurityPolicyTest, IsPseudoSchemeTest) { … } TEST_P(ChildProcessSecurityPolicyTest, StandardSchemesTest) { … } TEST_P(ChildProcessSecurityPolicyTest, BlobSchemeTest) { … } TEST_P(ChildProcessSecurityPolicyTest, AboutTest) { … } TEST_P(ChildProcessSecurityPolicyTest, JavaScriptTest) { … } TEST_P(ChildProcessSecurityPolicyTest, RegisterWebSafeSchemeTest) { … } TEST_P(ChildProcessSecurityPolicyTest, CanServiceCommandsTest) { … } TEST_P(ChildProcessSecurityPolicyTest, ViewSource) { … } TEST_P(ChildProcessSecurityPolicyTest, GoogleChromeScheme) { … } TEST_P(ChildProcessSecurityPolicyTest, GrantCommitURLToNonStandardScheme) { … } TEST_P(ChildProcessSecurityPolicyTest, SpecificFile) { … } TEST_P(ChildProcessSecurityPolicyTest, FileSystemGrantsTest) { … } TEST_P(ChildProcessSecurityPolicyTest, FilePermissionGrantingAndRevoking) { … } TEST_P(ChildProcessSecurityPolicyTest, FilePermissions) { … } TEST_P(ChildProcessSecurityPolicyTest, CanServiceWebUIBindings) { … } TEST_P(ChildProcessSecurityPolicyTest, RemoveRace) { … } // Tests behavior of CanAccessDataForOrigin() during race conditions that // can occur during Remove(). It verifies that permissions for a child ID are // preserved after a Remove() call until the task, that Remove() has posted to // the IO thread, has run. // // We use a combination of waitable events and extra tasks posted to the // threads to capture permission state from the UI & IO threads during the // removal process. It is intended to simulate pending tasks that could be // run on each thread during removal. // // TODO(crbug.com/40210893): Refactor the test to avoid calls to // CanAccessDataForOrigin on the IO thread, by checking for the presence of // security state instead. TEST_P(ChildProcessSecurityPolicyTest, RemoveRace_CanAccessDataForOrigin) { … } // This test is similar to the one above that verifies CanAccessDataForOrigin() // behavior during process shutdown. This particular test verifies that a // ChildProcessSecurityPolicyImpl::Handle extends the lifetime of the security // state beyond the Remove() call. This represents the case where a Mojo service // on the IO thread still receives calls after the RPHI that created it has // been destroyed. // // We use a combination of waitable events and extra tasks posted to the // threads to capture permission state from the UI & IO threads during the // removal process. It is intended to simulate pending tasks that could be // run on each thread during removal. // // TODO(crbug.com/40210893): Refactor the test to avoid calls to // CanAccessDataForOrigin on the IO thread, by checking for the presence of // security state instead. TEST_P(ChildProcessSecurityPolicyTest, HandleExtendsSecurityStateLifetime) { … } TEST_P(ChildProcessSecurityPolicyTest, HandleDuplicate) { … } TEST_P(ChildProcessSecurityPolicyTest, CanAccessDataForOrigin_URL) { … } TEST_P(ChildProcessSecurityPolicyTest, CanAccessDataForOrigin_Origin) { … } TEST_P(ChildProcessSecurityPolicyTest, SandboxedProcessEnforcements) { … } TEST_P(ChildProcessSecurityPolicyTest, PdfProcessEnforcements) { … } // Test the granting of origin permissions, and their interactions with // granting scheme permissions. TEST_P(ChildProcessSecurityPolicyTest, OriginGranting) { … } #define LOCKED_EXPECT_THAT(lock, value, matcher) … // Verifies ChildProcessSecurityPolicyImpl::AddFutureIsolatedOrigins method. TEST_P(ChildProcessSecurityPolicyTest, AddFutureIsolatedOrigins) { … } TEST_P(ChildProcessSecurityPolicyTest, IsolateAllSuborigins) { … } // Verify that the isolation behavior for wildcard and non-wildcard origins, // singly or in concert, behaves correctly via calls to GetSiteForURL(). TEST_P(ChildProcessSecurityPolicyTest_NoOriginKeyedProcessesByDefault, WildcardAndNonWildcardOrigins) { … } TEST_P(ChildProcessSecurityPolicyTest_NoOriginKeyedProcessesByDefault, WildcardAndNonWildcardEmbedded) { … } // Verifies that isolated origins only apply to future BrowsingInstances. TEST_P(ChildProcessSecurityPolicyTest, DynamicIsolatedOrigins) { … } // Check that an unsuccessful isolated origin lookup for a URL with an empty // host doesn't crash. See https://crbug.com/882686. TEST_P(ChildProcessSecurityPolicyTest, IsIsolatedOriginWithEmptyHost) { … } // Verifies the API for restricting isolated origins to a specific // BrowserContext (profile). Namely, the same origin may be added for // different BrowserContexts, possibly with different BrowsingInstanceId // cutoffs. Attempts to re-add an origin for the same profile should be // ignored. Also, once an isolated origin is added globally for all profiles, // future attempts to re-add it (for any profile) should also be ignored. TEST_P(ChildProcessSecurityPolicyTest, IsolatedOriginsForSpecificBrowserContexts) { … } // This test ensures that isolated origins associated with a specific // BrowserContext are removed when that BrowserContext is destroyed. TEST_P(ChildProcessSecurityPolicyTest, IsolatedOriginsRemovedWhenBrowserContextDestroyed) { … } TEST_P(ChildProcessSecurityPolicyTest, IsolatedOriginPattern) { … } // This test adds isolated origins from various sources and verifies that // GetIsolatedOrigins() properly restricts lookups by source. TEST_P(ChildProcessSecurityPolicyTest, GetIsolatedOrigins) { … } // This test adds isolated origins from various sources as well as restricted // to particular profiles, and verifies that GetIsolatedOrigins() properly // restricts lookups by both source and profile. TEST_P(ChildProcessSecurityPolicyTest, GetIsolatedOriginsWithProfile) { … } TEST_P(ChildProcessSecurityPolicyTest, IsolatedOriginPatternEquality) { … } // Verifies parsing logic in SiteIsolationPolicy::ParseIsolatedOrigins. TEST_P(ChildProcessSecurityPolicyTest, ParseIsolatedOrigins) { … } // Verify that the default port for an isolated origin's scheme is returned // during a lookup, not the port of the origin requested. TEST_P(ChildProcessSecurityPolicyTest, WildcardDefaultPort) { … } TEST_P(ChildProcessSecurityPolicyTest, ProcessLockMatching) { … } // Verify the mechanism that allows non-origin-keyed isolated origins to be // associated with a single BrowsingInstance. TEST_P(ChildProcessSecurityPolicyTest, IsolatedOriginsForSpecificBrowsingInstances) { … } // Verify isolated origins associated with a single BrowsingInstance can be // combined with isolated origins that apply to future BrowsingInstances. TEST_P(ChildProcessSecurityPolicyTest, IsolatedOriginsForCurrentAndFutureBrowsingInstances) { … } // This test verifies that CanAccessDataForOrigin returns true for a process id // even if all BrowsingInstanceIDs for that process have been deleted, so long // as the request matches the process' lock. This test sets an origin-keyed // lock. TEST_P(ChildProcessSecurityPolicyTest, NoBrowsingInstanceIDs_OriginKeyed) { … } // This test verifies that CanAccessDataForOrigin returns true for a process id // even if all BrowsingInstanceIDs for that process have been deleted, so long // as the request matches the process' lock. This test sets a site-keyed lock. TEST_P(ChildProcessSecurityPolicyTest_NoOriginKeyedProcessesByDefault, NoBrowsingInstanceIDs_SiteKeyed) { … } // This test verifies that CanAccessDataForOrigin returns false for a process id // when all BrowsingInstanceIDs for that process have been deleted, and the // ProcessLock has is_locked_to_site() = false, regardless of the url requested. TEST_P(ChildProcessSecurityPolicyTest, NoBrowsingInstanceIDs_UnlockedProcess) { … } // Regression test for https://crbug.com/1324407. TEST_P(ChildProcessSecurityPolicyTest, CannotLockUsedProcessToSite) { … } INSTANTIATE_TEST_SUITE_P(…); INSTANTIATE_TEST_SUITE_P(…); } // namespace content
Codebase Browser
chromium