// Copyright 2021 The Chromium Authors // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. #include <memory> #include <set> #include <string> #include <string_view> #include <vector> #include "base/command_line.h" #include "base/memory/raw_ptr.h" #include "base/strings/strcat.h" #include "base/strings/string_number_conversions.h" #include "base/synchronization/lock.h" #include "base/test/scoped_feature_list.h" #include "base/thread_annotations.h" #include "build/build_config.h" #include "content/browser/renderer_host/frame_tree_node.h" #include "content/browser/renderer_host/render_frame_host_impl.h" #include "content/public/common/content_client.h" #include "content/public/common/content_features.h" #include "content/public/common/content_switches.h" #include "content/public/common/url_constants.h" #include "content/public/test/browser_test.h" #include "content/public/test/browser_test_utils.h" #include "content/public/test/content_browser_test.h" #include "content/public/test/content_browser_test_content_browser_client.h" #include "content/public/test/content_browser_test_utils.h" #include "content/public/test/private_network_access_util.h" #include "content/public/test/resource_load_observer.h" #include "content/shell/browser/shell.h" #include "content/test/content_browser_test_utils_internal.h" #include "net/dns/mock_host_resolver.h" #include "net/http/http_byte_range.h" #include "net/http/http_util.h" #include "net/test/embedded_test_server/embedded_test_server.h" #include "net/test/embedded_test_server/embedded_test_server_connection_listener.h" #include "net/test/embedded_test_server/http_request.h" #include "services/network/public/cpp/features.h" #include "services/network/public/cpp/network_switches.h" #include "testing/gmock/include/gmock/gmock.h" #include "third_party/blink/public/common/features.h" #include "url/gurl.h" #include "url/origin.h" namespace content { namespace { METHOD_GET; METHOD_OPTIONS; ElementsAre; IsEmpty; // These domains are mapped to the IP addresses above using the // `--host-resolver-rules` command-line switch. The exact values come from the // embedded HTTPS server, which has certificates for these domains constexpr char kLocalHost[] = …; constexpr char kOtherLocalHost[] = …; constexpr char kPrivateHost[] = …; constexpr char kPublicHost[] = …; // Path to a default response served by all servers in this test. constexpr char kDefaultPath[] = …; // Path to a response with the `treat-as-public-address` CSP directive. constexpr char kTreatAsPublicAddressPath[] = …; // Path to a response with a wide-open CORS header. This can be fetched // cross-origin without triggering CORS violations. constexpr char kCorsPath[] = …; // Path to a response that passes Private Network Access checks. constexpr char kPnaPath[] = …; // Path to a cacheable response. constexpr char kCacheablePath[] = …; // Path to a cacheable variant of `kCorsPath`. constexpr char kCacheableCorsPath[] = …; // Path to a cacheable variant of `kPnaPath`. constexpr char kCacheablePnaPath[] = …; // Returns a path to a response that passes Private Network Access checks. // // This can be used to construct the `src` URL for an iframe. std::string MakePnaPathForIframe(const url::Origin& initiator_origin) { … } // Returns a snippet of Javascript that fetch()es the given URL. // // The snippet evaluates to a boolean promise which resolves to true iff the // fetch was successful. The promise never rejects, as doing so makes it hard // to assert failure. std::string FetchSubresourceScript(const GURL& url) { … } // A |ContentBrowserClient| implementation that allows modifying the return // value of |ShouldAllowInsecurePrivateNetworkRequests()| at will. class PolicyTestContentBrowserClient : public ContentBrowserTestContentBrowserClient { … }; // An embedded test server connection listener that simply counts connections. // Thread-safe. class ConnectionCounter : public net::test_server::EmbeddedTestServerConnectionListener { … }; class RequestObserver { … }; // Removes `prefix` from the start of `str`, if present. // Returns nullopt otherwise. std::optional<std::string_view> StripPrefix(std::string_view str, std::string_view prefix) { … } // Returns a pointer to the value of the `header` header in `request`, if any. // Returns nullptr otherwise. const std::string* FindRequestHeader( const net::test_server::HttpRequest& request, std::string_view header) { … } // Returns the `Content-Range` header value for a given `range` of bytes out of // the given `total_size` number of bytes. std::string GetContentRangeHeader(const net::HttpByteRange& range, size_t total_size) { … } // An `EmbeddedTestServer` request handler function. // // Knows how to respond to CORS and PNA preflight requests, as well as regular // and range requests. // // Route: /echorange?<body> std::unique_ptr<net::test_server::HttpResponse> HandleRangeRequest( const net::test_server::HttpRequest& request) { … } // A `net::EmbeddedTestServer` that pretends to be in a given IP address space. // // NOTE(titouan): The IP address space overrides CLI switch is copied to utility // processes when said processes are started. Thus if any server is instantiated // after the network process has started, updates we make to our own CLI // switches will not propagate to the network process, yielding inconsistent // results. class FakeAddressSpaceServer { … }; } // namespace // This being an integration/browser test, we concentrate on a few behaviors // relevant to Private Network Access: // // - testing the values of important properties on top-level documents: // - address space // - secure context bit // - private network request policy // - testing the inheritance semantics of these properties // - testing the correct handling of the CSP: treat-as-public-address directive // - testing that subresource requests are subject to PNA checks // - and a few other odds and ends // // We use the `--ip-address-space-overrides` command-line switch to test against // `private` and `public` address spaces, even though all responses are actually // served from localhost. Combined with host resolver rules, this lets us define // three different domains that map to the different address spaces: // // - `a.test` is `local` // - `b.test` is `private` // - `c.test` is `public` // // We also have unit tests that test all possible combinations of source and // destination IP address spaces in services/network/url_loader_unittest.cc. class PrivateNetworkAccessBrowserTestBase : public ContentBrowserTest { … }; // Test with insecure private network subresource requests from the `public` // address space blocked and preflights otherwise enabled but not enforced. class PrivateNetworkAccessBrowserTest : public PrivateNetworkAccessBrowserTestBase { … }; // This definition is required as raw initializer lists aren't allowed in the // ternary ? operator. FeatureVec; // This is the same as PrivateNetworkAccessBrowserTest, but runs each test // twice, once with kOriginKeyedProcessesByDefault explicitly enabled, and once // with it explicitly disabled. The tests implemented using this class involve // sandboxed data: frames whose SiteInfo creation may vary depending on whether // the feature is enabled or not. class PrivateNetworkAccessSandboxedDataBrowserTest : public PrivateNetworkAccessBrowserTestBase, public testing::WithParamInterface<bool> { … }; class PrivateNetworkAccessBrowserTestWithBlockInsteadOfWarnOption : public PrivateNetworkAccessBrowserTest, public testing::WithParamInterface<bool> { … }; class PrivateNetworkAccessBrowserTestDisableWebSecurity : public PrivateNetworkAccessBrowserTest { … }; // Test with insecure private network subresource requests blocked, including // from the `private` address space. class PrivateNetworkAccessBrowserTestBlockFromPrivate : public PrivateNetworkAccessBrowserTestBase { … }; // Test with insecure private network subresource requests blocked, including // from the `private` address space. class PrivateNetworkAccessBrowserTestBlockFromUnknown : public PrivateNetworkAccessBrowserTestBase { … }; // Test with PNA checks for iframes enabled. class PrivateNetworkAccessBrowserTestForNavigations : public PrivateNetworkAccessBrowserTestBase { … }; // Test with PNA checks for navigations enabled in warning-only mode. class PrivateNetworkAccessBrowserTestForNavigationsWarningOnly : public PrivateNetworkAccessBrowserTestForNavigations { … }; // Test with the feature to send preflights (unenforced) disabled, and insecure // private network subresource requests blocked. class PrivateNetworkAccessBrowserTestNoPreflights : public PrivateNetworkAccessBrowserTestBase { … }; // Test with the feature to send preflights (enforced) enabled, and insecure // private network subresource requests blocked. class PrivateNetworkAccessBrowserTestRespectPreflightResults : public PrivateNetworkAccessBrowserTestBase { … }; // Test with PNA checks for worker-related fetches enabled. class PrivateNetworkAccessBrowserTestForWorkers : public PrivateNetworkAccessBrowserTestBase { … }; // Test with PNA checks for worker-related fetches enabled and preflight // enforcement enabled. class PrivateNetworkAccessBrowserTestRespectPreflightResultsForWorkers : public PrivateNetworkAccessBrowserTestBase { … }; // Test with PNA checks for worker-related fetches enabled in warning-only mode, // including preflights. class PrivateNetworkAccessBrowserTestRespectPreflightResultsForWorkersWarningOnly : public PrivateNetworkAccessBrowserTestBase { … }; // Test with insecure private network requests allowed. class PrivateNetworkAccessBrowserTestNoBlocking : public PrivateNetworkAccessBrowserTestBase { … }; // =========================== // CLIENT SECURITY STATE TESTS // =========================== // // These tests verify the contents of `ClientSecurityState` for top-level // documents in various different circumstances. // This test verifies the contents of the ClientSecurityState for the initial // empty document in a new main frame created by the browser. // // Note: the renderer-created main frame case is exercised by the // OpeneeInherits* tests below. IN_PROC_BROWSER_TEST_F(PrivateNetworkAccessBrowserTest, ClientSecurityStateForInitialEmptyDoc) { … } // This test verifies the contents of the ClientSecurityState for `about:blank` // in a new main frame created by the browser. // // Note: the renderer-created main frame case is exercised by the Openee // inheritance tests below. IN_PROC_BROWSER_TEST_F(PrivateNetworkAccessBrowserTest, ClientSecurityStateForAboutBlank) { … } IN_PROC_BROWSER_TEST_F(PrivateNetworkAccessBrowserTest, ClientSecurityStateForDataURL) { … } IN_PROC_BROWSER_TEST_F(PrivateNetworkAccessBrowserTest, ClientSecurityStateForFileURL) { … } IN_PROC_BROWSER_TEST_F(PrivateNetworkAccessBrowserTest, ClientSecurityStateForInsecureLocalAddress) { … } IN_PROC_BROWSER_TEST_F(PrivateNetworkAccessBrowserTest, ClientSecurityStateForInsecurePrivateAddress) { … } IN_PROC_BROWSER_TEST_F(PrivateNetworkAccessBrowserTest, ClientSecurityStateForInsecurePublicAddress) { … } IN_PROC_BROWSER_TEST_F(PrivateNetworkAccessBrowserTest, ClientSecurityStateForSecureLocalAddress) { … } IN_PROC_BROWSER_TEST_F(PrivateNetworkAccessBrowserTest, ClientSecurityStateForSecurePrivateAddress) { … } IN_PROC_BROWSER_TEST_F(PrivateNetworkAccessBrowserTest, ClientSecurityStateForSecurePublicAddress) { … } // Tests that a top-level navigation to 0.0.0.0 is in the kLocal address space. IN_PROC_BROWSER_TEST_F(PrivateNetworkAccessBrowserTest, ClientSecurityStateForNullIP) { … } class PrivateNetworkAccessBrowserTestNullIPKillswitch : public PrivateNetworkAccessBrowserTestBase { … }; // Tests that a top-level navigation to 0.0.0.0 is in the kPublic address space // when a killswitch is enabled to specifically treat it as public. IN_PROC_BROWSER_TEST_F(PrivateNetworkAccessBrowserTestNullIPKillswitch, ClientSecurityStateForNullIPKillswitch) { … } IN_PROC_BROWSER_TEST_F(PrivateNetworkAccessBrowserTest, ClientSecurityStateForTreatAsPublicAddress) { … } IN_PROC_BROWSER_TEST_F(PrivateNetworkAccessBrowserTest, ClientSecurityStateForTreatAsPublicAddressReportOnly) { … } IN_PROC_BROWSER_TEST_F(PrivateNetworkAccessBrowserTest, ClientSecurityStateForCachedSecureLocalDocument) { … } IN_PROC_BROWSER_TEST_F(PrivateNetworkAccessBrowserTest, ClientSecurityStateForCachedInsecurePublicDocument) { … } // This test verifies that the chrome:// scheme is considered local for the // purpose of Private Network Access. IN_PROC_BROWSER_TEST_F(PrivateNetworkAccessBrowserTest, ClientSecurityStateForSpecialSchemeChromeURL) { … } // The view-source:// scheme should only ever appear in the display URL. It // shouldn't affect the IPAddressSpace computation. This test verifies that we // end up with the response IPAddressSpace. IN_PROC_BROWSER_TEST_F(PrivateNetworkAccessBrowserTest, ClientSecurityStateForSpecialSchemeViewSourcePublic) { … } // Variation of above test with a private address. IN_PROC_BROWSER_TEST_F(PrivateNetworkAccessBrowserTest, ClientSecurityStateForSpecialSchemeViewSourcePrivate) { … } // The chrome-error:// scheme should only ever appear in origins. It shouldn't // affect the IPAddressSpace computation. This test verifies that we end up with // the response IPAddressSpace. Error pages should not be considered secure // contexts however. IN_PROC_BROWSER_TEST_F(PrivateNetworkAccessBrowserTest, ClientSecurityStateForSpecialSchemeChromeErrorPublic) { … } // Variation of above test with a private address. IN_PROC_BROWSER_TEST_F(PrivateNetworkAccessBrowserTest, ClientSecurityStateForSpecialSchemeChromeErrorPrivate) { … } // ======================== // INHERITANCE TEST HELPERS // ======================== namespace { // Creates a blob containing dummy HTML, then returns its URL. // Executes javascript to do so in |frame_host|, which must not be nullptr. GURL CreateBlobURL(RenderFrameHostImpl* frame_host) { … } // Executes |script| to add a new child iframe to the given |parent| document. // // |parent| must not be nullptr. // // Returns a pointer to the child frame host. RenderFrameHostImpl* AddChildWithScript(RenderFrameHostImpl* parent, const std::string& script) { … } RenderFrameHostImpl* GetFirstChild(RenderFrameHostImpl& parent) { … } // Adds a child iframe sourced from `url` to the given `parent` document and // waits for it to load. Returns the child RFHI. // // `parent` must not be nullptr. RenderFrameHostImpl* AddChildFromURL(RenderFrameHostImpl* parent, std::string_view url) { … } // Convenience overload for absolute URLs. RenderFrameHostImpl* AddChildFromURL(RenderFrameHostImpl* parent, const GURL& url) { … } // Adds a child iframe sourced from `url` to the given `parent` document. // Does not wait for the child frame to load - this must be done separately. // // `parent` must not be nullptr. void AddChildFromURLWithoutWaiting(RenderFrameHostImpl* parent, std::string_view url) { … } // Convenience overload for absolute URLs. void AddChildFromURLWithoutWaiting(RenderFrameHostImpl* parent, const GURL& url) { … } RenderFrameHostImpl* AddChildFromAboutBlank(RenderFrameHostImpl* parent) { … } RenderFrameHostImpl* AddChildInitialEmptyDoc(RenderFrameHostImpl* parent) { … } RenderFrameHostImpl* AddChildFromSrcdoc(RenderFrameHostImpl* parent) { … } RenderFrameHostImpl* AddChildFromDataURL(RenderFrameHostImpl* parent) { … } RenderFrameHostImpl* AddChildFromJavascriptURL(RenderFrameHostImpl* parent) { … } RenderFrameHostImpl* AddChildFromBlob(RenderFrameHostImpl* parent) { … } RenderFrameHostImpl* AddSandboxedChildFromURL(RenderFrameHostImpl* parent, const GURL& url) { … } RenderFrameHostImpl* AddSandboxedChildFromAboutBlank( RenderFrameHostImpl* parent) { … } RenderFrameHostImpl* AddSandboxedChildInitialEmptyDoc( RenderFrameHostImpl* parent) { … } RenderFrameHostImpl* AddSandboxedChildFromSrcdoc(RenderFrameHostImpl* parent) { … } RenderFrameHostImpl* AddSandboxedChildFromDataURL(RenderFrameHostImpl* parent) { … } RenderFrameHostImpl* AddSandboxedChildFromBlob(RenderFrameHostImpl* parent) { … } // Returns the main frame RenderFrameHostImpl in the given |shell|. // // |shell| must not be nullptr. // // Helper for OpenWindow*(). RenderFrameHostImpl* GetPrimaryMainFrameHostImpl(Shell* shell) { … } // Opens a new window from within |parent|, pointed at the given |url|. // Waits until the openee window has navigated to |url|, then returns a pointer // to its main frame RenderFrameHostImpl. // // |parent| must not be nullptr. RenderFrameHostImpl* OpenWindowFromURL(RenderFrameHostImpl* parent, const GURL& url) { … } RenderFrameHostImpl* OpenWindowFromAboutBlank(RenderFrameHostImpl* parent) { … } // Same as above, but with the "noopener" window feature. RenderFrameHostImpl* OpenWindowFromAboutBlankNoOpener( RenderFrameHostImpl* parent) { … } RenderFrameHostImpl* OpenWindowFromURLExpectNoCommit( RenderFrameHostImpl* parent, const GURL& url, std::string_view features = "") { … } RenderFrameHostImpl* OpenWindowInitialEmptyDoc(RenderFrameHostImpl* parent) { … } // Same as above, but with the "noopener" window feature. RenderFrameHostImpl* OpenWindowInitialEmptyDocNoOpener( RenderFrameHostImpl* parent) { … } GURL JavascriptURL(std::string_view script) { … } RenderFrameHostImpl* OpenWindowFromJavascriptURL( RenderFrameHostImpl* parent, std::string_view script = "'foo'") { … } // Same as above, but with the "noopener" window feature. RenderFrameHostImpl* OpenWindowFromJavascriptURLNoOpener( RenderFrameHostImpl* parent, std::string_view script) { … } RenderFrameHostImpl* OpenWindowFromBlob(RenderFrameHostImpl* parent) { … } } // namespace // =============================== // ADDRESS SPACE INHERITANCE TESTS // =============================== // // These tests verify that `ClientSecurityState.ip_address_space` is correctly // inherited by child iframes and openee documents for a variety of URLs with // local schemes. IN_PROC_BROWSER_TEST_F(PrivateNetworkAccessBrowserTest, IframeInheritsAddressSpaceForAboutBlankFromPublic) { … } IN_PROC_BROWSER_TEST_F(PrivateNetworkAccessBrowserTest, IframeInheritsAddressSpaceForAboutBlankFromLocal) { … } IN_PROC_BROWSER_TEST_F( PrivateNetworkAccessBrowserTest, SandboxedIframeInheritsAddressSpaceForAboutBlankFromPublic) { … } IN_PROC_BROWSER_TEST_F( PrivateNetworkAccessBrowserTest, SandboxedIframeInheritsAddressSpaceForAboutBlankFromLocal) { … } // This test verifies that a newly-opened window targeting `about:blank` // inherits its address space from the opener. In this case, the opener's // address space is `public`. IN_PROC_BROWSER_TEST_F(PrivateNetworkAccessBrowserTest, OpeneeInheritsAddressSpaceForAboutBlankFromPublic) { … } // This test verifies that a newly-opened window targeting `about:blank` // inherits its address space from the opener. In this case, the opener's // address space is `local`. IN_PROC_BROWSER_TEST_F(PrivateNetworkAccessBrowserTest, OpeneeInheritsAddressSpaceForAboutBlankFromLocal) { … } // This test verifies that a newly-opened window targeting `about:blank`, // opened with the "noopener" feature, has its address space set to `local` // regardless of the address space of the opener. // // Compare and contrast against the above tests without "noopener". IN_PROC_BROWSER_TEST_F(PrivateNetworkAccessBrowserTest, OpeneeNoOpenerAddressSpaceForAboutBlankIsLocal) { … } IN_PROC_BROWSER_TEST_F(PrivateNetworkAccessBrowserTest, IframeInheritsAddressSpaceForInitialEmptyDocFromPublic) { … } IN_PROC_BROWSER_TEST_F(PrivateNetworkAccessBrowserTest, IframeInheritsAddressSpaceForInitialEmptyDocFromLocal) { … } IN_PROC_BROWSER_TEST_F( PrivateNetworkAccessBrowserTest, SandboxedIframeInheritsAddressSpaceForInitialEmptyDocFromPublic) { … } IN_PROC_BROWSER_TEST_F( PrivateNetworkAccessBrowserTest, SandboxedIframeInheritsAddressSpaceForInitialEmptyDocFromLocal) { … } // This test verifies that a newly-opened window containing the initial empty // document inherits its address space from the opener. In this case, the // opener's address space is `public`. IN_PROC_BROWSER_TEST_F(PrivateNetworkAccessBrowserTest, OpeneeInheritsAddressSpaceForInitialEmptyDocFromPublic) { … } // This test verifies that a newly-opened window containing the initial empty // document inherits its address space from the opener. In this case, the // opener's address space is `local`. IN_PROC_BROWSER_TEST_F(PrivateNetworkAccessBrowserTest, OpeneeInheritsAddressSpaceForInitialEmptyDocFromLocal) { … } // This test verifies that a newly-opened window containing the initial empty // document, opened with the "noopener" feature, has its address space set to // `local` regardless of the address space of the opener. // // Compare and contrast against the above tests without "noopener". IN_PROC_BROWSER_TEST_F(PrivateNetworkAccessBrowserTest, OpeneeNoOpenerAddressSpaceForInitialEmptyDocIsLocal) { … } IN_PROC_BROWSER_TEST_F(PrivateNetworkAccessBrowserTest, IframeInheritsAddressSpaceForAboutSrcdocFromPublic) { … } IN_PROC_BROWSER_TEST_F(PrivateNetworkAccessBrowserTest, IframeInheritsAddressSpaceForAboutSrcdocFromLocal) { … } IN_PROC_BROWSER_TEST_F( PrivateNetworkAccessBrowserTest, SandboxedIframeInheritsAddressSpaceForAboutSrcdocFromPublic) { … } IN_PROC_BROWSER_TEST_F( PrivateNetworkAccessBrowserTest, SandboxedIframeInheritsAddressSpaceForAboutSrcdocFromLocal) { … } IN_PROC_BROWSER_TEST_F(PrivateNetworkAccessBrowserTest, IframeInheritsAddressSpaceForDataURLFromPublic) { … } IN_PROC_BROWSER_TEST_F(PrivateNetworkAccessBrowserTest, IframeInheritsAddressSpaceForDataURLFromLocal) { … } IN_PROC_BROWSER_TEST_P( PrivateNetworkAccessSandboxedDataBrowserTest, SandboxedIframeInheritsAddressSpaceForDataURLFromPublic) { … } IN_PROC_BROWSER_TEST_P(PrivateNetworkAccessSandboxedDataBrowserTest, SandboxedIframeInheritsAddressSpaceForDataURLFromLocal) { … } IN_PROC_BROWSER_TEST_F(PrivateNetworkAccessBrowserTest, IframeInheritsAddressSpaceForJavascriptURLFromPublic) { … } IN_PROC_BROWSER_TEST_F(PrivateNetworkAccessBrowserTest, IframeInheritsAddressSpaceForJavascriptURLFromLocal) { … } IN_PROC_BROWSER_TEST_F(PrivateNetworkAccessBrowserTest, OpeneeInheritsAddressSpaceForJavascriptURLFromPublic) { … } IN_PROC_BROWSER_TEST_F(PrivateNetworkAccessBrowserTest, OpeneeInheritsAddressSpaceForJavascriptURLFromLocal) { … } IN_PROC_BROWSER_TEST_F(PrivateNetworkAccessBrowserTest, OpeneeNoOpenerAddressSpaceForJavascriptURLIsLocal) { … } IN_PROC_BROWSER_TEST_F(PrivateNetworkAccessBrowserTest, IframeInheritsAddressSpaceForBlobURLFromPublic) { … } IN_PROC_BROWSER_TEST_F(PrivateNetworkAccessBrowserTest, IframeInheritsAddressSpaceForBlobURLFromLocal) { … } IN_PROC_BROWSER_TEST_F( PrivateNetworkAccessBrowserTest, SandboxedIframeInheritsAddressSpaceForBlobURLFromPublic) { … } IN_PROC_BROWSER_TEST_F(PrivateNetworkAccessBrowserTest, SandboxedIframeInheritsAddressSpaceForBlobURLFromLocal) { … } IN_PROC_BROWSER_TEST_F(PrivateNetworkAccessBrowserTest, OpeneeInheritsAddressSpaceForBlobURLFromPublic) { … } IN_PROC_BROWSER_TEST_F(PrivateNetworkAccessBrowserTest, OpeneeInheritsAddressSpaceForBlobURLFromLocal) { … } // ================================ // SECURE CONTEXT INHERITANCE TESTS // ================================ // // These tests verify that `ClientSecurityState.is_web_secure_context` is // correctly inherited by child iframes and openee documents for a variety of // URLs with local schemes. IN_PROC_BROWSER_TEST_F(PrivateNetworkAccessBrowserTest, IframeInheritsSecureContextForAboutBlankFromSecure) { … } IN_PROC_BROWSER_TEST_F(PrivateNetworkAccessBrowserTest, IframeInheritsSecureContextForAboutBlankFromInsecure) { … } IN_PROC_BROWSER_TEST_F( PrivateNetworkAccessBrowserTest, SandboxedIframeInheritsSecureContextForAboutBlankFromSecure) { … } IN_PROC_BROWSER_TEST_F( PrivateNetworkAccessBrowserTest, SandboxedIframeInheritsSecureContextForAboutBlankFromInsecure) { … } IN_PROC_BROWSER_TEST_F(PrivateNetworkAccessBrowserTest, OpeneeInheritsSecureContextForAboutBlankFromSecure) { … } IN_PROC_BROWSER_TEST_F(PrivateNetworkAccessBrowserTest, OpeneeInheritsSecureContextForAboutBlankFromInsecure) { … } IN_PROC_BROWSER_TEST_F( PrivateNetworkAccessBrowserTest, IframeInheritsSecureContextForInitialEmptyDocFromSecure) { … } IN_PROC_BROWSER_TEST_F( PrivateNetworkAccessBrowserTest, IframeInheritsSecureContextForInitialEmptyDocFromInsecure) { … } IN_PROC_BROWSER_TEST_F( PrivateNetworkAccessBrowserTest, SandboxedIframeInheritsSecureContextForInitialEmptyDocFromSecure) { … } IN_PROC_BROWSER_TEST_F( PrivateNetworkAccessBrowserTest, SandboxedIframeInheritsSecureContextForInitialEmptyDocFromInsecure) { … } IN_PROC_BROWSER_TEST_F( PrivateNetworkAccessBrowserTest, OpeneeInheritsSecureContextForInitialEmptyDocFromSecure) { … } IN_PROC_BROWSER_TEST_F( PrivateNetworkAccessBrowserTest, OpeneeInheritsSecureContextForInitialEmptyDocFromInsecure) { … } IN_PROC_BROWSER_TEST_F(PrivateNetworkAccessBrowserTest, IframeInheritsSecureContextForAboutSrcdocFromSecure) { … } IN_PROC_BROWSER_TEST_F(PrivateNetworkAccessBrowserTest, IframeInheritsSecureContextForAboutSrcdocFromInsecure) { … } IN_PROC_BROWSER_TEST_F( PrivateNetworkAccessBrowserTest, SandboxedIframeInheritsSecureContextForAboutSrcdocFromSecure) { … } IN_PROC_BROWSER_TEST_F( PrivateNetworkAccessBrowserTest, SandboxedIframeInheritsSecureContextForAboutSrcdocFromInsecure) { … } IN_PROC_BROWSER_TEST_F(PrivateNetworkAccessBrowserTest, IframeInheritsSecureContextForDataURLFromSecure) { … } IN_PROC_BROWSER_TEST_F(PrivateNetworkAccessBrowserTest, IframeInheritsSecureContextForDataURLFromInsecure) { … } IN_PROC_BROWSER_TEST_F( PrivateNetworkAccessBrowserTest, SandboxedIframeInheritsSecureContextForDataURLFromSecure) { … } IN_PROC_BROWSER_TEST_P( PrivateNetworkAccessSandboxedDataBrowserTest, SandboxedIframeInheritsSecureContextForDataURLFromInsecure) { … } IN_PROC_BROWSER_TEST_F(PrivateNetworkAccessBrowserTest, IframeInheritsSecureContextForJavascriptURLFromSecure) { … } IN_PROC_BROWSER_TEST_F( PrivateNetworkAccessBrowserTest, IframeInheritsSecureContextForJavascriptURLFromInsecure) { … } IN_PROC_BROWSER_TEST_F( PrivateNetworkAccessBrowserTest, OpeneeInheritsSecureContextForJavascriptURLFromInsecure) { … } IN_PROC_BROWSER_TEST_F(PrivateNetworkAccessBrowserTest, OpeneeInheritsSecureContextForJavascriptURLFromSecure) { … } IN_PROC_BROWSER_TEST_F(PrivateNetworkAccessBrowserTest, IframeInheritsSecureContextForBlobURLFromSecure) { … } IN_PROC_BROWSER_TEST_F(PrivateNetworkAccessBrowserTest, IframeInheritsSecureContextForBlobURLFromInsecure) { … } IN_PROC_BROWSER_TEST_F( PrivateNetworkAccessBrowserTest, SandboxedIframeInheritsSecureContextForBlobURLFromSecure) { … } IN_PROC_BROWSER_TEST_F( PrivateNetworkAccessBrowserTest, SandboxedIframeInheritsSecureContextForBlobURLFromInsecure) { … } IN_PROC_BROWSER_TEST_F(PrivateNetworkAccessBrowserTest, OpeneeInheritsSecureContextForBlobURLFromSecure) { … } IN_PROC_BROWSER_TEST_F(PrivateNetworkAccessBrowserTest, OpeneeInheritsSecureContextForBlobURLFromInsecure) { … } // ==================================== // PRIVATE NETWORK REQUEST POLICY TESTS // ==================================== // // These tests verify the correct setting of // `ClientSecurityState.private_network_request_policy` in various situations. IN_PROC_BROWSER_TEST_F(PrivateNetworkAccessBrowserTestDisableWebSecurity, PrivateNetworkPolicyIsAllowInsecure) { … } IN_PROC_BROWSER_TEST_F(PrivateNetworkAccessBrowserTestDisableWebSecurity, PrivateNetworkPolicyIsAllowSecure) { … } // This test verifies that with the blocking feature disabled, the private // network request policy used by RenderFrameHostImpl is to warn about requests // from non-secure contexts. IN_PROC_BROWSER_TEST_F(PrivateNetworkAccessBrowserTestNoBlocking, PrivateNetworkPolicyIsWarnByDefault) { … } // This test verifies that with the blocking feature disabled, the private // network request policy used by RenderFrameHostImpl is to send unenforced // preflight requests from secure contexts. IN_PROC_BROWSER_TEST_F(PrivateNetworkAccessBrowserTestNoBlocking, PrivateNetworkPolicyIsWarnByDefaultForSecureContexts) { … } INSTANTIATE_TEST_SUITE_P(…); INSTANTIATE_TEST_SUITE_P(…); // This test verifies that by default, the private network request policy used // by RenderFrameHostImpl for requests is set to block requests from non-secure // contexts in the `public` address space. IN_PROC_BROWSER_TEST_P( PrivateNetworkAccessBrowserTestWithBlockInsteadOfWarnOption, PrivateNetworkPolicyIsBlockByDefaultForInsecurePublic) { … } // This test verifies that by default, the private network request policy used // by RenderFrameHostImpl for requests is set to allow requests from non-secure // contexts in the `private` address space with a warning. IN_PROC_BROWSER_TEST_P( PrivateNetworkAccessBrowserTestWithBlockInsteadOfWarnOption, PrivateNetworkPolicyForInsecurePrivate) { … } // This test verifies that when the right feature is enabled, the private // network request policy used by RenderFrameHostImpl for requests is set to // block requests from non-secure contexts in the private address space. IN_PROC_BROWSER_TEST_F(PrivateNetworkAccessBrowserTestBlockFromPrivate, PrivateNetworkPolicyIsBlockForInsecurePrivate) { … } // This test verifies that by default, the private network request policy used // by RenderFrameHostImpl for requests is set to allow requests from non-secure // contexts in the `unknown` address space. IN_PROC_BROWSER_TEST_P( PrivateNetworkAccessBrowserTestWithBlockInsteadOfWarnOption, PrivateNetworkPolicyIsAllowByDefaultForInsecureUnknown) { … } // This test verifies that when the right feature is enabled, the private // network request policy used by RenderFrameHostImpl for requests is set to // block requests from non-secure contexts in the `unknown` address space. IN_PROC_BROWSER_TEST_F(PrivateNetworkAccessBrowserTestBlockFromUnknown, PrivateNetworkPolicyIsBlockForInsecureUnknown) { … } // This test verifies that by default, the private network request policy used // by RenderFrameHostImpl for requests is set to allow requests from secure // contexts. IN_PROC_BROWSER_TEST_F(PrivateNetworkAccessBrowserTestNoPreflights, PrivateNetworkPolicyIsAllowByDefaultForSecureContexts) { … } // This test verifies that when sending preflights is enabled, the private // network request policy for secure contexts is `kPreflightWarn`. IN_PROC_BROWSER_TEST_P( PrivateNetworkAccessBrowserTestWithBlockInsteadOfWarnOption, PrivateNetworkPolicyForSecureContexts) { … } // This test verifies that blocking insecure private network requests from the // `kPublic` address space takes precedence over sending preflight requests. IN_PROC_BROWSER_TEST_P( PrivateNetworkAccessBrowserTestWithBlockInsteadOfWarnOption, PrivateNetworkPolicyIsBlockForInsecurePublic) { … } // This test verifies that when enforcing preflights is enabled, the private // network request policy for secure contexts is `kPreflightBlock`. IN_PROC_BROWSER_TEST_F(PrivateNetworkAccessBrowserTestRespectPreflightResults, PrivateNetworkPolicyIsPreflightBlockForSecureContexts) { … } // This test verifies that when enforcing preflights is enabled, the private // network request policy for non-secure contexts in the `kPrivate` address // space is `kPreflightBlock`. // This checks that as long as the "block from insecure private" feature flag // is not enabled, we will only show warnings for these requests. IN_PROC_BROWSER_TEST_F(PrivateNetworkAccessBrowserTestRespectPreflightResults, PrivateNetworkPolicyIsWarnForInsecurePrivate) { … } // This test verifies that blocking insecure private network requests from the // `kPublic` address space takes precedence over enforcing preflight requests. IN_PROC_BROWSER_TEST_F(PrivateNetworkAccessBrowserTestRespectPreflightResults, PrivateNetworkPolicyIsBlockForInsecurePublic) { … } // This test verifies that child frames with distinct origins from their parent // do not inherit their private network request policy, which is based on the // origin of the child document instead. // TODO (crbug.com/324679506) : Fix the test. IN_PROC_BROWSER_TEST_F( PrivateNetworkAccessBrowserTest, DISABLED_PrivateNetworkRequestPolicyCalculatedPerOrigin) { … } // This test verifies that the initial empty document, which inherits its origin // from the document creator, also inherits its private network request policy. IN_PROC_BROWSER_TEST_F( PrivateNetworkAccessBrowserTest, PrivateNetworkRequestPolicyInheritedWithOriginForInitialEmptyDoc) { … } // This test verifies that `about:blank` iframes, which inherit their origin // from the navigation initiator, also inherit their private network request // policy. IN_PROC_BROWSER_TEST_F( PrivateNetworkAccessBrowserTest, PrivateNetworkRequestPolicyInheritedWithOriginForAboutBlank) { … } // This test verifies that `data:` iframes, which commit an opaque origin // derived from the navigation initiator's origin, do not inherit their private // network request policy. IN_PROC_BROWSER_TEST_F( PrivateNetworkAccessBrowserTest, PrivateNetworkRequestPolicyNotInheritedWithOriginForDataURL) { … } // This test verifies that sandboxed iframes, which commit an opaque origin // derived from the navigation initiator's origin, do not inherit their private // network request policy. IN_PROC_BROWSER_TEST_F( PrivateNetworkAccessBrowserTest, PrivateNetworkRequestPolicyNotInheritedForSandboxedInitialEmptyDoc) { … } // This test verifies that sandboxed iframes, which commit an opaque origin // derived from the navigation initiator's origin, do not inherit their private // network request policy. "about:blank" behaves slightly differently from the // initial empty doc in code, but should have the same policy in the end. IN_PROC_BROWSER_TEST_F( PrivateNetworkAccessBrowserTest, PrivateNetworkRequestPolicyNotInheritedForSandboxedAboutBlank) { … } // This test verifies that error pages have a set private network request // policy of `kAllow` irrespective of the navigation initiator. IN_PROC_BROWSER_TEST_F(PrivateNetworkAccessBrowserTest, PrivateNetworkRequestPolicyIsAllowForErrorPage) { … } // ================================================== // SECURE CONTEXT RESTRICTION DEPRECATION TRIAL TESTS // ================================================== // // These tests verify the correct behavior of `private_network_request_policy` // in the face of the `PrivateNetworkAccessNonSecureContextsAllowed` deprecation // trial. // Test with insecure private network requests blocked, excluding navigations. class PrivateNetworkAccessDeprecationTrialDisabledBrowserTest : public PrivateNetworkAccessBrowserTestBase { … }; IN_PROC_BROWSER_TEST_F(PrivateNetworkAccessDeprecationTrialDisabledBrowserTest, OriginEnabledDoesNothing) { … } IN_PROC_BROWSER_TEST_F(PrivateNetworkAccessBrowserTest, DeprecationTrialOriginEnabled) { … } IN_PROC_BROWSER_TEST_F(PrivateNetworkAccessBrowserTest, DeprecationTrialOriginDisabled) { … } IN_PROC_BROWSER_TEST_F(PrivateNetworkAccessBrowserTest, DeprecationTrialSettingInheritedByInitialEmptyDoc) { … } IN_PROC_BROWSER_TEST_F(PrivateNetworkAccessBrowserTest, DeprecationTrialSettingInheritedByAboutBlank) { … } // `data:` URLs do not inherit their navigation initiator's origin, so they // should not inherit deprecation trials. IN_PROC_BROWSER_TEST_F(PrivateNetworkAccessBrowserTest, DeprecationTrialSettingNotInheritedByDataURL) { … } IN_PROC_BROWSER_TEST_F(PrivateNetworkAccessBrowserTest, DeprecationTrialSettingNotInheritedBySandboxedIframe) { … } IN_PROC_BROWSER_TEST_F(PrivateNetworkAccessBrowserTest, DeprecationTrialSettingNotInheritedByErrorPage) { … } // ======================= // SUBRESOURCE FETCH TESTS // ======================= // // These tests verify the behavior of the browser when fetching subresources // across IP address spaces. When the right features are enabled, private // network requests are blocked. // This test mimics the tests below, with all blocking features disabled. It // verifies that by default requests: // - from an insecure page with the "treat-as-public-address" CSP directive // - to a local IP address // are not blocked. IN_PROC_BROWSER_TEST_F(PrivateNetworkAccessBrowserTestNoBlocking, PrivateNetworkRequestIsNotBlockedByDefault) { … } // Check that the `--disable-web-security` command-line switch disables PNA // checks. IN_PROC_BROWSER_TEST_F(PrivateNetworkAccessBrowserTestDisableWebSecurity, PrivateNetworkRequestIsNotBlocked) { … } // This test verifies that when preflights are disabled, requests: // - from a secure page with the "treat-as-public-address" CSP directive // - to a local IP address // are not blocked. IN_PROC_BROWSER_TEST_F(PrivateNetworkAccessBrowserTest, FromSecureTreatAsPublicToLocalIsNotBlocked) { … } // This test verifies that when preflights are disabled, requests: // - from a secure page served from a public IP address // - to a local IP address // are not blocked. IN_PROC_BROWSER_TEST_F(PrivateNetworkAccessBrowserTestNoPreflights, FromSecurePublicToLocalIsNotBlocked) { … } // This test verifies that when preflights are sent but not enforced, requests: // - from a secure page served from a public IP address // - to a local IP address // - for which the target server does not respond OK to the preflight request // are not blocked. IN_PROC_BROWSER_TEST_F(PrivateNetworkAccessBrowserTest, FromSecurePublicToLocalIsNotBlocked) { … } // This test verifies that when preflights are sent and enforced, requests: // - from a secure page served from a public IP address // - to a local IP address // - when the target server does not respond OK to the preflight request // are blocked. IN_PROC_BROWSER_TEST_F(PrivateNetworkAccessBrowserTestRespectPreflightResults, FromSecurePublicToLocalIsBlocked) { … } // This test verifies that when preflights are disabled, requests: // - from a secure page served from a private IP address // - to a local IP address // are not blocked. IN_PROC_BROWSER_TEST_F(PrivateNetworkAccessBrowserTestNoPreflights, FromSecurePrivateToLocalIsNotBlocked) { … } // This test verifies that when preflights are sent but not enforced, requests: // - from a secure page served from a private IP address // - to a local IP address // - for which the target server does not respond OK to the preflight request // are not blocked. IN_PROC_BROWSER_TEST_F(PrivateNetworkAccessBrowserTest, FromSecurePrivateToLocalIsNotBlocked) { … } // This test verifies that when preflights are sent and enforced, requests: // - from a secure page served from a private IP address // - to a local IP address // - for which the target server does not respond OK to the preflight request // are blocked. IN_PROC_BROWSER_TEST_F(PrivateNetworkAccessBrowserTestRespectPreflightResults, FromSecurePrivateToLocalIsBlocked) { … } // This test verifies that when preflights are disabled, requests: // - from a secure page served from a local IP address // - to a local IP address // are not blocked. IN_PROC_BROWSER_TEST_F(PrivateNetworkAccessBrowserTestNoPreflights, FromSecureLocalToLocalIsNotBlocked) { … } // This test verifies that when preflights are sent but not enforced, requests: // - from a secure page served from a local IP address // - to a local IP address // are not blocked. IN_PROC_BROWSER_TEST_F(PrivateNetworkAccessBrowserTest, FromSecureLocalToLocalIsNotBlocked) { … } // This test verifies that when preflights are sent and enforced, requests: // - from a secure page served from a local IP address // - to a local IP address // - for which the target server does not respond OK to the preflight request // are not blocked. IN_PROC_BROWSER_TEST_F(PrivateNetworkAccessBrowserTestRespectPreflightResults, FromSecureLocalToLocalIsNotBlocked) { … } // This test verifies that when preflights are sent but not enforced, requests: // - from a secure page served from a local IP address // - to a local IP address // - for which the target server responds OK to the preflight request // are not blocked. IN_PROC_BROWSER_TEST_F(PrivateNetworkAccessBrowserTest, FromSecurePublicToLocalPreflightOK) { … } // This test verifies that when preflights are sent and enforced, requests: // - from a secure page served from a local IP address // - to a local IP address // - for which the target server responds OK to the preflight request // are not blocked. IN_PROC_BROWSER_TEST_F(PrivateNetworkAccessBrowserTestRespectPreflightResults, FromSecurePublicToLocalPreflightOK) { … } // TODO(crbug.com/40221632): Re-enable this test IN_PROC_BROWSER_TEST_F(PrivateNetworkAccessBrowserTestRespectPreflightResults, DISABLED_PreflightConnectionReusedHttp1) { … } IN_PROC_BROWSER_TEST_F(PrivateNetworkAccessBrowserTestRespectPreflightResults, PreflightConnectionReusedHttp2) { … } // This test verifies that when the right feature is enabled but the content // browser client overrides it, requests: // - from an insecure page with the "treat-as-public-address" CSP directive // - to a local IP address // are not blocked. IN_PROC_BROWSER_TEST_F( PrivateNetworkAccessBrowserTest, FromInsecureTreatAsPublicToLocalWithPolicySetToAllowIsNotBlocked) { … } // This test verifies that when the right feature is enabled, requests: // - from an insecure page with the "treat-as-public-address" CSP directive // - to a local IP address // are blocked. IN_PROC_BROWSER_TEST_F(PrivateNetworkAccessBrowserTest, FromInsecureTreatAsPublicToLocalIsBlocked) { … } // This test verifies that when the right feature is enabled, requests: // - from an insecure page served by a public IP address // - to local IP addresses // are blocked. IN_PROC_BROWSER_TEST_F(PrivateNetworkAccessBrowserTest, FromInsecurePublicToLocalIsBlocked) { … } // This test verifies that when the right feature is disabled, requests: // - from an insecure page served by a private IP address // - to local IP addresses // are not blocked. IN_PROC_BROWSER_TEST_F(PrivateNetworkAccessBrowserTest, FromInsecurePrivateToLocalIsNotBlocked) { … } // This test verifies that when the right feature is enabled, requests: // - from an insecure page served by a private IP address // - to local IP addresses // are blocked. IN_PROC_BROWSER_TEST_F(PrivateNetworkAccessBrowserTestBlockFromPrivate, FromInsecurePrivateToLocalIsBlocked) { … } // This test verifies that when the right feature is enabled, requests: // - from an insecure page served by a local IP address // - to local IP addresses // are not blocked. IN_PROC_BROWSER_TEST_F(PrivateNetworkAccessBrowserTest, FromInsecureLocalToLocalIsNotBlocked) { … } // This test verifies that when the right feature is enabled, requests: // - from a secure page with the "treat-as-public-address" CSP directive // - embedded in an insecure page served from a local IP address // - to local IP addresses // are blocked. IN_PROC_BROWSER_TEST_F( PrivateNetworkAccessBrowserTest, FromSecurePublicEmbeddedInInsecureLocalToLocalIsBlocked) { … } // This test verifies that even when the right feature is enabled, requests: // - from a non-secure context in the `local` IP address space // - to a subresource cached from a `local` IP address // are not blocked. IN_PROC_BROWSER_TEST_F(PrivateNetworkAccessBrowserTest, FromInsecureLocalToCachedLocalIsNotBlocked) { … } // This test verifies that when the right feature is enabled, requests: // - from a non-secure context in the `public` IP address space // - to a subresource cached from a `local` IP address // are blocked. IN_PROC_BROWSER_TEST_F(PrivateNetworkAccessBrowserTest, FromInsecurePublicToCachedLocalIsBlocked) { … } // This test verifies that when preflights are sent and enforced, requests: // - from a secure context in the `local` IP address space // - to a subresource cached from a `local` IP address // - for which the target server does not respond OK to the preflight request // are not blocked. IN_PROC_BROWSER_TEST_F(PrivateNetworkAccessBrowserTestRespectPreflightResults, FromSecureLocalToCachedLocalIsNotBlocked) { … } // This test verifies that when preflights are sent but not enforced, requests: // - from a secure page served in the `public` IP address space // - to a subresource cached from a `local` IP address // - for which the target server does not respond OK to the preflight request // are not blocked. IN_PROC_BROWSER_TEST_F(PrivateNetworkAccessBrowserTest, FromSecurePublicToCachedLocalIsNotBlocked) { … } // This test verifies that when preflights are sent and enforced, requests: // - from a secure page served in the `public` IP address space // - to a subresource cached from a `local` IP address // - for which the target server does not respond OK to the preflight request // are blocked. IN_PROC_BROWSER_TEST_F(PrivateNetworkAccessBrowserTestRespectPreflightResults, FromSecurePublicToCachedLocalIsBlocked) { … } // This test verifies that when preflights are sent and enforced, requests: // - from a secure page served in the `public` IP address space // - to a subresource cached from a `local` IP address // - for which the target server responds OK to the preflight request // are not blocked. IN_PROC_BROWSER_TEST_F(PrivateNetworkAccessBrowserTestRespectPreflightResults, FromSecurePublicToCachedLocalIsNotBlocked) { … } // This test verifies that even with the blocking feature disabled, an insecure // page in the `local` address space cannot fetch a `file:` URL. // // This is relevant to Private Network Access, since `file:` URLs are considered // to be in the `local` IP address space. IN_PROC_BROWSER_TEST_F(PrivateNetworkAccessBrowserTestNoBlocking, InsecurePageCannotRequestFile) { … } // This test verifies that even with the blocking feature disabled, a secure // page in the `local` address space cannot fetch a `file:` URL. // // This is relevant to Private Network Access, since `file:` URLs are considered // to be in the `local` IP address space. IN_PROC_BROWSER_TEST_F(PrivateNetworkAccessBrowserTestNoBlocking, SecurePageCannotRequestFile) { … } // This test verifies that if a page redirects after responding to a private // network request to a server in a different address space, the request does // not fail. // Regression test for https://crbug.com/1293891. IN_PROC_BROWSER_TEST_F(PrivateNetworkAccessBrowserTest, Redirect) { … } // This test verifies that if a request is made for a resource of which a // partial prefix range of bytes was cached, a preflight is correctly sent for // the non-cached portion, and the renderer does not crash. // Regression test for https://crbug.com/1279376. IN_PROC_BROWSER_TEST_F(PrivateNetworkAccessBrowserTest, PrefixRangePreflight) { … } // ========================= // WORKER SCRIPT FETCH TESTS // ========================= namespace { // Path to a worker script that posts a message to its creator once loaded. constexpr char kWorkerScriptPath[] = …; // Same as above, but with PNA headers set correctly for preflight requests. constexpr char kWorkerScriptWithPnaHeadersPath[] = …; // Instantiates a dedicated worker script from `path`. // If it loads successfully, the worker should post a message to its creator to // signal success. std::string FetchWorkerScript(std::string_view path) { … } // Path to a worker script that posts a message to each client that connects. constexpr char kSharedWorkerScriptPath[] = …; // Same as above, but with PNA headers set correctly for preflight requests. constexpr char kSharedWorkerScriptWithPnaHeadersPath[] = …; // Instantiates a shared worker script from `path`. // If it loads successfully, the worker should post a message to each client // that connects to it to signal success. std::string FetchSharedWorkerScript(std::string_view path) { … } // TODO(crbug.com/40290702): Remove this and replace calls below with // calls to `EXPECT_EQ` directly once Shared Workers are supported on Android. void ExpectFetchSharedWorkerScriptResult(bool expected, const EvalJsResult& result) { … } } // namespace IN_PROC_BROWSER_TEST_F(PrivateNetworkAccessBrowserTest, FetchWorkerFromInsecureTreatAsPublicToLocal) { … } IN_PROC_BROWSER_TEST_F(PrivateNetworkAccessBrowserTestForWorkers, FetchWorkerFromInsecureTreatAsPublicToLocal) { … } IN_PROC_BROWSER_TEST_F( PrivateNetworkAccessBrowserTestRespectPreflightResultsForWorkers, FetchWorkerFromInsecureTreatAsPublicToLocal) { … } IN_PROC_BROWSER_TEST_F( PrivateNetworkAccessBrowserTestRespectPreflightResultsForWorkersWarningOnly, FetchWorkerFromInsecurePublicToLocal) { … } IN_PROC_BROWSER_TEST_F(PrivateNetworkAccessBrowserTest, FetchWorkerFromSecureTreatAsPublicToLocal) { … } IN_PROC_BROWSER_TEST_F(PrivateNetworkAccessBrowserTestForWorkers, FetchWorkerFromSecureTreatAsPublicToLocal) { … } IN_PROC_BROWSER_TEST_F( PrivateNetworkAccessBrowserTestRespectPreflightResultsForWorkers, FetchWorkerFromSecureTreatAsPublicToLocal) { … } IN_PROC_BROWSER_TEST_F( PrivateNetworkAccessBrowserTestRespectPreflightResultsForWorkersWarningOnly, FetchWorkerFromSecurePublicToLocalFailedPreflight) { … } IN_PROC_BROWSER_TEST_F( PrivateNetworkAccessBrowserTestRespectPreflightResultsForWorkers, FetchWorkerFromSecureTreatAsPublicToLocalSuccess) { … } IN_PROC_BROWSER_TEST_F(PrivateNetworkAccessBrowserTest, FetchSharedWorkerFromInsecureTreatAsPublicToLocal) { … } IN_PROC_BROWSER_TEST_F(PrivateNetworkAccessBrowserTestForWorkers, FetchSharedWorkerFromInsecureTreatAsPublicToLocal) { … } IN_PROC_BROWSER_TEST_F( PrivateNetworkAccessBrowserTestRespectPreflightResultsForWorkers, FetchSharedWorkerFromInsecureTreatAsPublicToLocal) { … } IN_PROC_BROWSER_TEST_F( PrivateNetworkAccessBrowserTestRespectPreflightResultsForWorkersWarningOnly, FetchSharedWorkerFromInsecurePublicToLocal) { … } IN_PROC_BROWSER_TEST_F(PrivateNetworkAccessBrowserTest, FetchSharedWorkerFromSecureTreatAsPublicToLocal) { … } IN_PROC_BROWSER_TEST_F(PrivateNetworkAccessBrowserTestForWorkers, FetchSharedWorkerFromSecureTreatAsPublicToLocal) { … } IN_PROC_BROWSER_TEST_F( PrivateNetworkAccessBrowserTestRespectPreflightResultsForWorkers, FetchSharedWorkerFromSecureTreatAsPublicToLocal) { … } IN_PROC_BROWSER_TEST_F( PrivateNetworkAccessBrowserTestRespectPreflightResultsForWorkersWarningOnly, FetchSharedWorkerFromSecurePublicToLocalFailedPreflight) { … } IN_PROC_BROWSER_TEST_F( PrivateNetworkAccessBrowserTestRespectPreflightResultsForWorkers, FetchSharedWorkerFromSecureTreatAsPublicToLocalSuccess) { … } // ====================== // NAVIGATION FETCH TESTS // ====================== // // These tests verify the behavior of the browser when navigating across IP // address spaces. // // Iframe navigations are effectively treated as subresource fetches of the // initiator document: they are handled by checking the resource's address space // against the initiator document's address space. // // Top-level navigations are never blocked. // // TODO(crbug.com/40149351): Revisit this when top-level navigations are // subject to Private Network Access checks. // When the `PrivateNetworkAccessForIframes` feature is disabled, iframe fetches // are not subject to PNA checks. IN_PROC_BROWSER_TEST_F(PrivateNetworkAccessBrowserTest, IframeFromInsecurePublicToLocalIsNotBlocked) { … } // When the `PrivateNetworkAccessForIframes` feature is disabled, iframe fetches // are not subject to PNA checks. IN_PROC_BROWSER_TEST_F(PrivateNetworkAccessBrowserTest, IframeFromSecurePublicToLocalIsNotBlocked) { … } // This test verifies that when iframe support is enabled in warning-only mode, // iframe requests: // - from an insecure page served from a public IP address // - to a local IP address // are not blocked. IN_PROC_BROWSER_TEST_F(PrivateNetworkAccessBrowserTestForNavigationsWarningOnly, IframeFromInsecurePublicToLocalIsNotBlocked) { … } // This test verifies that when the right feature is enabled, iframe requests: // - from an insecure page served from a public IP address // - to a local IP address // are blocked. IN_PROC_BROWSER_TEST_F(PrivateNetworkAccessBrowserTestForNavigations, IframeFromInsecurePublicToLocalIsBlocked) { … } // Same as above, testing the "treat-as-public-address" CSP directive. IN_PROC_BROWSER_TEST_F(PrivateNetworkAccessBrowserTestForNavigations, IframeFromInsecureTreatAsPublicToLocalIsBlocked) { … } // This test verifies that when an iframe navigation fails due to PNA, the // iframe navigates to an error page, even if it had previously committed a // document. IN_PROC_BROWSER_TEST_F(PrivateNetworkAccessBrowserTestForNavigations, FailedNavigationCommitsErrorPage) { … } // This test verifies that when iframe support is enabled in warning-only mode, // iframe requests: // - from a secure page served from a public IP address // - to a local IP address // are preceded by a preflight request which is allowed to fail. IN_PROC_BROWSER_TEST_F(PrivateNetworkAccessBrowserTestForNavigationsWarningOnly, IframeFromSecurePublicToLocalIsNotBlocked) { … } // This test verifies that when the right feature is enabled, iframe requests: // - from a secure page served from a public IP address // - to a local IP address // are preceded by a preflight request which must succeed. IN_PROC_BROWSER_TEST_F(PrivateNetworkAccessBrowserTestForNavigations, IframeFromSecurePublicToLocalIsBlocked) { … } // This test verifies that when the right feature is enabled, iframe requests: // - from a secure page served from a public IP address // - to a local IP address // are preceded by a preflight request, to which the server must respond // correctly. IN_PROC_BROWSER_TEST_F(PrivateNetworkAccessBrowserTestForNavigations, IframeFromSecurePublicToLocalIsNotBlocked) { … } // Same as above, testing the "treat-as-public-address" CSP directive. IN_PROC_BROWSER_TEST_F(PrivateNetworkAccessBrowserTestForNavigations, IframeFromSecureTreatAsPublicToLocalIsNotBlocked) { … } IN_PROC_BROWSER_TEST_F( PrivateNetworkAccessBrowserTestForNavigations, FormSubmissionFromInsecurePublicToLocalIsBlockedInMainFrame) { … } IN_PROC_BROWSER_TEST_F( PrivateNetworkAccessBrowserTestForNavigations, FormSubmissionFromInsecurePublicToLocalIsBlockedInChildFrame) { … } IN_PROC_BROWSER_TEST_F( PrivateNetworkAccessBrowserTestForNavigations, FormSubmissionGetFromInsecurePublicToLocalIsBlockedInChildFrame) { … } IN_PROC_BROWSER_TEST_F(PrivateNetworkAccessBrowserTestForNavigations, SiblingNavigationFromInsecurePublicToLocalIsBlocked) { … } } // namespace content
Codebase Browser
chromium