// Copyright 2017 The Chromium Authors // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. #include "services/network/cors/cors_url_loader.h" #include <optional> #include <string> #include <vector> #include "base/functional/callback_helpers.h" #include "base/strings/stringprintf.h" #include "base/test/scoped_feature_list.h" #include "mojo/public/cpp/bindings/message.h" #include "mojo/public/cpp/system/functions.h" #include "net/base/features.h" #include "net/base/load_flags.h" #include "net/http/http_request_headers.h" #include "net/log/test_net_log_util.h" #include "net/test/gtest_util.h" #include "net/url_request/referrer_policy.h" #include "services/network/cors/cors_url_loader_test_util.h" #include "services/network/public/mojom/cors.mojom.h" #include "services/network/public/mojom/network_context.mojom.h" #include "services/network/public/mojom/url_request.mojom-forward.h" #include "services/network/test/mock_devtools_observer.h" #include "services/network/test/test_url_loader_client.h" #include "services/network/url_loader.h" #include "testing/gmock/include/gmock/gmock.h" #include "testing/gtest/include/gtest/gtest.h" namespace network::cors { namespace { Contains; ElementsAre; Eq; IsEmpty; IsNull; Optional; Pointee; class CorsURLLoaderTest : public CorsURLLoaderTestBase { … }; class BadMessageTestHelper { … }; TEST_F(CorsURLLoaderTest, NoCorsWithInvalidMethod) { … } TEST_F(CorsURLLoaderTest, ForbiddenMethods) { … } TEST_F(CorsURLLoaderTest, SameOriginWithoutInitiator) { … } TEST_F(CorsURLLoaderTest, NoCorsWithoutInitiator) { … } TEST_F(CorsURLLoaderTest, CorsWithoutInitiator) { … } TEST_F(CorsURLLoaderTest, NavigateWithoutInitiator) { … } TEST_F(CorsURLLoaderTest, NavigateWithEarlyHints) { … } TEST_F(CorsURLLoaderTest, NavigationFromRenderer) { … } TEST_F(CorsURLLoaderTest, SameOriginRequest) { … } TEST_F(CorsURLLoaderTest, SameOriginRequestWithEarlyHints) { … } TEST_F(CorsURLLoaderTest, CrossOriginRequestWithNoCorsMode) { … } TEST_F(CorsURLLoaderTest, CrossOriginRequestWithNoCorsModeAndPatchMethod) { … } TEST_F(CorsURLLoaderTest, CrossOriginRequestFetchRequestModeSameOrigin) { … } TEST_F(CorsURLLoaderTest, CrossOriginRequestWithCorsModeButMissingCorsHeader) { … } TEST_F(CorsURLLoaderTest, CrossOriginRequestWithCorsMode) { … } TEST_F(CorsURLLoaderTest, CrossOriginRequestFetchRequestWithCorsModeButMismatchedCorsHeader) { … } TEST_F(CorsURLLoaderTest, CorsEnabledSameCustomSchemeRequest) { … } TEST_F(CorsURLLoaderTest, StripUsernameAndPassword) { … } TEST_F(CorsURLLoaderTest, CorsCheckPassOnRedirect) { … } TEST_F(CorsURLLoaderTest, CorsCheckFailOnRedirect) { … } TEST_F(CorsURLLoaderTest, NetworkLoaderErrorDuringRedirect) { … } TEST_F(CorsURLLoaderTest, SameOriginToSameOriginRedirect) { … } TEST_F(CorsURLLoaderTest, SameOriginToCrossOriginRedirect) { … } TEST_F(CorsURLLoaderTest, CrossOriginToCrossOriginRedirect) { … } TEST_F(CorsURLLoaderTest, CrossOriginToOriginalOriginRedirect) { … } TEST_F(CorsURLLoaderTest, CrossOriginToAnotherCrossOriginRedirect) { … } TEST_F(CorsURLLoaderTest, CrossOriginToAnotherCrossOriginRedirectWithPreflight) { … } TEST_F(CorsURLLoaderTest, CrossOriginPreflightReceiveRedirect) { … } TEST_F(CorsURLLoaderTest, RedirectInfoShouldBeUsed) { … } // Makes sure that if an intercepted redirect updates the IsolationInfo and the // SiteForCookies values, the CorsURLLoader respects those changes. The former // only happens for frames, and the latter for subframes, but should make // assumptions about whether these need to be updated in CorsURLLoader. TEST_F(CorsURLLoaderTest, InterceptedRedirectChangesIsolationInfoAndSiteForCookies) { … } TEST_F(CorsURLLoaderTest, TooManyRedirects) { … } TEST_F(CorsURLLoaderTest, FollowErrorRedirect) { … } TEST_F(CorsURLLoaderTest, CorsExemptHeaderRemovalOnCrossOriginRedirects) { … } TEST_F(CorsURLLoaderTest, CorsExemptHeaderModificationOnRedirects) { … } // Tests if OriginAccessList is actually used to decide the cors flag. // Details for the OriginAccessList behaviors are verified in // OriginAccessListTest, but this test intends to verify if CorsURlLoader calls // the list properly. TEST_F(CorsURLLoaderTest, OriginAccessList_Allowed) { … } // Tests if CorsURLLoader takes into account // ResourceRequest::isolated_world_origin when consulting OriginAccessList. TEST_F(CorsURLLoaderTest, OriginAccessList_IsolatedWorldOrigin) { … } // Tests if CorsURLLoader takes into account // ResourceRequest::isolated_world_origin when consulting OriginAccessList // after redirects. TEST_F(CorsURLLoaderTest, OriginAccessList_IsolatedWorldOrigin_Redirect) { … } // Tests if CorsURLLoader takes ignores ResourceRequest::isolated_world_origin // when URLLoaderFactoryParams::ignore_isolated_world_origin is set to true. TEST_F(CorsURLLoaderTest, OriginAccessList_IsolatedWorldOriginIgnored) { … } // Check if higher-priority block list wins. TEST_F(CorsURLLoaderTest, OriginAccessList_Blocked) { … } // Tests if OriginAccessList is actually used to decide response tainting. TEST_F(CorsURLLoaderTest, OriginAccessList_NoCors) { … } TEST_F(CorsURLLoaderTest, OriginAccessList_POST) { … } TEST_F(CorsURLLoaderTest, 304ForSimpleRevalidation) { … } TEST_F(CorsURLLoaderTest, 304ForSimpleGet) { … } TEST_F(CorsURLLoaderTest, 200ForSimpleRevalidation) { … } TEST_F(CorsURLLoaderTest, RevalidationAndPreflight) { … } // Keep this in sync with the CalculateResponseTainting test in // Blink's cors_test.cc. TEST(CorsURLLoaderTaintingTest, CalculateResponseTainting) { … } TEST_F(CorsURLLoaderTest, RequestWithHostHeaderFails) { … } TEST_F(CorsURLLoaderTest, RequestWithProxyAuthorizationHeaderFails) { … } TEST_F(CorsURLLoaderTest, SetHostHeaderOnRedirectFails) { … } TEST_F(CorsURLLoaderTest, SetProxyAuthorizationHeaderOnRedirectFails) { … } TEST_F(CorsURLLoaderTest, SameOriginCredentialsModeWithoutInitiator) { … } TEST_F(CorsURLLoaderTest, SameOriginCredentialsModeOnNavigation) { … } TEST_F(CorsURLLoaderTest, OmitCredentialsModeOnNavigation) { … } // Make sure than when a request is failed due to having `trusted_params` set // and being sent to an untrusted URLLoaderFactory, no CORS request is made. TEST_F(CorsURLLoaderTest, TrustedParamsWithUntrustedFactoryFailsBeforeCORS) { … } // Test that when a request has LOAD_RESTRICTED_PREFETCH_FOR_MAIN_FRAME and a // NetworkAnonymizationKey, CorsURLLoaderFactory does not reject the request. TEST_F(CorsURLLoaderTest, RestrictedPrefetchSucceedsWithNIK) { … } // Test that when a request has LOAD_RESTRICTED_PREFETCH_FOR_MAIN_FRAME but no // NetworkAnonymizationKey, CorsURLLoaderFactory rejects the request. This is // because the LOAD_RESTRICTED_PREFETCH_FOR_MAIN_FRAME flag must only appear on // requests that make use of their TrustedParams' `isolation_info`. TEST_F(CorsURLLoaderTest, RestrictedPrefetchFailsWithoutNIK) { … } TEST_F(CorsURLLoaderTest, DevToolsObserverOnCorsErrorCallback) { … } // Tests if CheckRedirectLocation detects kCorsDisabledScheme and // kRedirectContainsCredentials errors correctly. TEST_F(CorsURLLoaderTest, CheckRedirectLocation) { … } TEST_F(CorsURLLoaderTest, NetLogBasic) { … } TEST_F(CorsURLLoaderTest, NetLogSameOriginRequest) { … } TEST_F(CorsURLLoaderTest, NetLogCrossOriginSimpleRequest) { … } TEST_F(CorsURLLoaderTest, NetLogPreflightMissingAllowOrigin) { … } TEST_F(CorsURLLoaderTest, NetLogPreflightMethodDisallowed) { … } TEST_F(CorsURLLoaderTest, NetLogPreflightNetError) { … } TEST_F(CorsURLLoaderTest, PreflightMissingAllowOrigin) { … } TEST_F(CorsURLLoaderTest, NonBrowserNavigationRedirect) { … } TEST_F(CorsURLLoaderTest, PrivateNetworkAccessTargetAddressSpaceCheck) { … } } // namespace } // namespace network::cors
Codebase Browser
chromium