// Copyright 2019 The Chromium Authors // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. #include <map> #include <memory> #include <string> #include <vector> #include "base/command_line.h" #include "base/functional/callback_helpers.h" #include "base/json/json_reader.h" #include "base/memory/raw_ptr.h" #include "base/path_service.h" #include "base/strings/strcat.h" #include "base/strings/string_number_conversions.h" #include "base/strings/string_split.h" #include "base/strings/string_util.h" #include "base/test/scoped_feature_list.h" #include "base/values.h" #include "chrome/browser/content_settings/cookie_settings_factory.h" #include "chrome/browser/extensions/chrome_test_extension_loader.h" #include "chrome/browser/extensions/extension_action_runner.h" #include "chrome/browser/extensions/extension_browsertest.h" #include "chrome/browser/profiles/profile.h" #include "chrome/browser/ui/browser.h" #include "chrome/common/chrome_paths.h" #include "chrome/common/extensions/extension_test_util.h" #include "chrome/test/base/in_process_browser_test.h" #include "chrome/test/base/ui_test_utils.h" #include "components/content_settings/core/browser/cookie_settings.h" #include "components/content_settings/core/common/content_settings.h" #include "components/content_settings/core/common/content_settings_types.h" #include "components/network_session_configurator/common/network_switches.h" #include "content/public/browser/storage_partition.h" #include "content/public/common/content_features.h" #include "content/public/test/browser_test.h" #include "content/public/test/browser_test_utils.h" #include "content/public/test/test_navigation_observer.h" #include "content/public/test/test_utils.h" #include "extensions/browser/browsertest_util.h" #include "extensions/browser/process_manager.h" #include "extensions/common/permissions/permissions_data.h" #include "extensions/test/extension_test_message_listener.h" #include "extensions/test/test_extension_dir.h" #include "mojo/public/cpp/bindings/remote.h" #include "net/base/features.h" #include "net/dns/mock_host_resolver.h" #include "net/http/http_request_headers.h" #include "net/test/embedded_test_server/controllable_http_response.h" #include "net/test/embedded_test_server/default_handlers.h" #include "net/test/embedded_test_server/embedded_test_server.h" #include "services/network/public/cpp/network_switches.h" #include "services/network/public/mojom/cookie_manager.mojom.h" #include "services/network/public/mojom/network_context.mojom.h" #include "testing/gmock/include/gmock/gmock-matchers.h" #include "testing/gmock/include/gmock/gmock.h" #include "testing/gtest/include/gtest/gtest-param-test.h" #include "testing/gtest/include/gtest/gtest.h" #include "url/gurl.h" #include "url/origin.h" namespace extensions { namespace { const char* kPermittedHost = …; const char* kOtherPermittedHost = …; const char* kNotPermittedHost = …; const char* kPermittedSubdomain = …; const char* kNotPermittedSubdomain = …; const char* kPermissionPattern1 = …; const char* kPermissionPattern1Sub = …; const char* kPermissionPattern2 = …; // Path for URL of custom ControllableHttpResponse const char* kFetchCookiesPath = …; // CSP header to be applied to the extension and the child frames const char* kCspHeader = …; const char* kNoneCookie = …; const char* kLaxCookie = …; const char* kStrictCookie = …; const char* kUnspecifiedCookie = …; const char* kSameSiteNoneAttribute = …; const char* kSameSiteLaxAttribute = …; const char* kSameSiteStrictAttribute = …; UnorderedElementsAreArray; std::vector<std::string> AsCookies(const std::string& cookie_line) { … } // Base class for special handling of cookies for extensions. class ExtensionCookiesTest : public ExtensionBrowserTest { … }; // Tests for special handling of SameSite cookies for extensions: // A request should be treated as same-site for the purposes of SameSite // cookies if either // 1) the request initiator is an extension with access to the requested URL, // 2) the site_for_cookies is an extension with access to the requested URL, // and the request initiator (if it exists) is same-site to the requested // URL and also the extension has access to it. // See URLLoader::ShouldForceIgnoreSiteForCookies(). // // The test fixture param is whether or not legacy SameSite semantics are // enabled (i.e, whether SameSite-by-default cookies and SameSite=None // requires Secure are disabled). class ExtensionSameSiteCookiesTest : public ExtensionCookiesTest, public ::testing::WithParamInterface<bool> { … }; // Tests where the extension page initiates the request. // Extension initiates request to permitted host => SameSite cookies are sent. IN_PROC_BROWSER_TEST_P(ExtensionSameSiteCookiesTest, ExtensionInitiatedPermitted) { … } // Extension initiates request to disallowed host => SameSite cookies are not // sent. IN_PROC_BROWSER_TEST_P(ExtensionSameSiteCookiesTest, ExtensionInitiatedNotPermitted) { … } // Tests with one frame on an extension page which makes the request. // Extension is site_for_cookies, initiator and requested URL are permitted, // initiator and requested URL are same-site => SameSite cookies are sent. IN_PROC_BROWSER_TEST_P(ExtensionSameSiteCookiesTest, OnePermittedSameSiteFrame) { … } // Extension is site_for_cookies, initiator and requested URL are permitted, // initiator and requested URL are same-site => SameSite cookies are sent. // crbug.com/1153083: flaky on linux, win, and mac IN_PROC_BROWSER_TEST_P(ExtensionSameSiteCookiesTest, OnePermittedSameSiteFrame_Navigation) { … } // Extension is site_for_cookies, initiator and requested URL are permitted, // initiator and requested URL are same-site (initiator is a subdomain of the // requested domain) => SameSite cookies are sent. IN_PROC_BROWSER_TEST_P(ExtensionSameSiteCookiesTest, OnePermittedSubdomainFrame) { … } // Extension is site_for_cookies, initiator and requested URL are permitted, // initiator and requested URL are same-site (initiator is a superdomain of the // requested domain) => SameSite cookies are sent. IN_PROC_BROWSER_TEST_P(ExtensionSameSiteCookiesTest, OnePermittedSuperdomainFrame) { … } // Extension is site_for_cookies, initiator and requested URL are permitted, // initiator and requested URL are cross-site => SameSite cookies are not sent. IN_PROC_BROWSER_TEST_P(ExtensionSameSiteCookiesTest, OnePermittedCrossSiteFrame) { … } // Extension is site_for_cookies, initiator is permitted but requested URL is // not => SameSite cookies are not sent. IN_PROC_BROWSER_TEST_P(ExtensionSameSiteCookiesTest, CrossSiteInitiatorPermittedRequestNotPermitted) { … } // Extension is site_for_cookies, initiator is permitted but requested URL is // not, even though they are same-site => SameSite cookies are not sent. IN_PROC_BROWSER_TEST_P(ExtensionSameSiteCookiesTest, SameSiteInitiatorPermittedRequestNotPermitted) { … } // Extension is site_for_cookies, initiator is not permitted but requested URL // is permitted, even though they are same-site => SameSite cookies are not // sent. IN_PROC_BROWSER_TEST_P(ExtensionSameSiteCookiesTest, SameSiteInitiatorNotPermittedRequestPermitted) { … } // Extension is site_for_cookies, initiator and requested URL are same-site but // not permitted => SameSite cookies are not sent. IN_PROC_BROWSER_TEST_P(ExtensionSameSiteCookiesTest, SameSiteInitiatorAndRequestNotPermitted) { … } // Tests where the initiator is a nested frame. Here it doesn't actually matter // what the initiator is nested in, because we don't check. // Extension is site_for_cookies, initiator is allowed frame nested inside a // same-site allowed frame, request is to the same site => SameSite cookies are // attached. IN_PROC_BROWSER_TEST_P(ExtensionSameSiteCookiesTest, NestedSameSitePermitted) { … } // Extension is site_for_cookies, initiator is allowed frame nested inside a // cross-site allowed frame, request is to the same site => SameSite cookies are // attached. // This is kind of an interesting case. Should we attach SameSite cookies here? // If we only check first-partyness between each frame ancestor and the main // frame, then we consider all of these frames first-party to the extension, so // we should attach SameSite cookies here. (This is the current algorithm in the // spec, which says to check each ancestor against the top frame: // https://tools.ietf.org/html/draft-ietf-httpbis-rfc6265bis-03#section-5.2.1) // If we also want to ensure first-partyness between each frame and its // immediate parent, then we should not send SameSite cookies here. See // crbug.com/1027258. IN_PROC_BROWSER_TEST_P(ExtensionSameSiteCookiesTest, NestedCrossSitePermitted) { … } // The following tests are correct for current behavior, but should probably // change in the future. We should be walking up the whole frame tree instead of // only checking permissions and same-siteness for the initiator and request. // Extension is site_for_cookies, initiator is allowed frame nested inside a // cross-site disallowed frame, request is to the same site => SameSite cookies // are attached (but ideally shouldn't be). IN_PROC_BROWSER_TEST_P(ExtensionSameSiteCookiesTest, NestedCrossSiteNotPermitted) { … } // Extension is site_for_cookies, initiator is allowed frame nested inside a // same-site disallowed frame, request is to the same site => SameSite cookies // are attached (but ideally shouldn't be). IN_PROC_BROWSER_TEST_P(ExtensionSameSiteCookiesTest, NestedSameSiteNotPermitted) { … } // SameSite-cookies-flavoured copy of the ExtensionActiveTabTest.ActiveTab test. // In this test, the effective extension permissions are changing at runtime // - the test verifies that the changing permissions are correctly propagated // into the SameSite cookie decisions (e.g. in // network::URLLoader::ShouldForceIgnoreSiteForCookies). IN_PROC_BROWSER_TEST_P(ExtensionSameSiteCookiesTest, ActiveTabPermissions_BackgroundPage) { … } IN_PROC_BROWSER_TEST_P(ExtensionSameSiteCookiesTest, ActiveTabPermissions_ExtensionSubframeInTab) { … } IN_PROC_BROWSER_TEST_P(ExtensionSameSiteCookiesTest, ActiveTabPermissions_ExtensionServiceWorker) { … } INSTANTIATE_TEST_SUITE_P(…); } // namespace } // namespace extensions
Codebase Browser
chromium