// Test an unsuccessful cross-origin load using CORS.
TEST_F(AssociatedURLLoaderTest, CrossOriginWithAccessControlFailureBadStatusCode)
{
// This is cross-origin since the frame was loaded from www.test.com.
KURL url = toKURL("http://www.other.com/CrossOriginWithAccessControlFailure.html");
WebURLRequest request;
request.initialize();
request.setURL(url);
m_expectedResponse = WebURLResponse();
m_expectedResponse.initialize();
m_expectedResponse.setMIMEType("text/html");
m_expectedResponse.setHTTPStatusCode(0);
m_expectedResponse.addHTTPHeaderField("access-control-allow-origin", "*");
Platform::current()->unitTestSupport()->registerMockedURL(url, m_expectedResponse, m_frameFilePath);
WebURLLoaderOptions options;
options.crossOriginRequestPolicy = WebURLLoaderOptions::CrossOriginRequestPolicyUseAccessControl;
m_expectedLoader = createAssociatedURLLoader(options);
EXPECT_TRUE(m_expectedLoader);
m_expectedLoader->loadAsynchronously(request, this);
// Failure should not be reported synchronously.
EXPECT_FALSE(m_didFail);
// The loader needs to receive the response, before doing the CORS check.
serveRequests();
EXPECT_TRUE(m_didFail);
EXPECT_FALSE(m_didReceiveResponse);
}
// Test that the loader can allow non-whitelisted response headers for trusted CORS loads.
TEST_F(AssociatedURLLoaderTest, CrossOriginHeaderAllowResponseHeaders)
{
WebURLRequest request;
request.initialize();
KURL url = toKURL("http://www.other.com/CrossOriginHeaderAllowResponseHeaders.html");
request.setURL(url);
WebString headerNameString(WebString::fromUTF8("non-whitelisted"));
m_expectedResponse = WebURLResponse();
m_expectedResponse.initialize();
m_expectedResponse.setMIMEType("text/html");
m_expectedResponse.setHTTPStatusCode(200);
m_expectedResponse.addHTTPHeaderField("Access-Control-Allow-Origin", "*");
m_expectedResponse.addHTTPHeaderField(headerNameString, "foo");
Platform::current()->unitTestSupport()->registerMockedURL(url, m_expectedResponse, m_frameFilePath);
WebURLLoaderOptions options;
options.exposeAllResponseHeaders = true; // This turns off response whitelisting.
options.crossOriginRequestPolicy = WebURLLoaderOptions::CrossOriginRequestPolicyUseAccessControl;
m_expectedLoader = createAssociatedURLLoader(options);
EXPECT_TRUE(m_expectedLoader);
m_expectedLoader->loadAsynchronously(request, this);
serveRequests();
EXPECT_TRUE(m_didReceiveResponse);
EXPECT_TRUE(m_didReceiveData);
EXPECT_TRUE(m_didFinishLoading);
EXPECT_FALSE(m_actualResponse.httpHeaderField(headerNameString).isEmpty());
}
// Test that a cross origin redirect response with CORS headers that allow the requesting origin succeeds.
TEST_F(AssociatedURLLoaderTest, RedirectCrossOriginWithAccessControlSuccess)
{
KURL url = toKURL("http://www.test.com/RedirectCrossOriginWithAccessControlSuccess.html");
char redirect[] = "http://www.other.com/RedirectCrossOriginWithAccessControlSuccess.html"; // Cross-origin
KURL redirectURL = toKURL(redirect);
WebURLRequest request;
request.initialize();
request.setURL(url);
// Add a CORS simple header.
request.setHTTPHeaderField("accept", "application/json");
// Create a redirect response that allows the redirect to pass the access control checks.
m_expectedRedirectResponse = WebURLResponse();
m_expectedRedirectResponse.initialize();
m_expectedRedirectResponse.setMIMEType("text/html");
m_expectedRedirectResponse.setHTTPStatusCode(301);
m_expectedRedirectResponse.setHTTPHeaderField("Location", redirect);
m_expectedRedirectResponse.addHTTPHeaderField("access-control-allow-origin", "*");
Platform::current()->unitTestSupport()->registerMockedURL(url, m_expectedRedirectResponse, m_frameFilePath);
m_expectedNewRequest = WebURLRequest();
m_expectedNewRequest.initialize();
m_expectedNewRequest.setURL(redirectURL);
m_expectedNewRequest.setHTTPHeaderField("accept", "application/json");
m_expectedResponse = WebURLResponse();
m_expectedResponse.initialize();
m_expectedResponse.setMIMEType("text/html");
m_expectedResponse.setHTTPStatusCode(200);
m_expectedResponse.addHTTPHeaderField("access-control-allow-origin", "*");
Platform::current()->unitTestSupport()->registerMockedURL(redirectURL, m_expectedResponse, m_frameFilePath);
WebURLLoaderOptions options;
options.crossOriginRequestPolicy = WebURLLoaderOptions::CrossOriginRequestPolicyUseAccessControl;
m_expectedLoader = createAssociatedURLLoader(options);
EXPECT_TRUE(m_expectedLoader);
m_expectedLoader->loadAsynchronously(request, this);
serveRequests();
// We should not receive a notification for the redirect.
EXPECT_FALSE(m_willSendRequest);
EXPECT_TRUE(m_didReceiveResponse);
EXPECT_TRUE(m_didReceiveData);
EXPECT_TRUE(m_didFinishLoading);
}
// Test that the same-origin restriction is the default.
TEST_F(AssociatedURLLoaderTest, SameOriginRestriction)
{
// This is cross-origin since the frame was loaded from www.test.com.
KURL url = toKURL("http://www.other.com/SameOriginRestriction.html");
WebURLRequest request;
request.initialize();
request.setURL(url);
CheckFails(request);
}
void CheckMethodFails(const char* unsafeMethod)
{
WebURLRequest request;
request.initialize();
request.setURL(toKURL("http://www.test.com/success.html"));
request.setHTTPMethod(WebString::fromUTF8(unsafeMethod));
WebURLLoaderOptions options;
options.untrustedHTTP = true;
CheckFails(request, options);
}
KURL RegisterMockedUrl(const std::string& urlRoot, const WTF::String& filename)
{
WebURLResponse response;
response.initialize();
response.setMIMEType("text/html");
WTF::String localPath = m_baseFilePath;
localPath.append(filename);
KURL url = toKURL(urlRoot + filename.utf8().data());
Platform::current()->unitTestSupport()->registerMockedURL(url, response, localPath);
return url;
}
// Test that a cross origin redirect response without CORS headers fails.
TEST_F(AssociatedURLLoaderTest, RedirectCrossOriginWithAccessControlFailure)
{
KURL url = toKURL("http://www.test.com/RedirectCrossOriginWithAccessControlFailure.html");
char redirect[] = "http://www.other.com/RedirectCrossOriginWithAccessControlFailure.html"; // Cross-origin
KURL redirectURL = toKURL(redirect);
WebURLRequest request;
request.initialize();
request.setURL(url);
m_expectedRedirectResponse = WebURLResponse();
m_expectedRedirectResponse.initialize();
m_expectedRedirectResponse.setMIMEType("text/html");
m_expectedRedirectResponse.setHTTPStatusCode(301);
m_expectedRedirectResponse.setHTTPHeaderField("Location", redirect);
Platform::current()->unitTestSupport()->registerMockedURL(url, m_expectedRedirectResponse, m_frameFilePath);
m_expectedNewRequest = WebURLRequest();
m_expectedNewRequest.initialize();
m_expectedNewRequest.setURL(redirectURL);
m_expectedResponse = WebURLResponse();
m_expectedResponse.initialize();
m_expectedResponse.setMIMEType("text/html");
m_expectedResponse.setHTTPStatusCode(200);
Platform::current()->unitTestSupport()->registerMockedURL(redirectURL, m_expectedResponse, m_frameFilePath);
WebURLLoaderOptions options;
options.crossOriginRequestPolicy = WebURLLoaderOptions::CrossOriginRequestPolicyUseAccessControl;
m_expectedLoader = createAssociatedURLLoader(options);
EXPECT_TRUE(m_expectedLoader);
m_expectedLoader->loadAsynchronously(request, this);
serveRequests();
// We should get a notification about access control check failure.
EXPECT_FALSE(m_willSendRequest);
EXPECT_FALSE(m_didReceiveResponse);
EXPECT_TRUE(m_didReceiveData);
EXPECT_TRUE(m_didFail);
}
TEST_F(WebPageSerializerTest, fromUrlWithMinusMinus)
{
WebURL topFrameURL = toKURL("http://www.test.com?--x--");
registerMockedURLLoad(topFrameURL.spec(), WebString::fromUTF8("text_only_page.html"));
loadURLInTopFrame(topFrameURL);
SimpleWebPageSerializerClient serializerClient;
WebVector<WebURL> links(&topFrameURL, 1);
WebVector<WebString> localPaths(&"local", 1);
WebPageSerializer::serialize(webView()->mainFrame()->toWebLocalFrame(), &serializerClient, links, localPaths, "");
EXPECT_EQ("<!-- saved from url=(0030)http://www.test.com/?-%2Dx-%2D -->", serializerClient.toString().substr(1, 60));
}
void CheckHeaderFails(const char* headerField, const char* headerValue)
{
WebURLRequest request;
request.initialize();
request.setURL(toKURL("http://www.test.com/success.html"));
if (equalIgnoringCase(WebString::fromUTF8(headerField), "referer"))
request.setHTTPReferrer(WebString::fromUTF8(headerValue), WebReferrerPolicyDefault);
else
request.setHTTPHeaderField(WebString::fromUTF8(headerField), WebString::fromUTF8(headerValue));
WebURLLoaderOptions options;
options.untrustedHTTP = true;
CheckFails(request, options);
}
// Test a same-origin URL redirect and load.
TEST_F(AssociatedURLLoaderTest, RedirectSuccess)
{
KURL url = toKURL("http://www.test.com/RedirectSuccess.html");
char redirect[] = "http://www.test.com/RedirectSuccess2.html"; // Same-origin
KURL redirectURL = toKURL(redirect);
WebURLRequest request;
request.initialize();
request.setURL(url);
m_expectedRedirectResponse = WebURLResponse();
m_expectedRedirectResponse.initialize();
m_expectedRedirectResponse.setMIMEType("text/html");
m_expectedRedirectResponse.setHTTPStatusCode(301);
m_expectedRedirectResponse.setHTTPHeaderField("Location", redirect);
Platform::current()->unitTestSupport()->registerMockedURL(url, m_expectedRedirectResponse, m_frameFilePath);
m_expectedNewRequest = WebURLRequest();
m_expectedNewRequest.initialize();
m_expectedNewRequest.setURL(redirectURL);
m_expectedResponse = WebURLResponse();
m_expectedResponse.initialize();
m_expectedResponse.setMIMEType("text/html");
m_expectedResponse.setHTTPStatusCode(200);
Platform::current()->unitTestSupport()->registerMockedURL(redirectURL, m_expectedResponse, m_frameFilePath);
m_expectedLoader = createAssociatedURLLoader();
EXPECT_TRUE(m_expectedLoader);
m_expectedLoader->loadAsynchronously(request, this);
serveRequests();
EXPECT_TRUE(m_willSendRequest);
EXPECT_TRUE(m_didReceiveResponse);
EXPECT_TRUE(m_didReceiveData);
EXPECT_TRUE(m_didFinishLoading);
}
// Checks that the domain is set to the actual MHTML file, not the URL it was
// generated from.
TEST_F(MHTMLTest, CheckDomain)
{
const char kFileURL[] = "file:///simple_test.mht";
// Register the mocked frame and load it.
WebURL url = toKURL(kFileURL);
registerMockedURLLoad(kFileURL, WebString::fromUTF8("simple_test.mht"));
loadURLInTopFrame(url);
ASSERT_TRUE(page());
LocalFrame* frame = toLocalFrame(page()->mainFrame());
ASSERT_TRUE(frame);
Document* document = frame->document();
ASSERT_TRUE(document);
EXPECT_STREQ(kFileURL, frame->domWindow()->location()->href().ascii().data());
SecurityOrigin* origin = document->securityOrigin();
EXPECT_STRNE("localhost", origin->domain().ascii().data());
}
// Test a successful same-origin URL load.
TEST_F(AssociatedURLLoaderTest, SameOriginSuccess)
{
KURL url = toKURL("http://www.test.com/SameOriginSuccess.html");
WebURLRequest request;
request.initialize();
request.setURL(url);
m_expectedResponse = WebURLResponse();
m_expectedResponse.initialize();
m_expectedResponse.setMIMEType("text/html");
m_expectedResponse.setHTTPStatusCode(200);
Platform::current()->unitTestSupport()->registerMockedURL(url, m_expectedResponse, m_frameFilePath);
m_expectedLoader = createAssociatedURLLoader();
EXPECT_TRUE(m_expectedLoader);
m_expectedLoader->loadAsynchronously(request, this);
serveRequests();
EXPECT_TRUE(m_didReceiveResponse);
EXPECT_TRUE(m_didReceiveData);
EXPECT_TRUE(m_didFinishLoading);
}
TEST_F(WebPageNewSerializeTest, TestMHTMLEncodingWithMorphingDataURL)
{
// Load a page with some data urls.
WebURL topFrameURL = toKURL(m_baseURL);
registerMockedURLLoad(topFrameURL, WebString::fromUTF8("page_with_morphing_data.html"), WebString::fromUTF8("pageserializer/"), htmlMimeType());
loadURLInTopFrame(topFrameURL);
WebCString mhtmlData = WebPageSerializer::serializeToMHTML(webView());
ASSERT_FALSE(mhtmlData.isEmpty());
// Read the MHTML data line and check that the string data:image is found
// exactly two times.
size_t nbDataURLs = 0;
LineReader lineReader(std::string(mhtmlData.data()));
std::string line;
while (lineReader.getNextLine(&line)) {
if (line.find("data:text") != std::string::npos)
nbDataURLs++;
}
EXPECT_EQ(2u, nbDataURLs);
}
TEST_F(WebPageSerializerTest, EncodingAndNormalization)
{
WebURL topFrameURL = toKURL("http://www.test.com");
registerMockedURLLoad(topFrameURL.spec(), WebString::fromUTF8("encoding_normalization.html"));
loadURLInTopFrame(topFrameURL);
SimpleWebPageSerializerClient serializerClient;
WebVector<WebURL> links(&topFrameURL, 1);
WebVector<WebString> localPaths(&"local", 1);
WebPageSerializer::serialize(webView()->mainFrame()->toWebLocalFrame(), &serializerClient, links, localPaths, "");
const char* expectedHTML =
"<!DOCTYPE html>\n"
"<!-- saved from url=(0020)http://www.test.com/ -->\n"
"<html><head><meta http-equiv=\"Content-Type\" content=\"text/html; charset=EUC-KR\"><meta charset=\"euc-kr\">\n"
"<title>Ensure NFC normalization is not performed by page serializer</title>\n"
"</head><body>\n"
"\xe4\xc5\xd1\xe2\n"
"\n</body></html>";
EXPECT_EQ(expectedHTML, serializerClient.toString());
}
TEST_F(WebPageSerializerTest, URLAttributeValues)
{
WebURL topFrameURL = toKURL("http://www.test.com");
registerMockedURLLoad(topFrameURL.spec(), WebString::fromUTF8("url_attribute_values.html"));
registerMockedImageURL("javascript:\"");
loadURLInTopFrame(topFrameURL);
SimpleWebPageSerializerClient serializerClient;
WebVector<WebURL> links(&topFrameURL, 1);
WebVector<WebString> localPaths(&"local", 1);
WebPageSerializer::serialize(webView()->mainFrame()->toWebLocalFrame(), &serializerClient, links, localPaths, "");
const char* expectedHTML =
"\n<!-- saved from url=(0020)http://www.test.com/ -->\n"
"<html><head><meta http-equiv=\"Content-Type\" content=\"text/html; charset=UTF-8\"><meta charset=\"utf8\">\n"
"</head><body><img src=\"javascript:"\">\n"
"<a href=\"http://www.test.com/local#"\">local</a>\n"
"<a href=\"http://www.example.com/#"><script>alert(0)</script>\">external</a>\n"
"</body></html>";
EXPECT_EQ(expectedHTML, serializerClient.toString());
}
bool CheckAccessControlHeaders(const char* headerName, bool exposed)
{
std::string id("http://www.other.com/CheckAccessControlExposeHeaders_");
id.append(headerName);
if (exposed)
id.append("-Exposed");
id.append(".html");
KURL url = toKURL(id);
WebURLRequest request;
request.initialize();
request.setURL(url);
WebString headerNameString(WebString::fromUTF8(headerName));
m_expectedResponse = WebURLResponse();
m_expectedResponse.initialize();
m_expectedResponse.setMIMEType("text/html");
m_expectedResponse.setHTTPStatusCode(200);
m_expectedResponse.addHTTPHeaderField("Access-Control-Allow-Origin", "*");
if (exposed)
m_expectedResponse.addHTTPHeaderField("access-control-expose-headers", headerNameString);
m_expectedResponse.addHTTPHeaderField(headerNameString, "foo");
Platform::current()->unitTestSupport()->registerMockedURL(url, m_expectedResponse, m_frameFilePath);
WebURLLoaderOptions options;
options.crossOriginRequestPolicy = WebURLLoaderOptions::CrossOriginRequestPolicyUseAccessControl;
m_expectedLoader = createAssociatedURLLoader(options);
EXPECT_TRUE(m_expectedLoader);
m_expectedLoader->loadAsynchronously(request, this);
serveRequests();
EXPECT_TRUE(m_didReceiveResponse);
EXPECT_TRUE(m_didReceiveData);
EXPECT_TRUE(m_didFinishLoading);
return !m_actualResponse.httpHeaderField(headerNameString).isEmpty();
}
// Test a successful cross-origin load.
TEST_F(AssociatedURLLoaderTest, CrossOriginSuccess)
{
// This is cross-origin since the frame was loaded from www.test.com.
KURL url = toKURL("http://www.other.com/CrossOriginSuccess.html");
WebURLRequest request;
request.initialize();
request.setURL(url);
m_expectedResponse = WebURLResponse();
m_expectedResponse.initialize();
m_expectedResponse.setMIMEType("text/html");
m_expectedResponse.setHTTPStatusCode(200);
Platform::current()->unitTestSupport()->registerMockedURL(url, m_expectedResponse, m_frameFilePath);
WebURLLoaderOptions options;
options.crossOriginRequestPolicy = WebURLLoaderOptions::CrossOriginRequestPolicyAllow;
m_expectedLoader = createAssociatedURLLoader(options);
EXPECT_TRUE(m_expectedLoader);
m_expectedLoader->loadAsynchronously(request, this);
serveRequests();
EXPECT_TRUE(m_didReceiveResponse);
EXPECT_TRUE(m_didReceiveData);
EXPECT_TRUE(m_didFinishLoading);
}
void registerMockedURLFromBaseURL(const WebString& baseURL, const WebString& fileName, const WebString& mimeType)
{
// fullURL = baseURL + fileName.
std::string fullString = std::string(baseURL.utf8().data()) + std::string(fileName.utf8().data());
registerMockedURLLoad(toKURL(fullString.c_str()), fileName, WebString::fromUTF8(""), mimeType);
}
void addResource(const char* url, const char* mime, PassRefPtr<SharedBuffer> data)
{
SerializedResource resource(toKURL(url), mime, data);
m_resources.append(resource);
}
void registerMockedURLLoad(const std::string& url, const WebString& fileName)
{
URLTestHelpers::registerMockedURLLoad(toKURL(url), fileName, WebString::fromUTF8("mhtml/"), WebString::fromUTF8("text/html"));
}
void registerMockedImageURL(const std::string& url)
{
// Image resources need to be mocked, but irrelevant here what image they map to.
URLTestHelpers::registerMockedURLLoad(toKURL(url), "pageserialization/awesome.png");
}
static bool webVectorContains(const WebVector<WebURL>& vector, const char* url)
{
return vector.contains(WebURL(toKURL(std::string(url))));
}
PageSerializerTest()
: m_folder(WebString::fromUTF8("pageserializer/"))
, m_baseUrl(toKURL("http://www.test.com"))
{
}
