Google Git
Sign in
chromium / chromium / src / 5b7b98694d9a5bae9b7efeb0a4a34710c83b098b / . / content / browser / browsing_data / clear_site_data_throttle_browsertest.cc
blob: 8fba2e45093b7d6fa116522f86e9e0f6f28579eb [file] [log] [blame]
// Copyright 2016 The Chromium Authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
#include "content/browser/browsing_data/clear_site_data_throttle.h"
#include <memory>
#include "base/bind.h"
#include "base/callback.h"
#include "base/command_line.h"
#include "base/run_loop.h"
#include "base/scoped_observer.h"
#include "base/strings/stringprintf.h"
#include "base/strings/utf_string_conversions.h"
#include "build/build_config.h"
#include "components/network_session_configurator/common/network_switches.h"
#include "content/browser/browsing_data/browsing_data_filter_builder_impl.h"
#include "content/browser/service_worker/service_worker_context_core_observer.h"
#include "content/browser/service_worker/service_worker_context_wrapper.h"
#include "content/public/browser/browser_context.h"
#include "content/public/browser/browser_thread.h"
#include "content/public/browser/browsing_data_remover.h"
#include "content/public/browser/content_browser_client.h"
#include "content/public/browser/storage_partition.h"
#include "content/public/browser/web_contents.h"
#include "content/public/test/browser_test_utils.h"
#include "content/public/test/cache_test_util.h"
#include "content/public/test/content_browser_test.h"
#include "content/public/test/content_browser_test_utils.h"
#include "content/public/test/mock_browsing_data_remover_delegate.h"
#include "content/public/test/test_navigation_observer.h"
#include "content/shell/browser/shell.h"
#include "net/base/escape.h"
#include "net/base/url_util.h"
#include "net/cookies/cookie_store.h"
#include "net/dns/mock_host_resolver.h"
#include "net/test/embedded_test_server/http_request.h"
#include "net/test/embedded_test_server/http_response.h"
#include "net/url_request/url_request_context.h"
#include "net/url_request/url_request_context_getter.h"
#include "storage/browser/quota/quota_settings.h"
#include "testing/gmock/include/gmock/gmock.h"
#include "url/origin.h"
#include "url/url_constants.h"
using testing::_;
namespace content {
namespace {
// Adds a key=value pair to the url's query.
void AddQuery(GURL* url, const std::string& key, const std::string& value) {
*url = GURL(url->spec() + (url->has_query() ? "&" : "?") + key + "=" +
net::EscapeQueryParamValue(value, false));
}
// A helper function to synchronize with JS side of the tests. JS can append
// information to the loaded website's title and C++ will wait until that
// happens.
void WaitForTitle(const Shell* shell, const char* expected_title) {
base::string16 expected_title_16 = base::ASCIIToUTF16(expected_title);
TitleWatcher title_watcher(shell->web_contents(), expected_title_16);
ASSERT_EQ(expected_title_16, title_watcher.WaitAndGetTitle());
}
// A value of the Clear-Site-Data header that requests cookie deletion. Reused
// in tests that need a valid header but do not depend on its value.
static const char* kClearCookiesHeader = "\"cookies\"";
// A helper class to observe BrowsingDataRemover deletion tasks coming from
// ClearSiteData.
class TestBrowsingDataRemoverDelegate : public MockBrowsingDataRemoverDelegate {
public:
// Sets a test expectation that a Clear-Site-Data header call from |origin|,
// instructing to delete |cookies|, |storage|, and |cache|, will schedule
// the corresponding BrowsingDataRemover deletion tasks.
void ExpectClearSiteDataCall(const url::Origin& origin,
bool cookies,
bool storage,
bool cache) {
const int kOriginTypeMask =
BrowsingDataRemover::ORIGIN_TYPE_UNPROTECTED_WEB |
BrowsingDataRemover::ORIGIN_TYPE_PROTECTED_WEB;
if (cookies) {
int data_type_mask =
BrowsingDataRemover::DATA_TYPE_COOKIES |
BrowsingDataRemover::DATA_TYPE_CHANNEL_IDS |
BrowsingDataRemover::DATA_TYPE_AVOID_CLOSING_CONNECTIONS;
BrowsingDataFilterBuilderImpl filter_builder(
BrowsingDataFilterBuilder::WHITELIST);
filter_builder.AddRegisterableDomain(origin.host());
ExpectCall(base::Time(), base::Time::Max(), data_type_mask,
kOriginTypeMask, std::move(filter_builder));
}
if (storage || cache) {
int data_type_mask =
(storage ? BrowsingDataRemover::DATA_TYPE_DOM_STORAGE : 0) |
(cache ? BrowsingDataRemover::DATA_TYPE_CACHE : 0);
BrowsingDataFilterBuilderImpl filter_builder(
BrowsingDataFilterBuilder::WHITELIST);
filter_builder.AddOrigin(origin);
ExpectCall(base::Time(), base::Time::Max(), data_type_mask,
kOriginTypeMask, std::move(filter_builder));
}
}
// A shortcut for the above method, but with only cookies deleted. This is
// useful for most tests that use |kClearCookiesHeader|.
void ExpectClearSiteDataCookiesCall(const url::Origin& origin) {
ExpectClearSiteDataCall(origin, true, false, false);
}
};
// TODO(msramek): A class like this already exists in ServiceWorkerBrowserTest.
// Consider extracting it to a test utils file.
class ServiceWorkerActivationObserver
: public ServiceWorkerContextCoreObserver {
public:
static void SignalActivation(ServiceWorkerContextWrapper* context,
const base::Closure& callback) {
new ServiceWorkerActivationObserver(context, callback);
}
private:
ServiceWorkerActivationObserver(ServiceWorkerContextWrapper* context,
const base::Closure& callback)
: context_(context), scoped_observer_(this), callback_(callback) {
scoped_observer_.Add(context);
}
~ServiceWorkerActivationObserver() override {}
// ServiceWorkerContextCoreObserver overrides.
void OnVersionStateChanged(int64_t version_id,
ServiceWorkerVersion::Status) override {
if (context_->GetLiveVersion(version_id)->status() ==
ServiceWorkerVersion::ACTIVATED) {
callback_.Run();
delete this;
}
}
ServiceWorkerContextWrapper* context_;
ScopedObserver<ServiceWorkerContextWrapper, ServiceWorkerContextCoreObserver>
scoped_observer_;
base::Closure callback_;
};
} // namespace
class ClearSiteDataThrottleBrowserTest : public ContentBrowserTest {
public:
void SetUpCommandLine(base::CommandLine* command_line) override {
ContentBrowserTest::SetUpCommandLine(command_line);
// We're redirecting all hosts to localhost even on HTTPS, so we'll get
// certificate errors.
command_line->AppendSwitch(switches::kIgnoreCertificateErrors);
}
void SetUpOnMainThread() override {
ContentBrowserTest::SetUpOnMainThread();
BrowserContext::GetBrowsingDataRemover(browser_context())
->SetEmbedderDelegate(&embedder_delegate_);
// Set up HTTP and HTTPS test servers that handle all hosts.
host_resolver()->AddRule("*", "127.0.0.1");
embedded_test_server()->RegisterRequestHandler(
base::Bind(&ClearSiteDataThrottleBrowserTest::HandleRequest,
base::Unretained(this)));
ASSERT_TRUE(embedded_test_server()->Start());
https_server_.reset(new net::EmbeddedTestServer(
net::test_server::EmbeddedTestServer::TYPE_HTTPS));
https_server_->SetSSLConfig(net::EmbeddedTestServer::CERT_OK);
https_server_->RegisterRequestHandler(
base::Bind(&ClearSiteDataThrottleBrowserTest::HandleRequest,
base::Unretained(this)));
ASSERT_TRUE(https_server_->Start());
// Initialize the cookie store pointer on the IO thread.
base::RunLoop run_loop;
BrowserThread::PostTask(
BrowserThread::IO, FROM_HERE,
base::BindOnce(
&ClearSiteDataThrottleBrowserTest::InitializeCookieStore,
base::Unretained(this),
base::Unretained(
BrowserContext::GetDefaultStoragePartition(browser_context())
->GetURLRequestContext()),
run_loop.QuitClosure()));
run_loop.Run();
}
BrowserContext* browser_context() {
return shell()->web_contents()->GetBrowserContext();
}
void InitializeCookieStore(
net::URLRequestContextGetter* request_context_getter,
base::Closure callback) {
cookie_store_ =
request_context_getter->GetURLRequestContext()->cookie_store();
std::move(callback).Run();
}
// Adds a cookie for the |url|. Used in the cookie integration tests.
void AddCookie(const GURL& url) {
DCHECK_CURRENTLY_ON(BrowserThread::UI);
base::RunLoop run_loop;
BrowserThread::PostTask(
BrowserThread::IO, FROM_HERE,
base::BindOnce(
&net::CookieStore::SetCookieWithOptionsAsync,
base::Unretained(cookie_store_), url, "A=1", net::CookieOptions(),
base::Bind(&ClearSiteDataThrottleBrowserTest::AddCookieCallback,
run_loop.QuitClosure())));
run_loop.Run();
}
// Retrieves the list of all cookies. Used in the cookie integration tests.
net::CookieList GetCookies() {
DCHECK_CURRENTLY_ON(BrowserThread::UI);
base::RunLoop run_loop;
net::CookieList cookie_list;
BrowserThread::PostTask(
BrowserThread::IO, FROM_HERE,
base::BindOnce(
&net::CookieStore::GetAllCookiesAsync,
base::Unretained(cookie_store_),
base::Bind(&ClearSiteDataThrottleBrowserTest::GetCookiesCallback,
run_loop.QuitClosure(),
base::Unretained(&cookie_list))));
run_loop.Run();
return cookie_list;
}
// Adds a service worker. Used in the storage integration tests.
void AddServiceWorker(const std::string& origin) {
DCHECK_CURRENTLY_ON(BrowserThread::UI);
ServiceWorkerContextWrapper* service_worker_context =
static_cast<ServiceWorkerContextWrapper*>(
BrowserContext::GetDefaultStoragePartition(browser_context())
->GetServiceWorkerContext());
GURL scope_url = https_server()->GetURL(origin, "/");
GURL js_url = https_server()->GetURL(origin, "/?file=worker.js");
// Register the worker.
blink::mojom::ServiceWorkerRegistrationOptions options(
scope_url, blink::mojom::ServiceWorkerUpdateViaCache::kImports);
BrowserThread::PostTask(
BrowserThread::IO, FROM_HERE,
base::BindOnce(
&ServiceWorkerContextWrapper::RegisterServiceWorker,
base::Unretained(service_worker_context), js_url, options,
base::Bind(
&ClearSiteDataThrottleBrowserTest::AddServiceWorkerCallback,
base::Unretained(this))));
// Wait for its activation.
base::RunLoop run_loop;
BrowserThread::PostTask(
BrowserThread::IO, FROM_HERE,
base::BindOnce(&ServiceWorkerActivationObserver::SignalActivation,
base::Unretained(service_worker_context),
run_loop.QuitClosure()));
run_loop.Run();
}
// Retrieves the list of all service workers. Used in the storage integration
// tests.
std::vector<ServiceWorkerUsageInfo> GetServiceWorkers() {
DCHECK_CURRENTLY_ON(BrowserThread::UI);
ServiceWorkerContextWrapper* service_worker_context =
static_cast<ServiceWorkerContextWrapper*>(
BrowserContext::GetDefaultStoragePartition(browser_context())
->GetServiceWorkerContext());
std::vector<ServiceWorkerUsageInfo> service_workers;
base::RunLoop run_loop;
BrowserThread::PostTask(
BrowserThread::IO, FROM_HERE,
base::BindOnce(
&ServiceWorkerContextWrapper::GetAllOriginsInfo,
base::Unretained(service_worker_context),
base::Bind(
&ClearSiteDataThrottleBrowserTest::GetServiceWorkersCallback,
base::Unretained(this), run_loop.QuitClosure(),
base::Unretained(&service_workers))));
run_loop.Run();
return service_workers;
}
TestBrowsingDataRemoverDelegate* delegate() { return &embedder_delegate_; }
net::EmbeddedTestServer* https_server() { return https_server_.get(); }
private:
// Handles all requests.
//
// Supports the following <key>=<value> query parameters in the url:
// <key>="header" responds with the header "Clear-Site-Data: <value>"
// <key>="redirect" responds with a redirect to the url <value>
// <key>="html" responds with a text/html content <value>
// <key>="file" responds with the content of file <value>
//
// Example: "https://localhost/?header={}&redirect=example.com" will respond
// with headers
// Clear-Site-Data: {}
// Location: example.com
//
// Example: "https://localhost/?html=<html><head></head><body></body></html>"
// will respond with the header
// Content-Type: text/html
// and content
// <html><head></head><body></body></html>
//
// Example: "https://localhost/?file=file.html"
// will respond with the header
// Content-Type: text/html
// and content from the file content/test/data/file.html
std::unique_ptr<net::test_server::HttpResponse> HandleRequest(
const net::test_server::HttpRequest& request) {
std::unique_ptr<net::test_server::BasicHttpResponse> response(
new net::test_server::BasicHttpResponse());
std::string value;
if (net::GetValueForKeyInQuery(request.GetURL(), "header", &value))
response->AddCustomHeader("Clear-Site-Data", value);
if (net::GetValueForKeyInQuery(request.GetURL(), "redirect", &value)) {
response->set_code(net::HTTP_FOUND);
response->AddCustomHeader("Location", value);
} else {
response->set_code(net::HTTP_OK);
}
if (net::GetValueForKeyInQuery(request.GetURL(), "html", &value)) {
response->set_content_type("text/html");
response->set_content(value);
// The "html" parameter is telling the server what to serve, and the XSS
// auditor will complain if its |value| contains JS code. Disable that
// protection.
response->AddCustomHeader("X-XSS-Protection", "0");
}
if (net::GetValueForKeyInQuery(request.GetURL(), "file", &value)) {
base::FilePath path(GetTestFilePath("browsing_data", value.c_str()));
base::File file(path, base::File::FLAG_OPEN | base::File::FLAG_READ);
EXPECT_TRUE(file.IsValid());
int64_t length = file.GetLength();
EXPECT_GE(length, 0);
std::unique_ptr<char[]> buffer(new char[length + 1]);
file.Read(0, buffer.get(), length);
buffer[length] = '\0';
if (path.Extension() == FILE_PATH_LITERAL(".js"))
response->set_content_type("application/javascript");
else if (path.Extension() == FILE_PATH_LITERAL(".html"))
response->set_content_type("text/html");
else
NOTREACHED();
response->set_content(buffer.get());
}
return std::move(response);
}
// Callback handler for AddCookie().
static void AddCookieCallback(const base::Closure& callback, bool success) {
DCHECK_CURRENTLY_ON(BrowserThread::IO);
ASSERT_TRUE(success);
callback.Run();
}
// Callback handler for GetCookies().
static void GetCookiesCallback(const base::Closure& callback,
net::CookieList* out_cookie_list,
const net::CookieList& cookie_list) {
DCHECK_CURRENTLY_ON(BrowserThread::IO);
*out_cookie_list = cookie_list;
callback.Run();
}
// Callback handler for AddServiceWorker().
void AddServiceWorkerCallback(bool success) { ASSERT_TRUE(success); }
// Callback handler for GetServiceWorkers().
void GetServiceWorkersCallback(
const base::Closure& callback,
std::vector<ServiceWorkerUsageInfo>* out_service_workers,
const std::vector<ServiceWorkerUsageInfo>& service_workers) {
*out_service_workers = service_workers;
callback.Run();
}
std::unique_ptr<net::EmbeddedTestServer> https_server_;
TestBrowsingDataRemoverDelegate embedder_delegate_;
net::CookieStore* cookie_store_;
};
// Tests that the header is recognized on the beginning, in the middle, and on
// the end of a navigation redirect chain. Each of the three parts of the chain
// may or may not send the header, so there are 8 configurations to test.
// Crashes on Win only. https://crbug.com/741189
#if defined(OS_WIN)
#define MAYBE_RedirectNavigation DISABLED_RedirectNavigation
#else
#define MAYBE_RedirectNavigation RedirectNavigation
#endif
IN_PROC_BROWSER_TEST_F(ClearSiteDataThrottleBrowserTest,
MAYBE_RedirectNavigation) {
GURL page_urls[3] = {
https_server()->GetURL("origin1.com", "/"),
https_server()->GetURL("origin2.com", "/foo/bar"),
https_server()->GetURL("origin3.com", "/index.html"),
};
// Iterate through the configurations. URLs whose index is matched by the mask
// will send the header, the others won't.
for (int mask = 0; mask < (1 << 3); ++mask) {
GURL urls[3];
// Set up the expectations.
for (int i = 0; i < 3; ++i) {
urls[i] = page_urls[i];
if (mask & (1 << i))
AddQuery(&urls[i], "header", kClearCookiesHeader);
if (mask & (1 << i))
delegate()->ExpectClearSiteDataCookiesCall(
url::Origin::Create(urls[i]));
}
// Set up redirects between urls 0 --> 1 --> 2.
AddQuery(&urls[1], "redirect", urls[2].spec());
AddQuery(&urls[0], "redirect", urls[1].spec());
// Navigate to the first url of the redirect chain.
NavigateToURL(shell(), urls[0]);
// We reached the end of the redirect chain.
EXPECT_EQ(urls[2], shell()->web_contents()->GetURL());
delegate()->VerifyAndClearExpectations();
}
}
// Tests that the header is recognized on the beginning, in the middle, and on
// the end of a resource load redirect chain. Each of the three parts of the
// chain may or may not send the header, so there are 8 configurations to test.
// Crashes on Win only. https://crbug.com/741189
#if defined(OS_WIN)
#define MAYBE_RedirectResourceLoad DISABLED_RedirectResourceLoad
#else
#define MAYBE_RedirectResourceLoad RedirectResourceLoad
#endif
IN_PROC_BROWSER_TEST_F(ClearSiteDataThrottleBrowserTest,
MAYBE_RedirectResourceLoad) {
GURL resource_urls[3] = {
https_server()->GetURL("origin1.com", "/redirect-start"),
https_server()->GetURL("origin2.com", "/redirect-middle"),
https_server()->GetURL("origin3.com", "/redirect-end"),
};
// Iterate through the configurations. URLs whose index is matched by the mask
// will send the header, the others won't.
for (int mask = 0; mask < (1 << 3); ++mask) {
GURL urls[3];
// Set up the expectations.
for (int i = 0; i < 3; ++i) {
urls[i] = resource_urls[i];
if (mask & (1 << i))
AddQuery(&urls[i], "header", kClearCookiesHeader);
if (mask & (1 << i))
delegate()->ExpectClearSiteDataCookiesCall(
url::Origin::Create(urls[i]));
}
// Set up redirects between urls 0 --> 1 --> 2.
AddQuery(&urls[1], "redirect", urls[2].spec());
AddQuery(&urls[0], "redirect", urls[1].spec());
// Navigate to a page that embeds "https://origin1.com/image.png"
// and observe the loading of that resource.
GURL page_with_image = https_server()->GetURL("origin4.com", "/index.html");
std::string content_with_image =
"<html><head></head><body>"
"<img src=\"" +
urls[0].spec() +
"\" />"
"</body></html>";
AddQuery(&page_with_image, "html", content_with_image);
NavigateToURL(shell(), page_with_image);
delegate()->VerifyAndClearExpectations();
}
}
// Tests that the Clear-Site-Data header is ignored for insecure origins.
IN_PROC_BROWSER_TEST_F(ClearSiteDataThrottleBrowserTest, InsecureNavigation) {
// ClearSiteData() should not be called on HTTP.
GURL url = embedded_test_server()->GetURL("example.com", "/");
AddQuery(&url, "header", kClearCookiesHeader);
ASSERT_FALSE(url.SchemeIsCryptographic());
NavigateToURL(shell(), url);
// We do not expect any calls to have been made.
delegate()->VerifyAndClearExpectations();
}
// Tests that the Clear-Site-Data header is honored for secure resource loads
// and ignored for insecure ones.
IN_PROC_BROWSER_TEST_F(ClearSiteDataThrottleBrowserTest,
SecureAndInsecureResourceLoad) {
GURL insecure_image =
embedded_test_server()->GetURL("example.com", "/image.png");
GURL secure_image = https_server()->GetURL("example.com", "/image.png");
ASSERT_TRUE(secure_image.SchemeIsCryptographic());
ASSERT_FALSE(insecure_image.SchemeIsCryptographic());
AddQuery(&secure_image, "header", kClearCookiesHeader);
AddQuery(&insecure_image, "header", kClearCookiesHeader);
std::string content_with_insecure_image =
"<html><head></head><body>"
"<img src=\"" +
insecure_image.spec() +
"\" />"
"</body></html>";
std::string content_with_secure_image =
"<html><head></head><body>"
"<img src=\"" +
secure_image.spec() +
"\" />"
"</body></html>";
// Test insecure resources.
GURL insecure_page = embedded_test_server()->GetURL("example.com", "/");
GURL secure_page = https_server()->GetURL("example.com", "/");
AddQuery(&insecure_page, "html", content_with_insecure_image);
AddQuery(&secure_page, "html", content_with_insecure_image);
// Insecure resource on an insecure page does not execute Clear-Site-Data.
NavigateToURL(shell(), insecure_page);
// Insecure resource on a secure page does not execute Clear-Site-Data.
NavigateToURL(shell(), secure_page);
// We do not expect any calls to have been made.
delegate()->VerifyAndClearExpectations();
// Test secure resources.
insecure_page = embedded_test_server()->GetURL("example.com", "/");
secure_page = https_server()->GetURL("example.com", "/");
AddQuery(&insecure_page, "html", content_with_secure_image);
AddQuery(&secure_page, "html", content_with_secure_image);
// Secure resource on an insecure page does execute Clear-Site-Data.
delegate()->ExpectClearSiteDataCookiesCall(url::Origin::Create(secure_image));
NavigateToURL(shell(), secure_page);
delegate()->VerifyAndClearExpectations();
// Secure resource on a secure page does execute Clear-Site-Data.
delegate()->ExpectClearSiteDataCookiesCall(url::Origin::Create(secure_image));
NavigateToURL(shell(), secure_page);
delegate()->VerifyAndClearExpectations();
}
// Tests that the Clear-Site-Data header is ignored for service worker resource
// loads.
IN_PROC_BROWSER_TEST_F(ClearSiteDataThrottleBrowserTest, ServiceWorker) {
GURL origin1 = https_server()->GetURL("origin1.com", "/");
GURL origin2 = https_server()->GetURL("origin2.com", "/");
GURL origin3 = https_server()->GetURL("origin3.com", "/");
GURL origin4 = https_server()->GetURL("origin4.com", "/");
// Navigation to worker_setup.html will install a service worker. Since
// the installation is asynchronous, the JS side will inform us about it in
// the page title.
GURL url = origin1;
AddQuery(&url, "file", "worker_setup.html");
NavigateToURL(shell(), url);
WaitForTitle(shell(), "service worker is ready");
// The service worker will now serve a page containing several images, which
// the browser will try to fetch. The service worker will be instructed
// to handle some of the fetches itself, while others will be handled by
// the testing server. The setup is the following:
//
// origin1.com/resource (-> server; should respect header)
// origin2.com/resource_from_sw (-> service worker; should not respect header)
// origin3.com/resource_from_sw (-> service worker; should not respect header)
// origin4.com/resource (-> server; should respect header)
// origin1.com/resource_from_sw (-> service worker; should not respect header)
// origin2.com/resource (-> server; should respect header)
// origin3.com/resource_from_sw (-> service worker; should not respect header)
// origin4.com/resource (-> server; should respect header)
//
// |origin1| and |origin2| are used to test that there is no difference
// between same-origin and third-party fetches. Clear-Site-Data should be
// called once for each of these origins - caused by the "/resource" fetch,
// but not by the "/resource_from_sw" fetch. |origin3| and |origin4| prove
// that the number of calls is dependent on the number of network responses,
// i.e. that it isn't always 1 as in the case of |origin1| and |origin2|.
delegate()->ExpectClearSiteDataCookiesCall(url::Origin::Create(origin1));
delegate()->ExpectClearSiteDataCookiesCall(url::Origin::Create(origin4));
delegate()->ExpectClearSiteDataCookiesCall(url::Origin::Create(origin2));
delegate()->ExpectClearSiteDataCookiesCall(url::Origin::Create(origin4));
url = https_server()->GetURL("origin1.com", "/anything-in-workers-scope");
AddQuery(&url, "origin1", origin1.spec());
AddQuery(&url, "origin2", origin2.spec());
AddQuery(&url, "origin3", origin3.spec());
AddQuery(&url, "origin4", origin4.spec());
NavigateToURL(shell(), url);
WaitForTitle(shell(), "done");
delegate()->VerifyAndClearExpectations();
}
// Tests that Clear-Site-Data is only executed on a resource fetch
// if credentials are allowed in that fetch.
// Crashes on Win only. https://crbug.com/741189
#if defined(OS_WIN)
#define MAYBE_Credentials DISABLED_Credentials
#else
#define MAYBE_Credentials Credentials
#endif
IN_PROC_BROWSER_TEST_F(ClearSiteDataThrottleBrowserTest, MAYBE_Credentials) {
GURL page_template = https_server()->GetURL("origin1.com", "/");
GURL same_origin_resource =
https_server()->GetURL("origin1.com", "/resource");
GURL different_origin_resource =
https_server()->GetURL("origin2.com", "/resource");
AddQuery(&same_origin_resource, "header", kClearCookiesHeader);
AddQuery(&different_origin_resource, "header", kClearCookiesHeader);
const struct TestCase {
bool same_origin;
std::string credentials;
bool should_run;
} kTestCases[] = {
{true, "", true},
{true, "omit", false},
{true, "same-origin", true},
{true, "include", true},
{false, "", false},
{false, "omit", false},
{false, "same-origin", false},
{false, "include", true},
};
for (const TestCase& test_case : kTestCases) {
const GURL& resource = test_case.same_origin ? same_origin_resource
: different_origin_resource;
std::string credentials =
test_case.credentials.empty()
? ""
: "credentials: '" + test_case.credentials + "'";
// Fetch a resource. Note that the script also handles fetch() error which
// might be thrown for third-party fetches because of missing
// Access-Control-Allow-Origin. However, that only affects the visibility
// of the response; the header will still be processed.
std::string content = base::StringPrintf(
"<html><head></head><body><script>"
"fetch('%s', {%s})"
".then(function() { document.title = 'done'; })"
".catch(function() { document.title = 'done'; })"
"</script></body></html>",
resource.spec().c_str(), credentials.c_str());
GURL page = page_template;
AddQuery(&page, "html", content);
if (test_case.should_run)
delegate()->ExpectClearSiteDataCookiesCall(url::Origin::Create(resource));
NavigateToURL(shell(), page);
WaitForTitle(shell(), "done");
delegate()->VerifyAndClearExpectations();
}
}
// Tests that the credentials flag is correctly taken into account when it
// interpretation changes after redirect.
IN_PROC_BROWSER_TEST_F(ClearSiteDataThrottleBrowserTest,
CredentialsOnRedirect) {
GURL urls[2] = {
https_server()->GetURL("origin1.com", "/image.png"),
https_server()->GetURL("origin2.com", "/image.png"),
};
AddQuery(&urls[0], "header", kClearCookiesHeader);
AddQuery(&urls[1], "header", kClearCookiesHeader);
AddQuery(&urls[0], "redirect", urls[1].spec());
// Fetch a resource on origin1.com, which will redirect to origin2.com.
// Both URLs will respond with Clear-Site-Data. Since the credentials mode is
// 'same-origin', the LOAD_DO_NOT_SAVE_COOKIES flag will be set while
// processing the response from origin1.com, but not while processing the
// response from origin2.com. Therefore, the deletion will only be executed
// for origin1.com.
//
// Note that the script also handles fetch() error which might be thrown for
// third-party fetches because of missing Access-Control-Allow-Origin.
// However, that only affects the visibility of the response; the header will
// still be processed.
std::string content = base::StringPrintf(
"<html><head></head><body><script>"
"fetch('%s', {'credentials': 'same-origin'})"
".then(function() { document.title = 'done'; })"
".catch(function() { document.title = 'done'; })"
"</script></body></html>",
urls[0].spec().c_str());
delegate()->ExpectClearSiteDataCookiesCall(url::Origin::Create(urls[0]));
GURL page = https_server()->GetURL("origin1.com", "/");
AddQuery(&page, "html", content);
NavigateToURL(shell(), page);
WaitForTitle(shell(), "done");
delegate()->VerifyAndClearExpectations();
}
// Tests that ClearSiteData() is called for the correct data types.
IN_PROC_BROWSER_TEST_F(ClearSiteDataThrottleBrowserTest, Types) {
GURL base_url = https_server()->GetURL("example.com", "/");
struct TestCase {
const char* value;
bool remove_cookies;
bool remove_storage;
bool remove_cache;
} test_cases[] = {
{"\"cookies\"", true, false, false},
{"\"storage\"", false, true, false},
{"\"cache\"", false, false, true},
{"\"cookies\", \"storage\"", true, true, false},
{"\"cookies\", \"cache\"", true, false, true},
{"\"storage\", \"cache\"", false, true, true},
{"\"cookies\", \"storage\", \"cache\"", true, true, true},
};
for (const TestCase& test_case : test_cases) {
GURL url = base_url;
AddQuery(&url, "header", test_case.value);
delegate()->ExpectClearSiteDataCall(
url::Origin::Create(url), test_case.remove_cookies,
test_case.remove_storage, test_case.remove_cache);
NavigateToURL(shell(), url);
delegate()->VerifyAndClearExpectations();
}
}
// Integration test for the deletion of cookies.
IN_PROC_BROWSER_TEST_F(ClearSiteDataThrottleBrowserTest,
CookiesIntegrationTest) {
AddCookie(https_server()->GetURL("origin1.com", "/abc"));
AddCookie(https_server()->GetURL("subdomain.origin1.com", "/"));
AddCookie(https_server()->GetURL("origin2.com", "/def"));
AddCookie(https_server()->GetURL("subdomain.origin2.com", "/"));
// There are four cookies on two eTLD+1s.
net::CookieList cookies = GetCookies();
EXPECT_EQ(4u, cookies.size());
// Let Clear-Site-Data delete the "cookies" of "origin1.com".
GURL url = https_server()->GetURL("origin1.com", "/clear-site-data");
AddQuery(&url, "header", kClearCookiesHeader);
NavigateToURL(shell(), url);
// Only the "origin2.com" eTLD now has cookies.
cookies = GetCookies();
ASSERT_EQ(2u, cookies.size());
EXPECT_EQ(cookies[0].Domain(), "origin2.com");
EXPECT_EQ(cookies[1].Domain(), "subdomain.origin2.com");
}
// Integration test for the unregistering of service workers.
IN_PROC_BROWSER_TEST_F(ClearSiteDataThrottleBrowserTest,
StorageServiceWorkersIntegrationTest) {
AddServiceWorker("origin1.com");
AddServiceWorker("origin2.com");
// There are two service workers installed on two origins.
std::vector<ServiceWorkerUsageInfo> service_workers = GetServiceWorkers();
EXPECT_EQ(2u, service_workers.size());
// Navigate to a URL within the scope of "origin1.com" which responds with
// a Clear-Site-Data header. Verify that this did NOT remove the service
// worker for "origin1.com", as the header would not be respected outside
// of the scope.
GURL url = https_server()->GetURL("origin1.com", "/anything-in-the-scope");
AddQuery(&url, "header", "\"storage\"");
NavigateToURL(shell(), url);
service_workers = GetServiceWorkers();
EXPECT_EQ(2u, service_workers.size());
// This time, we will navigate to a URL on "origin1.com" that is not handled
// by the serice worker, but results in a network request. One such resource
// not handled by "worker.js" is the path "resource".
// The header will be respected and the worker deleted.
url = https_server()->GetURL("origin1.com", "/resource");
AddQuery(&url, "header", "\"storage\"");
NavigateToURL(shell(), url);
// Only "origin2.com" now has a service worker.
service_workers = GetServiceWorkers();
ASSERT_EQ(1u, service_workers.size());
EXPECT_EQ(service_workers[0].origin,
https_server()->GetURL("origin2.com", "/"));
// TODO(msramek): Test that the service worker update ping also deletes
// the service worker.
}
// TODO(msramek): Add integration tests for other storage data types, such as
// local storage, indexed DB, etc.
// Integration test for the deletion of cache entries.
// NOTE: This test might be flaky. disk_cache::Backend calls back before cache
// entries are actually written to the disk. Other tests using CacheTestUtil
// show that a timeout of around 1s between cache operations is necessary to
// avoid flakiness.
IN_PROC_BROWSER_TEST_F(ClearSiteDataThrottleBrowserTest, CacheIntegrationTest) {
const int kTimeoutMs = 1000;
CacheTestUtil util(
BrowserContext::GetDefaultStoragePartition(browser_context()));
std::string url1 = https_server()->GetURL("origin1.com", "/foo").spec();
std::string url2 = https_server()->GetURL("origin1.com", "/bar").spec();
std::string url3 = https_server()->GetURL("origin2.com", "/foo").spec();
std::string url4 = https_server()->GetURL("origin2.com", "/bar").spec();
std::set<std::string> entries_to_create = {url1, url2, url3, url4};
util.CreateCacheEntries(entries_to_create);
base::PlatformThread::Sleep(base::TimeDelta::FromMilliseconds(kTimeoutMs));
// There are four cache entries on two origins.
std::vector<std::string> cache_keys = util.GetEntryKeys();
EXPECT_EQ(4u, cache_keys.size());
// Let Clear-Site-Data delete the "cache" of "origin1.com".
GURL url = https_server()->GetURL("origin1.com", "/clear-site-data");
AddQuery(&url, "header", "\"cache\"");
NavigateToURL(shell(), url);
base::PlatformThread::Sleep(base::TimeDelta::FromMilliseconds(kTimeoutMs));
// Only "origin2.com" now has cache entries.
cache_keys = util.GetEntryKeys();
ASSERT_EQ(2u, cache_keys.size());
std::sort(cache_keys.begin(), cache_keys.end());
EXPECT_EQ(url4, cache_keys[0]);
EXPECT_EQ(url3, cache_keys[1]);
}
// Tests that closing the tab right after executing Clear-Site-Data does
// not crash.
IN_PROC_BROWSER_TEST_F(ClearSiteDataThrottleBrowserTest, ClosedTab) {
GURL url = https_server()->GetURL("example.com", "/");
AddQuery(&url, "header", kClearCookiesHeader);
shell()->LoadURL(url);
shell()->Close();
}
} // namespace content