Allow showing pending URL for new tab navigations, but only if safe.

content/browser/web_contents/navigation_controller_impl.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "content/browser/web_contents/navigation_controller_impl.h"
 
 #include "base/bind.h"
 #include "base/command_line.h"
 #include "base/file_util.h"
 #include "base/logging.h"
@@ skipping 274 matching lines @@
         NavigationEntryImpl::FromNavigationEntry(GetActiveEntry());
     if (!active_entry)
       return;
     LoadURL(active_entry->GetURL(),
             Referrer(),
             PAGE_TRANSITION_RELOAD,
             active_entry->extra_headers());
     return;
   }
 
-  DiscardNonCommittedEntriesInternal();
-  int current_index = GetCurrentEntryIndex();
+  NavigationEntryImpl* entry = NULL;
+  int current_index = -1;
+
+  // If we are reloading the initial navigation, just use the current
+  // pending entry.  Otherwise look up the current entry.
+  if (IsInitialNavigation() && pending_entry_) {
+    entry = pending_entry_;
+  } else {
+    DiscardNonCommittedEntriesInternal();
+    current_index = GetCurrentEntryIndex();
+    if (current_index != -1) {
+      entry = NavigationEntryImpl::FromNavigationEntry(
+          GetEntryAtIndex(current_index));
+    }
+  }
+
   // If we are no where, then we can't reload.  TODO(darin): We should add a
   // CanReload method.
-  if (current_index == -1) {
+  if (!entry)
     return;
-  }
 
   if (g_check_for_repost && check_for_repost &&
-      GetEntryAtIndex(current_index)->GetHasPostData()) {
+      entry->GetHasPostData()) {
     // The user is asking to reload a page with POST data. Prompt to make sure
     // they really want to do this. If they do, the dialog will call us back
     // with check_for_repost = false.
     web_contents_->NotifyBeforeFormRepostWarningShow();
 
     pending_reload_ = reload_type;
     web_contents_->Activate();
     web_contents_->GetDelegate()->ShowRepostFormWarningDialog(web_contents_);
   } else {
-    DiscardNonCommittedEntriesInternal();
-
-    NavigationEntryImpl* entry = entries_[current_index].get();
-    SiteInstanceImpl* site_instance = entry->site_instance();
-    DCHECK(site_instance);
+    if (!IsInitialNavigation())
+      DiscardNonCommittedEntriesInternal();
 
     // If we are reloading an entry that no longer belongs to the current
     // site instance (for example, refreshing a page for just installed app),
     // the reload must happen in a new process.
     // The new entry must have a new page_id and site instance, so it behaves
     // as new navigation (which happens to clear forward history).
     // Tabs that are discarded due to low memory conditions may not have a site
     // instance, and should not be treated as a cross-site reload.
+    SiteInstanceImpl* site_instance = entry->site_instance();
     if (site_instance &&
         site_instance->HasWrongProcessForURL(entry->GetURL())) {
       // Create a navigation entry that resembles the current one, but do not
       // copy page id, site instance, content state, or timestamp.
       NavigationEntryImpl* nav_entry = NavigationEntryImpl::FromNavigationEntry(
           CreateNavigationEntry(
               entry->GetURL(), entry->GetReferrer(), entry->GetTransitionType(),
               false, entry->extra_headers(), browser_context_));
 
       // Mark the reload type as NO_RELOAD, so navigation will not be considered
       // a reload in the renderer.
       reload_type = NavigationController::NO_RELOAD;
 
       nav_entry->set_should_replace_entry(true);
       pending_entry_ = nav_entry;
     } else {
+      pending_entry_ = entry;
       pending_entry_index_ = current_index;
 
       // The title of the page being reloaded might have been removed in the
       // meanwhile, so we need to revert to the default title upon reload and
       // invalidate the previously cached title (SetTitle will do both).
       // See Chromium issue 96041.
-      entries_[pending_entry_index_]->SetTitle(string16());
+      pending_entry_->SetTitle(string16());
 
-      entries_[pending_entry_index_]->SetTransitionType(PAGE_TRANSITION_RELOAD);
+      pending_entry_->SetTransitionType(PAGE_TRANSITION_RELOAD);
     }
 
     NavigateToPendingEntry(reload_type);
   }
 }
 
 void NavigationControllerImpl::CancelPendingReload() {
   DCHECK(pending_reload_ != NO_RELOAD);
   pending_reload_ = NO_RELOAD;
 }
@@ skipping 27 matching lines @@
       policy->IsDisabledScheme(entry->GetVirtualURL().scheme())) {
     VLOG(1) << "URL not loaded because the scheme is blocked by policy: "
             << entry->GetURL();
     delete entry;
     return;
   }
 
   // When navigating to a new page, we don't know for sure if we will actually
   // end up leaving the current page.  The new page load could for example
   // result in a download or a 'no content' response (e.g., a mailto: URL).
+  SetPendingEntry(entry);
+  NavigateToPendingEntry(NO_RELOAD);
+}
+
+void NavigationControllerImpl::SetPendingEntry(NavigationEntryImpl* entry) {
   DiscardNonCommittedEntriesInternal();
   pending_entry_ = entry;
   NotificationService::current()->Notify(
       NOTIFICATION_NAV_ENTRY_PENDING,
       Source<NavigationController>(this),
       Details<NavigationEntry>(entry));
-  NavigateToPendingEntry(NO_RELOAD);
 }
 
 NavigationEntry* NavigationControllerImpl::GetActiveEntry() const {
   if (transient_entry_index_ != -1)
     return entries_[transient_entry_index_].get();
   if (pending_entry_)
     return pending_entry_;
   return GetLastCommittedEntry();
 }
 
 NavigationEntry* NavigationControllerImpl::GetVisibleEntry() const {
   if (transient_entry_index_ != -1)
     return entries_[transient_entry_index_].get();
-  // Only return the pending_entry for new (non-history), browser-initiated
-  // navigations, in order to prevent URL spoof attacks.
-  // Ideally we would also show the pending entry's URL for new renderer-
-  // initiated navigations with no last committed entry (e.g., a link opening
-  // in a new tab), but an attacker can insert content into the about:blank
-  // page while the pending URL loads in that case.
-  if (pending_entry_ &&
+  // The pending entry is safe to return for new (non-history), browser-
+  // initiated navigations.  Most renderer-initiated navigations should not
+  // show the pending entry, to prevent URL spoof attacks.
+  //
+  // We make an exception for renderer-initiated navigations in new tabs, as
+  // long as no other page has tried to access the initial empty document in
+  // the new tab.  If another page modifies this blank page, a URL spoof is
+  // possible, so we must stop showing the pending entry.
+  RenderViewHostImpl* rvh = static_cast<RenderViewHostImpl*>(
+      web_contents_->GetRenderViewHost());
+  bool safe_to_show_pending =
+      pending_entry_ &&
+      // Require a new navigation.
       pending_entry_->GetPageID() == -1 &&
+      // Require either browser-initiated or an unmodified new tab.
+      (!pending_entry_->is_renderer_initiated() ||
+       (IsInitialNavigation() &&
+        !GetLastCommittedEntry() &&
+        !rvh->has_accessed_initial_document()));
+
+  // Also allow showing the pending entry for history navigations in a new tab,
+  // such as Ctrl+Back.  In this case, no existing page is visible and no one
+  // can script the new tab before it commits.
+  if (!safe_to_show_pending &&
+      pending_entry_ &&
+      pending_entry_->GetPageID() != -1 &&
+      IsInitialNavigation() &&
       !pending_entry_->is_renderer_initiated())
+    safe_to_show_pending = true;
+
+  if (safe_to_show_pending)
     return pending_entry_;
   return GetLastCommittedEntry();
 }
 
 int NavigationControllerImpl::GetCurrentEntryIndex() const {
   if (transient_entry_index_ != -1)
     return transient_entry_index_;
   if (pending_entry_index_ != -1)
     return pending_entry_index_;
   return last_committed_entry_index_;
@@ skipping 609 matching lines @@
   if (!PageTransitionIsMainFrame(params.transition)) {
     // All manual subframes would get new IDs and were handled above, so we
     // know this is auto. Since the current page was found in the navigation
     // entry list, we're guaranteed to have a last committed entry.
     DCHECK(GetLastCommittedEntry());
     return NAVIGATION_TYPE_AUTO_SUBFRAME;
   }
 
   // Anything below here we know is a main frame navigation.
   if (pending_entry_ &&
+      !pending_entry_->is_renderer_initiated() &&
       existing_entry != pending_entry_ &&
       pending_entry_->GetPageID() == -1 &&
       existing_entry == GetLastCommittedEntry()) {
     // In this case, we have a pending entry for a URL but WebCore didn't do a
     // new navigation. This happens when you press enter in the URL bar to
     // reload. We will create a pending entry, but WebKit will convert it to
     // a reload since it's the same page and not create a new entry for it
     // (the user doesn't want to have a new back/forward entry when they do
     // this). If this matches the last committed entry, we want to just ignore
     // the pending entry and go back to where we were (the "existing entry").
@@ skipping 757 matching lines @@
     const base::Callback<base::Time()>& get_timestamp_callback) {
   get_timestamp_callback_ = get_timestamp_callback;
 }
 
 void NavigationControllerImpl::SetTakeScreenshotCallbackForTest(
     const base::Callback<void(RenderViewHost*)>& take_screenshot_callback) {
   take_screenshot_callback_ = take_screenshot_callback;
 }
 
 }  // namespace content