<webview>: navigating to WebStore should fire a loadabort instead of crashing.

content/browser/browser_plugin/browser_plugin_guest.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "content/browser/browser_plugin/browser_plugin_guest.h"
 
 #include <algorithm>
 
 #include "base/message_loop/message_loop.h"
 #include "base/strings/string_util.h"
@@ skipping 388 matching lines @@
   }
   // All pending windows should be removed from the set after Destroy() is
   // called on all of them.
   DCHECK(pending_new_windows_.empty());
 }
 
 void BrowserPluginGuest::LoadURLWithParams(const GURL& url,
                                            const Referrer& referrer,
                                            PageTransition transition_type,
                                            WebContents* web_contents) {
-  NavigationController::LoadURLParams load_url_params(url);
+  // Do not allow navigating a guest to schemes other than known safe schemes.
+  // This will block the embedder trying to load unwanted schemes, e.g.
+  // chrome://settings.
+  bool scheme_is_blocked =
+      (!ChildProcessSecurityPolicyImpl::GetInstance()->IsWebSafeScheme(
+          url.scheme()) &&
+      !ChildProcessSecurityPolicyImpl::GetInstance()->IsPseudoScheme(
+          url.scheme())) ||
+      url.SchemeIs(kJavaScriptScheme);
+  bool can_commit =
+      GetContentClient()->browser()->CanCommitURL(
+          GetWebContents()->GetRenderProcessHost(), url);
+  if (scheme_is_blocked || !url.is_valid() || !can_commit) {
+    if (delegate_) {
+      // TODO(fsamuel): Need better error reporting here.
+      std::string error_type;
+      base::RemoveChars(net::ErrorToString(net::ERR_ABORTED), "net::",
+                        &error_type);
+      delegate_->LoadAbort(true /* is_top_level */, url, error_type);
+    }
+    return;
+  }
+
+  GURL validated_url(url);
+  GetWebContents()->GetRenderProcessHost()->FilterURL(false, &validated_url);
+
+  NavigationController::LoadURLParams load_url_params(validated_url);
   load_url_params.referrer = referrer;
   load_url_params.transition_type = transition_type;
   load_url_params.extra_headers = std::string();
   if (delegate_ && delegate_->IsOverridingUserAgent()) {
     load_url_params.override_user_agent =
         NavigationController::UA_OVERRIDE_TRUE;
   }
   web_contents->GetController().LoadURLWithParams(load_url_params);
 }
 
@@ skipping 177 matching lines @@
   // For GTK and Aura this is necessary to get proper renderer configuration
   // values for caret blinking interval, colors related to selection and
   // focus.
   *renderer_prefs = *embedder_web_contents_->GetMutableRendererPrefs();
   renderer_prefs->user_agent_override = guest_user_agent_override;
 
   // We would like the guest to report changes to frame names so that we can
   // update the BrowserPlugin's corresponding 'name' attribute.
   // TODO(fsamuel): Remove this once http://crbug.com/169110 is addressed.
   renderer_prefs->report_frame_name_changes = true;
-  // Navigation is disabled in Chrome Apps. We want to make sure guest-initiated
-  // navigations still continue to function inside the app.
-  renderer_prefs->browser_handles_all_top_level_requests = false;
+  // Top-level guest-initiated navigations are all plumbed through
+  // BrowserPluginGuest::OpenURLFromTab. There, it is determined whether a
+  // particular navigation will be allowed to proceed or whether it is aborted.
+  renderer_prefs->browser_handles_all_top_level_requests = true;
   // Disable "client blocked" error page for browser plugin.
   renderer_prefs->disable_client_blocked_error_page = true;
 
   embedder_web_contents_observer_.reset(new EmbedderWebContentsObserver(this));
 
   OnSetSize(instance_id_, params.auto_size_params, params.resize_guest_params);
 
   // Create a swapped out RenderView for the guest in the embedder render
   // process, so that the embedder can access the guest's window object.
   int guest_routing_id =
@@ skipping 201 matching lines @@
                                                 const OpenURLParams& params) {
   // If the guest wishes to navigate away prior to attachment then we save the
   // navigation to perform upon attachment. Navigation initializes a lot of
   // state that assumes an embedder exists, such as RenderWidgetHostViewGuest.
   // Navigation also resumes resource loading which we don't want to allow
   // until attachment.
   if (!attached()) {
     PendingWindowMap::iterator it = opener()->pending_new_windows_.find(this);
     if (it == opener()->pending_new_windows_.end())
       return NULL;
-    const NewWindowInfo& old_target_url = it->second;
-    NewWindowInfo new_window_info(params.url, old_target_url.name);
-    new_window_info.changed = new_window_info.url != old_target_url.url;
-    it->second = new_window_info;
+    const NewWindowInfo& old_info = it->second;
+    it->second = NewWindowInfo(params.url, old_info.name);
     return NULL;
   }
   if (params.disposition == CURRENT_TAB) {
-    // This can happen for cross-site redirects.
+    // This can happen for cross-site redirects and top-level frame navigations.
     LoadURLWithParams(params.url, params.referrer, params.transition, source);
     return source;
   }
 
   return CreateNewGuestWindow(params)->GetWebContents();
 }
 
 void BrowserPluginGuest::WebContentsCreated(WebContents* source_contents,
                                             int64 source_frame_id,
                                             const base::string16& frame_name,
@@ skipping 396 matching lines @@
   // to initialize the browser-side state now so that the RenderFrameHostManager
   // does not create a new RenderView on navigation.
   if (has_render_view_) {
     static_cast<RenderViewHostImpl*>(
         GetWebContents()->GetRenderViewHost())->Init();
     WebContentsViewGuest* new_view =
         static_cast<WebContentsViewGuest*>(GetWebContents()->GetView());
     new_view->CreateViewForWidget(web_contents()->GetRenderViewHost());
   }
 
-  // We need to do a navigation here if the target URL has changed between
-  // the time the WebContents was created and the time it was attached.
-  // We also need to do an initial navigation if a RenderView was never
-  // created for the new window in cases where there is no referrer.
+  // Grab the URL for the initial navigation.
   PendingWindowMap::iterator it = opener()->pending_new_windows_.find(this);
   if (it != opener()->pending_new_windows_.end()) {
-    const NewWindowInfo& new_window_info = it->second;
-    if (new_window_info.changed || !has_render_view_)
-      params.src = it->second.url.spec();
+    params.src = it->second.url.spec();
   } else {
     NOTREACHED();
   }
 
   // Once a new guest is attached to the DOM of the embedder page, then the
   // lifetime of the new guest is no longer managed by the opener guest.
   opener()->pending_new_windows_.erase(this);
 
   // The guest's frame name takes precedence over the BrowserPlugin's name.
   // The guest's frame name is assigned in
@@ skipping 171 matching lines @@
   pending_lock_request_ = false;
   if (succeeded)
     mouse_locked_ = true;
 }
 
 void BrowserPluginGuest::OnNavigateGuest(
     int instance_id,
     const std::string& src) {
   GURL url = delegate_ ? delegate_->ResolveURL(src) : GURL(src);
 
-  // Do not allow navigating a guest to schemes other than known safe schemes.
-  // This will block the embedder trying to load unwanted schemes, e.g.
-  // chrome://settings.
-  bool scheme_is_blocked =
-      (!ChildProcessSecurityPolicyImpl::GetInstance()->IsWebSafeScheme(
-          url.scheme()) &&
-      !ChildProcessSecurityPolicyImpl::GetInstance()->IsPseudoScheme(
-          url.scheme())) ||
-      url.SchemeIs(kJavaScriptScheme);
-  if (scheme_is_blocked || !url.is_valid()) {
-    if (delegate_) {
-      std::string error_type;
-      base::RemoveChars(net::ErrorToString(net::ERR_ABORTED), "net::",
-                        &error_type);
-      delegate_->LoadAbort(true /* is_top_level */, url, error_type);
-    }
-    return;
-  }
-
-  GURL validated_url(url);
-  GetWebContents()->GetRenderProcessHost()->FilterURL(false, &validated_url);
   // As guests do not swap processes on navigation, only navigations to
   // normal web URLs are supported.  No protocol handlers are installed for
   // other schemes (e.g., WebUI or extensions), and no permissions or bindings
   // can be granted to the guest process.
-  LoadURLWithParams(validated_url, Referrer(), PAGE_TRANSITION_AUTO_TOPLEVEL,
+  LoadURLWithParams(url, Referrer(), PAGE_TRANSITION_AUTO_TOPLEVEL,
                     GetWebContents());
 }
 
 void BrowserPluginGuest::OnPluginDestroyed(int instance_id) {
   Destroy();
 }
 
 void BrowserPluginGuest::OnResizeGuest(
     int instance_id,
     const BrowserPluginHostMsg_ResizeGuest_Params& params) {
@@ skipping 393 matching lines @@
                    base::Value::CreateStringValue(request_method));
   request_info.Set(browser_plugin::kURL, base::Value::CreateStringValue(url));
 
   RequestPermission(BROWSER_PLUGIN_PERMISSION_TYPE_DOWNLOAD,
                     new DownloadRequest(weak_ptr_factory_.GetWeakPtr(),
                                         callback),
                     request_info);
 }
 
 }  // namespace content