<webview>: navigating to WebStore should fire a loadabort instead of crashing.

content/browser/browser_plugin/browser_plugin_guest.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "content/browser/browser_plugin/browser_plugin_guest.h"
 
 #include <algorithm>
 
 #include "base/message_loop/message_loop.h"
 #include "base/strings/string_util.h"
@@ skipping 379 matching lines @@
   }
   // All pending windows should be removed from the set after Destroy() is
   // called on all of them.
   DCHECK(pending_new_windows_.empty());
 }
 
 void BrowserPluginGuest::LoadURLWithParams(const GURL& url,
                                            const Referrer& referrer,
                                            PageTransition transition_type,
                                            WebContents* web_contents) {
-  NavigationController::LoadURLParams load_url_params(url);
+  // Do not allow navigating a guest to schemes other than known safe schemes.
+  // This will block the embedder trying to load unwanted schemes, e.g.
+  // chrome://settings.
+  bool scheme_is_blocked =
+      (!ChildProcessSecurityPolicyImpl::GetInstance()->IsWebSafeScheme(
+          url.scheme()) &&
+      !ChildProcessSecurityPolicyImpl::GetInstance()->IsPseudoScheme(
+          url.scheme())) ||
+      url.SchemeIs(kJavaScriptScheme);
+  bool can_commit =
+      GetContentClient()->browser()->CanCommitURL(
+          GetWebContents()->GetRenderProcessHost(), url);
+  if (scheme_is_blocked || !url.is_valid() || !can_commit) {
+    if (delegate_) {
+      std::string error_type;
+      base::RemoveChars(net::ErrorToString(net::ERR_ABORTED), "net::",
+                        &error_type);
+      delegate_->LoadAbort(true /* is_top_level */, url, error_type);
+    }
+    return;
+  }
+
+  GURL validated_url(url);
+  GetWebContents()->GetRenderProcessHost()->FilterURL(false, &validated_url);
+
+  NavigationController::LoadURLParams load_url_params(validated_url);
   load_url_params.referrer = referrer;
   load_url_params.transition_type = transition_type;
   load_url_params.extra_headers = std::string();
   if (delegate_ && delegate_->IsOverridingUserAgent()) {
     load_url_params.override_user_agent =
         NavigationController::UA_OVERRIDE_TRUE;
   }
   web_contents->GetController().LoadURLWithParams(load_url_params);
 }
 
@@ skipping 168 matching lines @@
   // focus.
   *renderer_prefs = *embedder_web_contents_->GetMutableRendererPrefs();
   renderer_prefs->user_agent_override = guest_user_agent_override;
 
   // We would like the guest to report changes to frame names so that we can
   // update the BrowserPlugin's corresponding 'name' attribute.
   // TODO(fsamuel): Remove this once http://crbug.com/169110 is addressed.
   renderer_prefs->report_frame_name_changes = true;
   // Navigation is disabled in Chrome Apps. We want to make sure guest-initiated
   // navigations still continue to function inside the app.
-  renderer_prefs->browser_handles_all_top_level_requests = false;
+  renderer_prefs->browser_handles_all_top_level_requests = true;

[lazyboy, 2014/01/16 22:31:24]

I remember creis@ raising concerns doing this before, are those concerns not an
issue anymore?

[Fady Samuel, 2014/01/16 23:40:27]

Nasko? Thoughts? Charlie is on paternity leave.

   // Disable "client blocked" error page for browser plugin.
   renderer_prefs->disable_client_blocked_error_page = true;
 
   embedder_web_contents_observer_.reset(new EmbedderWebContentsObserver(this));
 
   OnSetSize(instance_id_, params.auto_size_params, params.resize_guest_params);
 
   // Create a swapped out RenderView for the guest in the embedder render
   // process, so that the embedder can access the guest's window object.
   int guest_routing_id =
@@ skipping 206 matching lines @@
     PendingWindowMap::iterator it = opener()->pending_new_windows_.find(this);
     if (it == opener()->pending_new_windows_.end())
       return NULL;
     const NewWindowInfo& old_target_url = it->second;
     NewWindowInfo new_window_info(params.url, old_target_url.name);
     new_window_info.changed = new_window_info.url != old_target_url.url;
     it->second = new_window_info;
     return NULL;
   }
   if (params.disposition == CURRENT_TAB) {
-    // This can happen for cross-site redirects.
+    // This can happen for cross-site redirects and top-level frame navigations.
     LoadURLWithParams(params.url, params.referrer, params.transition, source);
     return source;
   }
 
   return CreateNewGuestWindow(params)->GetWebContents();
 }
 
 void BrowserPluginGuest::WebContentsCreated(WebContents* source_contents,
                                             int64 source_frame_id,
                                             const base::string16& frame_name,
@@ skipping 597 matching lines @@
   pending_lock_request_ = false;
   if (succeeded)
     mouse_locked_ = true;
 }
 
 void BrowserPluginGuest::OnNavigateGuest(
     int instance_id,
     const std::string& src) {
   GURL url = delegate_ ? delegate_->ResolveURL(src) : GURL(src);
 
-  // Do not allow navigating a guest to schemes other than known safe schemes.
-  // This will block the embedder trying to load unwanted schemes, e.g.
-  // chrome://settings.
-  bool scheme_is_blocked =
-      (!ChildProcessSecurityPolicyImpl::GetInstance()->IsWebSafeScheme(
-          url.scheme()) &&
-      !ChildProcessSecurityPolicyImpl::GetInstance()->IsPseudoScheme(
-          url.scheme())) ||
-      url.SchemeIs(kJavaScriptScheme);
-  if (scheme_is_blocked || !url.is_valid()) {
-    if (delegate_) {
-      std::string error_type;
-      base::RemoveChars(net::ErrorToString(net::ERR_ABORTED), "net::",
-                        &error_type);
-      delegate_->LoadAbort(true /* is_top_level */, url, error_type);
-    }
-    return;
-  }
-
-  GURL validated_url(url);
-  GetWebContents()->GetRenderProcessHost()->FilterURL(false, &validated_url);
   // As guests do not swap processes on navigation, only navigations to
   // normal web URLs are supported.  No protocol handlers are installed for
   // other schemes (e.g., WebUI or extensions), and no permissions or bindings
   // can be granted to the guest process.
-  LoadURLWithParams(validated_url, Referrer(), PAGE_TRANSITION_AUTO_TOPLEVEL,
+  LoadURLWithParams(url, Referrer(), PAGE_TRANSITION_AUTO_TOPLEVEL,
                     GetWebContents());
 }
 
 void BrowserPluginGuest::OnPluginDestroyed(int instance_id) {
   Destroy();
 }
 
 void BrowserPluginGuest::OnResizeGuest(
     int instance_id,
     const BrowserPluginHostMsg_ResizeGuest_Params& params) {
@@ skipping 382 matching lines @@
   request_info.Set(browser_plugin::kRequestMethod,
                    base::Value::CreateStringValue(request_method));
   request_info.Set(browser_plugin::kURL, base::Value::CreateStringValue(url));
 
   RequestPermission(BROWSER_PLUGIN_PERMISSION_TYPE_DOWNLOAD,
                     new DownloadRequest(callback),
                     request_info);
 }
 
 }  // namespace content