Use about:blank as the failback URL if the filter denies a navigation.

content/browser/renderer_host/render_view_host_impl.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "content/browser/renderer_host/render_view_host_impl.h"
 
 #include <set>
 #include <string>
 #include <utility>
 #include <vector>
@@ skipping 1022 matching lines @@
   ChildProcessSecurityPolicyImpl* policy =
       ChildProcessSecurityPolicyImpl::GetInstance();
   // Without this check, an evil renderer can trick the browser into creating
   // a navigation entry for a banned URL.  If the user clicks the back button
   // followed by the forward button (or clicks reload, or round-trips through
   // session restore, etc), we'll think that the browser commanded the
   // renderer to load the URL and grant the renderer the privileges to request
   // the URL.  To prevent this attack, we block the renderer from inserting
   // banned URLs into the navigation controller in the first place.
   FilterURL(policy, renderer_id, &validated_params.url);
-  FilterURL(policy, renderer_id, &validated_params.referrer.url);
+  if (!validated_params.referrer.url.is_empty())

[Charlie Reis, 2012/03/21 16:23:03]

Your comment on the bug said that we should allow empty URLs for referrer but
not for navigations.  What if we added a is_navigation boolean flag to FilterURL
rather than having to do this check everywhere?

+    FilterURL(policy, renderer_id, &validated_params.referrer.url);
   for (std::vector<GURL>::iterator it(validated_params.redirects.begin());
       it != validated_params.redirects.end(); ++it) {
     FilterURL(policy, renderer_id, &(*it));
   }
-  FilterURL(policy, renderer_id, &validated_params.searchable_form_url);
-  FilterURL(policy, renderer_id, &validated_params.password_form.origin);
-  FilterURL(policy, renderer_id, &validated_params.password_form.action);
+  if (!validated_params.searchable_form_url.is_empty())
+    FilterURL(policy, renderer_id, &validated_params.searchable_form_url);
+  if (!validated_params.password_form.origin.is_empty())
+    FilterURL(policy, renderer_id, &validated_params.password_form.origin);
+  if (!validated_params.password_form.action.is_empty())
+    FilterURL(policy, renderer_id, &validated_params.password_form.action);
 
   delegate_->DidNavigate(this, validated_params);
 }
 
 void RenderViewHostImpl::OnMsgUpdateState(int32 page_id,
                                           const std::string& state) {
   delegate_->UpdateState(this, page_id, state);
 }
 
 void RenderViewHostImpl::OnMsgUpdateTitle(
@@ skipping 71 matching lines @@
 
   // Validate the URLs in |params|.  If the renderer can't request the URLs
   // directly, don't show them in the context menu.
   content::ContextMenuParams validated_params(params);
   int renderer_id = GetProcess()->GetID();
   ChildProcessSecurityPolicyImpl* policy =
       ChildProcessSecurityPolicyImpl::GetInstance();
 
   // We don't validate |unfiltered_link_url| so that this field can be used
   // when users want to copy the original link URL.
-  FilterURL(policy, renderer_id, &validated_params.link_url);
-  FilterURL(policy, renderer_id, &validated_params.src_url);
+  if (!validated_params.link_url.is_empty())
+    FilterURL(policy, renderer_id, &validated_params.link_url);
+  if (!validated_params.src_url.is_empty())
+    FilterURL(policy, renderer_id, &validated_params.src_url);
   FilterURL(policy, renderer_id, &validated_params.page_url);
-  FilterURL(policy, renderer_id, &validated_params.frame_url);
+  if (!validated_params.frame_url.is_empty())
+    FilterURL(policy, renderer_id, &validated_params.frame_url);
 
   view->ShowContextMenu(validated_params);
 }
 
 void RenderViewHostImpl::OnMsgToggleFullscreen(bool enter_fullscreen) {
   DCHECK(BrowserThread::CurrentlyOn(BrowserThread::UI));
   delegate_->ToggleFullscreenMode(enter_fullscreen);
   WasResized();
 }
 
@@ skipping 285 matching lines @@
   Send(new ViewMsg_SelectPopupMenuItem(GetRoutingID(), -1));
 }
 #endif
 
 void RenderViewHostImpl::ToggleSpeechInput() {
   Send(new InputTagSpeechMsg_ToggleSpeechInput(GetRoutingID()));
 }
 
 void RenderViewHostImpl::FilterURL(ChildProcessSecurityPolicyImpl* policy,
                                    int renderer_id,
                                    GURL* url) {

[Charlie Reis, 2012/03/21 16:23:03]

Can we add a comment saying why an empty URL is dangerous for navigations?

-  if (!url->is_valid())
-    return;  // We don't need to block invalid URLs.
+  if (!url->is_valid()) {
+    *url = GURL(chrome::kAboutBlankURL);
+    return;
+  }
 
   if (url->SchemeIs(chrome::kAboutScheme)) {
     // The renderer treats all URLs in the about: scheme as being about:blank.
     // Canonicalize about: URLs to about:blank.
     *url = GURL(chrome::kAboutBlankURL);
   }
 
   if (!policy->CanRequestURL(renderer_id, *url)) {
     // If this renderer is not permitted to request this URL, we invalidate the
     // URL.  This prevents us from storing the blocked URL and becoming confused
     // later.
     VLOG(1) << "Blocked URL " << url->spec();
-    *url = GURL();
+    *url = GURL(chrome::kAboutBlankURL);
   }
 }
 
 void RenderViewHostImpl::SetAltErrorPageURL(const GURL& url) {
   Send(new ViewMsg_SetAltErrorPageURL(GetRoutingID(), url));
 }
 
 void RenderViewHostImpl::SetGuest(bool guest) {
   guest_ = guest;
 }
@@ skipping 245 matching lines @@
   // can cause navigations to be ignored in OnMsgNavigate.
   is_waiting_for_beforeunload_ack_ = false;
   is_waiting_for_unload_ack_ = false;
 }
 
 void RenderViewHostImpl::ClearPowerSaveBlockers() {
   STLDeleteValues(&power_save_blockers_);
 }
 
 }  // namespace content