Use about:blank as the failback URL if the filter denies a navigation.

content/browser/renderer_host/render_view_host_impl.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "content/browser/renderer_host/render_view_host_impl.h"
 
 #include <set>
 #include <string>
 #include <utility>
 #include <vector>
@@ skipping 477 matching lines @@
     const gfx::Point& client_pt,
     const gfx::Point& screen_pt,
     WebDragOperationsMask operations_allowed) {
   const int renderer_id = GetProcess()->GetID();
   ChildProcessSecurityPolicyImpl* policy =
       ChildProcessSecurityPolicyImpl::GetInstance();
 
   // The URL could have been cobbled together from any highlighted text string,
   // and can't be interpreted as a capability.
   WebDropData filtered_data(drop_data);
-  FilterURL(policy, renderer_id, &filtered_data.url);
+  FilterURL(policy, renderer_id, false, &filtered_data.url);
 
   // The filenames vector, on the other hand, does represent a capability to
   // access the given files.
   std::set<FilePath> filesets;
   for (std::vector<string16>::iterator iter(filtered_data.filenames.begin());
        iter != filtered_data.filenames.end(); ++iter) {
     FilePath path = FilePath::FromWStringHack(UTF16ToWideHack(*iter));
     policy->GrantRequestURL(renderer_id, net::FilePathToFileURL(path));
     policy->GrantReadFile(renderer_id, path);
 
@@ skipping 523 matching lines @@
   const int renderer_id = GetProcess()->GetID();
   ChildProcessSecurityPolicyImpl* policy =
       ChildProcessSecurityPolicyImpl::GetInstance();
   // Without this check, an evil renderer can trick the browser into creating
   // a navigation entry for a banned URL.  If the user clicks the back button
   // followed by the forward button (or clicks reload, or round-trips through
   // session restore, etc), we'll think that the browser commanded the
   // renderer to load the URL and grant the renderer the privileges to request
   // the URL.  To prevent this attack, we block the renderer from inserting
   // banned URLs into the navigation controller in the first place.
-  FilterURL(policy, renderer_id, &validated_params.url);
-  FilterURL(policy, renderer_id, &validated_params.referrer.url);
+  FilterURL(policy, renderer_id, false, &validated_params.url);
+  FilterURL(policy, renderer_id, true, &validated_params.referrer.url);
   for (std::vector<GURL>::iterator it(validated_params.redirects.begin());
       it != validated_params.redirects.end(); ++it) {
-    FilterURL(policy, renderer_id, &(*it));
+    FilterURL(policy, renderer_id, false, &(*it));
   }
-  FilterURL(policy, renderer_id, &validated_params.searchable_form_url);
-  FilterURL(policy, renderer_id, &validated_params.password_form.origin);
-  FilterURL(policy, renderer_id, &validated_params.password_form.action);
+  FilterURL(policy, renderer_id, true, &validated_params.searchable_form_url);
+  FilterURL(policy, renderer_id, true, &validated_params.password_form.origin);
+  FilterURL(policy, renderer_id, true, &validated_params.password_form.action);
 
   delegate_->DidNavigate(this, validated_params);
 }
 
 void RenderViewHostImpl::OnMsgUpdateState(int32 page_id,
                                           const std::string& state) {
   delegate_->UpdateState(this, page_id, state);
 }
 
 void RenderViewHostImpl::OnMsgUpdateTitle(
@@ skipping 71 matching lines @@
 
   // Validate the URLs in |params|.  If the renderer can't request the URLs
   // directly, don't show them in the context menu.
   content::ContextMenuParams validated_params(params);
   int renderer_id = GetProcess()->GetID();
   ChildProcessSecurityPolicyImpl* policy =
       ChildProcessSecurityPolicyImpl::GetInstance();
 
   // We don't validate |unfiltered_link_url| so that this field can be used
   // when users want to copy the original link URL.
-  FilterURL(policy, renderer_id, &validated_params.link_url);
-  FilterURL(policy, renderer_id, &validated_params.src_url);
-  FilterURL(policy, renderer_id, &validated_params.page_url);
-  FilterURL(policy, renderer_id, &validated_params.frame_url);
+  FilterURL(policy, renderer_id, true, &validated_params.link_url);

[Charlie Reis, 2012/03/21 17:02:45]

Why is it ok for these to be empty?

+  FilterURL(policy, renderer_id, true, &validated_params.src_url);
+  FilterURL(policy, renderer_id, false, &validated_params.page_url);
+  FilterURL(policy, renderer_id, true, &validated_params.frame_url);
 
   view->ShowContextMenu(validated_params);
 }
 
 void RenderViewHostImpl::OnMsgToggleFullscreen(bool enter_fullscreen) {
   DCHECK(BrowserThread::CurrentlyOn(BrowserThread::UI));
   delegate_->ToggleFullscreenMode(enter_fullscreen);
   WasResized();
 }
 
 void RenderViewHostImpl::OnMsgOpenURL(const GURL& url,
                                       const content::Referrer& referrer,
                                       WindowOpenDisposition disposition,
                                       int64 source_frame_id) {
   GURL validated_url(url);
   FilterURL(ChildProcessSecurityPolicyImpl::GetInstance(),
-            GetProcess()->GetID(), &validated_url);
+            GetProcess()->GetID(), false, &validated_url);
 
   delegate_->RequestOpenURL(
       validated_url, referrer, disposition, source_frame_id);
 }
 
 void RenderViewHostImpl::OnMsgDidContentsPreferredSizeChange(
     const gfx::Size& new_size) {
   delegate_->UpdatePreferredSize(new_size);
 }
 
@@ skipping 64 matching lines @@
   RenderViewHostDelegate::View* view = delegate_->GetViewDelegate();
   if (!view)
     return;
 
   WebDropData filtered_data(drop_data);
   ChildProcessSecurityPolicyImpl* policy =
       ChildProcessSecurityPolicyImpl::GetInstance();
 
   // Allow drag of Javascript URLs to enable bookmarklet drag to bookmark bar.
   if (!filtered_data.url.SchemeIs(chrome::kJavaScriptScheme))
-    FilterURL(policy, GetProcess()->GetID(), &filtered_data.url);
-  FilterURL(policy, GetProcess()->GetID(), &filtered_data.html_base_url);
+    FilterURL(policy, GetProcess()->GetID(), false, &filtered_data.url);
+  FilterURL(policy, GetProcess()->GetID(), false, &filtered_data.html_base_url);
   view->StartDragging(filtered_data, drag_operations_mask, image, image_offset);
 }
 
 void RenderViewHostImpl::OnUpdateDragCursor(WebDragOperation current_op) {
   RenderViewHostDelegate::View* view = delegate_->GetViewDelegate();
   if (view)
     view->UpdateDragCursor(current_op);
 }
 
 void RenderViewHostImpl::OnTargetDropACK() {
@@ skipping 182 matching lines @@
   Send(new ViewMsg_SelectPopupMenuItem(GetRoutingID(), -1));
 }
 #endif
 
 void RenderViewHostImpl::ToggleSpeechInput() {
   Send(new InputTagSpeechMsg_ToggleSpeechInput(GetRoutingID()));
 }
 
 void RenderViewHostImpl::FilterURL(ChildProcessSecurityPolicyImpl* policy,
                                    int renderer_id,
+                                   bool empty_allowed,

[Charlie Reis, 2012/03/21 17:02:45]

You'll need to update the .h file, right?  Please add a comment there guiding
people whether to pass true or false.

                                    GURL* url) {
-  if (!url->is_valid())
-    return;  // We don't need to block invalid URLs.
+  if (empty_allowed && url->is_empty())
+    return;
+
+  if (!url->is_valid()) {
+    // Have to use about:blank for the denied case, instead of an empty GURL.
+    // This is because the browser treats navigation to an empty GURL as a
+    // navigation to the home page. This is often a privileged page
+    // (chrome://newtab/) which is exactly what we don't want.
+    *url = GURL(chrome::kAboutBlankURL);
+    return;
+  }
 
   if (url->SchemeIs(chrome::kAboutScheme)) {
     // The renderer treats all URLs in the about: scheme as being about:blank.
     // Canonicalize about: URLs to about:blank.
     *url = GURL(chrome::kAboutBlankURL);
   }
 
   if (!policy->CanRequestURL(renderer_id, *url)) {
     // If this renderer is not permitted to request this URL, we invalidate the
     // URL.  This prevents us from storing the blocked URL and becoming confused
     // later.
     VLOG(1) << "Blocked URL " << url->spec();
-    *url = GURL();
+    *url = GURL(chrome::kAboutBlankURL);
   }
 }
 
 void RenderViewHostImpl::SetAltErrorPageURL(const GURL& url) {
   Send(new ViewMsg_SetAltErrorPageURL(GetRoutingID(), url));
 }
 
 void RenderViewHostImpl::SetGuest(bool guest) {
   guest_ = guest;
 }
@@ skipping 245 matching lines @@
   // can cause navigations to be ignored in OnMsgNavigate.
   is_waiting_for_beforeunload_ack_ = false;
   is_waiting_for_unload_ack_ = false;
 }
 
 void RenderViewHostImpl::ClearPowerSaveBlockers() {
   STLDeleteValues(&power_save_blockers_);
 }
 
 }  // namespace content