Index: content/browser/renderer_host/render_view_host_impl.cc |
=================================================================== |
--- content/browser/renderer_host/render_view_host_impl.cc (revision 127913) |
+++ content/browser/renderer_host/render_view_host_impl.cc (working copy) |
@@ -495,7 +495,7 @@ |
// The URL could have been cobbled together from any highlighted text string, |
// and can't be interpreted as a capability. |
WebDropData filtered_data(drop_data); |
- FilterURL(policy, renderer_id, &filtered_data.url); |
+ FilterURL(policy, renderer_id, false, &filtered_data.url); |
// The filenames vector, on the other hand, does represent a capability to |
// access the given files. |
@@ -1039,15 +1039,15 @@ |
// renderer to load the URL and grant the renderer the privileges to request |
// the URL. To prevent this attack, we block the renderer from inserting |
// banned URLs into the navigation controller in the first place. |
- FilterURL(policy, renderer_id, &validated_params.url); |
- FilterURL(policy, renderer_id, &validated_params.referrer.url); |
+ FilterURL(policy, renderer_id, false, &validated_params.url); |
+ FilterURL(policy, renderer_id, true, &validated_params.referrer.url); |
for (std::vector<GURL>::iterator it(validated_params.redirects.begin()); |
it != validated_params.redirects.end(); ++it) { |
- FilterURL(policy, renderer_id, &(*it)); |
+ FilterURL(policy, renderer_id, false, &(*it)); |
} |
- FilterURL(policy, renderer_id, &validated_params.searchable_form_url); |
- FilterURL(policy, renderer_id, &validated_params.password_form.origin); |
- FilterURL(policy, renderer_id, &validated_params.password_form.action); |
+ FilterURL(policy, renderer_id, true, &validated_params.searchable_form_url); |
+ FilterURL(policy, renderer_id, true, &validated_params.password_form.origin); |
+ FilterURL(policy, renderer_id, true, &validated_params.password_form.action); |
delegate_->DidNavigate(this, validated_params); |
} |
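Review bot: The bare `true`/`false` literals in these FilterURL calls do not tell a reader why an empty URL is acceptable for the referrer, searchable-form and password-form URLs but not for the navigated URL or the redirect chain; the same applies to the calls in the drop-data, context-menu, open-URL and drag hunks. A short comment per group would carry the reasoning, e.g. `// Referrer and form URLs may legitimately be empty; the navigated URL and redirects may not.` if that is indeed the intent. Alternatively a named enum in place of the bool would make every call site self-describing without comments. The enclosing function starts outside the hunk.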
@@ -1139,10 +1139,10 @@ |
// We don't validate |unfiltered_link_url| so that this field can be used |
// when users want to copy the original link URL. |
- FilterURL(policy, renderer_id, &validated_params.link_url); |
- FilterURL(policy, renderer_id, &validated_params.src_url); |
- FilterURL(policy, renderer_id, &validated_params.page_url); |
- FilterURL(policy, renderer_id, &validated_params.frame_url); |
+ FilterURL(policy, renderer_id, true, &validated_params.link_url); |
+ FilterURL(policy, renderer_id, true, &validated_params.src_url); |
+ FilterURL(policy, renderer_id, false, &validated_params.page_url); |
+ FilterURL(policy, renderer_id, true, &validated_params.frame_url); |
view->ShowContextMenu(validated_params); |
} |
@@ -1159,7 +1159,7 @@ |
int64 source_frame_id) { |
GURL validated_url(url); |
FilterURL(ChildProcessSecurityPolicyImpl::GetInstance(), |
- GetProcess()->GetID(), &validated_url); |
+ GetProcess()->GetID(), false, &validated_url); |
delegate_->RequestOpenURL( |
validated_url, referrer, disposition, source_frame_id); |
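Review bot: `referrer` is forwarded to `delegate_->RequestOpenURL` without passing through FilterURL, whereas the DidNavigate hunk above filters `validated_params.referrer.url`; if this referrer also originates in the renderer, it seems to deserve the same treatment, e.g. copying `referrer` into a local and calling `FilterURL(ChildProcessSecurityPolicyImpl::GetInstance(), GetProcess()->GetID(), true, &validated_referrer.url);` before the call. If the referrer is sanitized elsewhere before reaching this point, a one-line comment saying so would keep the question from being raised again. The enclosing function's signature starts outside the hunk.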
@@ -1244,8 +1244,8 @@ |
// Allow drag of Javascript URLs to enable bookmarklet drag to bookmark bar. |
if (!filtered_data.url.SchemeIs(chrome::kJavaScriptScheme)) |
- FilterURL(policy, GetProcess()->GetID(), &filtered_data.url); |
- FilterURL(policy, GetProcess()->GetID(), &filtered_data.html_base_url); |
+ FilterURL(policy, GetProcess()->GetID(), false, &filtered_data.url); |
+ FilterURL(policy, GetProcess()->GetID(), false, &filtered_data.html_base_url); |
view->StartDragging(filtered_data, drag_operations_mask, image, image_offset); |
} |
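Review bot: `html_base_url` is filtered with `empty_allowed` false, so under the new FilterURL an empty base URL — plausibly the common case when the dragged data is not an HTML fragment — is now rewritten to about:blank before reaching `view->StartDragging`, where previously an invalid URL was left untouched. If an empty base URL is legitimate here, `FilterURL(policy, GetProcess()->GetID(), true, &filtered_data.html_base_url);` preserves the earlier behaviour; if about:blank is the intended fallback, a comment stating why would help. The enclosing function starts outside the hunk.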
@@ -1448,10 +1448,20 @@ |
void RenderViewHostImpl::FilterURL(ChildProcessSecurityPolicyImpl* policy, |
int renderer_id, |
+ bool empty_allowed, |
GURL* url) { |
- if (!url->is_valid()) |
- return; // We don't need to block invalid URLs. |
+ if (empty_allowed && url->is_empty()) |
+ return; |
+ if (!url->is_valid()) { |
+ // Have to use about:blank for the denied case, instead of an empty GURL. |
+ // This is because the browser treats navigation to an empty GURL as a |
+ // navigation to the home page. This is often a privileged page |
+ // (chrome://newtab/) which is exactly what we don't want. |
+ *url = GURL(chrome::kAboutBlankURL); |
+ return; |
+ } |
+ |
if (url->SchemeIs(chrome::kAboutScheme)) { |
// The renderer treats all URLs in the about: scheme as being about:blank. |
// Canonicalize about: URLs to about:blank. |
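Review bot: The new `empty_allowed` parameter is undocumented at the definition, and its interaction with the `is_valid()` check is non-obvious: an empty GURL is also invalid, so with `empty_allowed` false an empty URL is rewritten to about:blank, while with it true the URL is left empty. Suggest a comment above the signature, e.g. `// |empty_allowed|: leave an empty |url| untouched rather than treating it as invalid. Invalid and policy-blocked URLs are replaced with about:blank, never with an empty GURL.` The header that declares FilterURL is not part of this diff and presumably carries the same parameter. The invalid-URL branch also rewrites silently, whereas the blocked branch later in this function logs at VLOG(1); a matching `VLOG(1) << "Replaced invalid URL " << url->spec();` before the assignment would make both rewrites equally traceable in logs. The rest of FilterURL continues past the hunk.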
@@ -1463,7 +1473,7 @@ |
// URL. This prevents us from storing the blocked URL and becoming confused |
// later. |
VLOG(1) << "Blocked URL " << url->spec(); |
- *url = GURL(); |
+ *url = GURL(chrome::kAboutBlankURL); |
} |
} |
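Review bot: The rationale for substituting about:blank instead of an empty GURL is given only in the invalid-URL branch earlier in this function; a one-line pointer here, e.g. `// about:blank rather than GURL() for the same reason as the invalid-URL case above.`, keeps the two rewrites from drifting apart if one is later changed. The start of this branch is outside the hunk.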