Merge parts of 117417 from trunk.

content/browser/renderer_host/render_view_host.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "content/browser/renderer_host/render_view_host.h"
 
 #include <string>
 #include <utility>
 #include <vector>
 
@@ skipping 921 matching lines @@
   const int renderer_id = process()->GetID();
   ChildProcessSecurityPolicy* policy =
       ChildProcessSecurityPolicy::GetInstance();
   // Without this check, an evil renderer can trick the browser into creating
   // a navigation entry for a banned URL.  If the user clicks the back button
   // followed by the forward button (or clicks reload, or round-trips through
   // session restore, etc), we'll think that the browser commanded the
   // renderer to load the URL and grant the renderer the privileges to request
   // the URL.  To prevent this attack, we block the renderer from inserting
   // banned URLs into the navigation controller in the first place.
-  FilterURL(policy, renderer_id, &validated_params.url);
-  FilterURL(policy, renderer_id, &validated_params.referrer.url);
+  FilterURL(policy, renderer_id, false, &validated_params.url);
+  FilterURL(policy, renderer_id, true, &validated_params.referrer.url);
   for (std::vector<GURL>::iterator it(validated_params.redirects.begin());
       it != validated_params.redirects.end(); ++it) {
-    FilterURL(policy, renderer_id, &(*it));
+    FilterURL(policy, renderer_id, false, &(*it));
   }
-  FilterURL(policy, renderer_id, &validated_params.searchable_form_url);
-  FilterURL(policy, renderer_id, &validated_params.password_form.origin);
-  FilterURL(policy, renderer_id, &validated_params.password_form.action);
+  FilterURL(policy, renderer_id, true, &validated_params.searchable_form_url);
+  FilterURL(policy, renderer_id, true, &validated_params.password_form.origin);
+  FilterURL(policy, renderer_id, true, &validated_params.password_form.action);
 
   delegate_->DidNavigate(this, validated_params);
 }
 
 void RenderViewHost::OnMsgUpdateState(int32 page_id,
                                       const std::string& state) {
   delegate_->UpdateState(this, page_id, state);
 }
 
 void RenderViewHost::OnMsgUpdateTitle(
@@ skipping 69 matching lines @@
 
   // Validate the URLs in |params|.  If the renderer can't request the URLs
   // directly, don't show them in the context menu.
   ContextMenuParams validated_params(params);
   int renderer_id = process()->GetID();
   ChildProcessSecurityPolicy* policy =
       ChildProcessSecurityPolicy::GetInstance();
 
   // We don't validate |unfiltered_link_url| so that this field can be used
   // when users want to copy the original link URL.
-  FilterURL(policy, renderer_id, &validated_params.link_url);
-  FilterURL(policy, renderer_id, &validated_params.src_url);
-  FilterURL(policy, renderer_id, &validated_params.page_url);
-  FilterURL(policy, renderer_id, &validated_params.frame_url);
+  FilterURL(policy, renderer_id, true, &validated_params.link_url);
+  FilterURL(policy, renderer_id, true, &validated_params.src_url);
+  FilterURL(policy, renderer_id, false, &validated_params.page_url);
+  FilterURL(policy, renderer_id, true, &validated_params.frame_url);
 
   view->ShowContextMenu(validated_params);
 }
 
 void RenderViewHost::OnMsgToggleFullscreen(bool enter_fullscreen) {
   DCHECK(BrowserThread::CurrentlyOn(BrowserThread::UI));
   delegate_->ToggleFullscreenMode(enter_fullscreen);
 }
 
 void RenderViewHost::OnMsgOpenURL(const GURL& url,
                                   const content::Referrer& referrer,
                                   WindowOpenDisposition disposition,
                                   int64 source_frame_id) {
   GURL validated_url(url);
   FilterURL(ChildProcessSecurityPolicy::GetInstance(),
-            process()->GetID(), &validated_url);
+            process()->GetID(), false, &validated_url);
 
   delegate_->RequestOpenURL(
       validated_url, referrer, disposition, source_frame_id);
 }
 
 void RenderViewHost::OnMsgDidContentsPreferredSizeChange(
     const gfx::Size& new_size) {
   delegate_->UpdatePreferredSize(new_size);
 }
 
@@ skipping 65 matching lines @@
     return;
 
   GURL drag_url = drop_data.url;
   GURL html_base_url = drop_data.html_base_url;
 
   ChildProcessSecurityPolicy* policy =
       ChildProcessSecurityPolicy::GetInstance();
 
   // Allow drag of Javascript URLs to enable bookmarklet drag to bookmark bar.
   if (!drag_url.SchemeIs(chrome::kJavaScriptScheme))
-    FilterURL(policy, process()->GetID(), &drag_url);
-  FilterURL(policy, process()->GetID(), &html_base_url);
+    FilterURL(policy, process()->GetID(), false, &drag_url);
+  FilterURL(policy, process()->GetID(), false, &html_base_url);
 
   if (drag_url != drop_data.url || html_base_url != drop_data.html_base_url) {
     WebDropData drop_data_copy = drop_data;
     drop_data_copy.url = drag_url;
     drop_data_copy.html_base_url = html_base_url;
     view->StartDragging(drop_data_copy, drag_operations_mask, image,
                         image_offset);
   } else {
     view->StartDragging(drop_data, drag_operations_mask, image, image_offset);
   }
@@ skipping 167 matching lines @@
   Send(new ViewMsg_SelectPopupMenuItem(routing_id(), -1));
 }
 #endif
 
 void RenderViewHost::ToggleSpeechInput() {
   Send(new SpeechInputMsg_ToggleSpeechInput(routing_id()));
 }
 
 void RenderViewHost::FilterURL(ChildProcessSecurityPolicy* policy,
                                int renderer_id,
+                               bool empty_allowed,
                                GURL* url) {
-  if (!url->is_valid())
-    return;  // We don't need to block invalid URLs.
+  if (empty_allowed && url->is_empty())
+    return;
+
+  if (!url->is_valid()) {
+    // Have to use about:blank for the denied case, instead of an empty GURL.
+    // This is because the browser treats navigation to an empty GURL as a
+    // navigation to the home page. This is often a privileged page
+    // (chrome://newtab/) which is exactly what we don't want.
+    *url = GURL(chrome::kAboutBlankURL);
+    return;
+  }
 
   if (url->SchemeIs(chrome::kAboutScheme)) {
     // The renderer treats all URLs in the about: scheme as being about:blank.
     // Canonicalize about: URLs to about:blank.
     *url = GURL(chrome::kAboutBlankURL);
   }
 
   if (!policy->CanRequestURL(renderer_id, *url)) {
     // If this renderer is not permitted to request this URL, we invalidate the
     // URL.  This prevents us from storing the blocked URL and becoming confused
     // later.
     VLOG(1) << "Blocked URL " << url->spec();
-    *url = GURL();
+    *url = GURL(chrome::kAboutBlankURL);
   }
 }
 
 void RenderViewHost::SetAltErrorPageURL(const GURL& url) {
   Send(new ViewMsg_SetAltErrorPageURL(routing_id(), url));
 }
 
 void RenderViewHost::ExitFullscreen() {
   RejectMouseLockOrUnlockIfNecessary();
 }
@@ skipping 212 matching lines @@
   // Whenever we change swap out state, we should not be waiting for
   // beforeunload or unload acks.  We clear them here to be safe, since they
   // can cause navigations to be ignored in OnMsgNavigate.
   is_waiting_for_beforeunload_ack_ = false;
   is_waiting_for_unload_ack_ = false;
 }
 
 void RenderViewHost::ClearPowerSaveBlockers() {
   STLDeleteValues(&power_save_blockers_);
 }