Only disallow top-level navigations in platform apps

content/renderer/render_view_impl.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "content/renderer/render_view_impl.h"
 
 #include <algorithm>
 #include <cmath>
 #include <string>
 #include <vector>
@@ skipping 2354 matching lines @@
     WebString origin_str = frame->document().securityOrigin().toString();
     GURL frame_url(origin_str.utf8().data());
     // TODO(cevans): revisit whether this origin check is still necessary once
     // crbug.com/101395 is fixed.
     if (frame_url.GetOrigin() != url.GetOrigin()) {
       OpenURL(frame, url, referrer, default_policy);
       return WebKit::WebNavigationPolicyIgnore;
     }
   }
 
-  // If the browser is interested, then give it a chance to look at top level
-  // navigations.
+  // If the browser is interested, then give it a chance to look at the request.
   if (is_content_initiated) {
-    bool browser_handles_top_level_requests =
+    bool browser_handles_request =
         renderer_preferences_.browser_handles_top_level_requests &&
         IsNonLocalTopLevelNavigation(url, frame, type);
-    if (browser_handles_top_level_requests ||
-        renderer_preferences_.browser_handles_all_requests) {
+    if (!browser_handles_request) {
+      browser_handles_request = renderer_preferences_.
+              browser_handles_all_top_level_or_non_local_requests &&
+          IsRemoteOrTopLevelNavigation(url, frame);
+    }
+
+    if (browser_handles_request) {
       // Reset these counters as the RenderView could be reused for the next
       // navigation.
       page_id_ = -1;
       last_page_id_sent_to_browser_ = -1;
       OpenURL(frame, url, referrer, default_policy);
       return WebKit::WebNavigationPolicyIgnore;  // Suppress the load here.
     }
   }
 
   // Detect when we're crossing a permission-based boundary (e.g. into or out of
@@ skipping 2904 matching lines @@
                                             &override_state))
     return override_state;
   return current_state;
 }
 
 WebKit::WebUserMediaClient* RenderViewImpl::userMediaClient() {
   EnsureMediaStreamImpl();
   return media_stream_impl_;
 }
 
+bool RenderViewImpl::IsRemoteOrTopLevelNavigation(

[abarth-chromium, 2012/05/18 18:34:07]

"remote" is sort of a funny term to use here.  For example, "file" URLs aren't
remote, but this function will return true.

+    const GURL& url, WebKit::WebFrame* frame) const {
+  if (frame->parent() == NULL)
+    return true;
+
+  // blob: and data: URLs don't involve remote content either, thus are
+  // considered local.
+  if (url.SchemeIs(chrome::kBlobScheme) || url.SchemeIs(chrome::kDataScheme))

[abarth-chromium, 2012/05/18 18:34:07]

Presumably filesystem is in this category too.

+    return false;
+
+  return url.GetOrigin() !=
+      GURL(frame->document().securityOrigin().toString().utf8());
+}
+
 bool RenderViewImpl::IsNonLocalTopLevelNavigation(
-    const GURL& url, WebKit::WebFrame* frame, WebKit::WebNavigationType type) {
+    const GURL& url, WebKit::WebFrame* frame, WebKit::WebNavigationType type)
+    const {
   // Must be a top level frame.
   if (frame->parent() != NULL)
     return false;
 
   // Navigations initiated within Webkit are not sent out to the external host
   // in the following cases.
   // 1. The url scheme is not http/https
   // 2. The origin of the url and the opener is the same in which case the
   //    opener relationship is maintained.
   // 3. Reloads/form submits/back forward navigations
@@ skipping 72 matching lines @@
 bool RenderViewImpl::WebWidgetHandlesCompositorScheduling() const {
   return !!RenderThreadImpl::current()->compositor_thread();
 }
 
 void RenderViewImpl::OnJavaBridgeInit() {
   DCHECK(!java_bridge_dispatcher_);
 #if defined(ENABLE_JAVA_BRIDGE)
   java_bridge_dispatcher_ = new JavaBridgeDispatcher(this);
 #endif
 }