To fix the cross-site post submission bug.

content/browser/web_contents/web_contents_impl.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "content/browser/web_contents/web_contents_impl.h"
 
 #include <utility>
 
 #include "base/command_line.h"
 #include "base/metrics/histogram.h"
@@ skipping 194 matching lines @@
   params->extra_headers = entry.extra_headers();
   params->transferred_request_child_id =
       entry.transferred_global_request_id().child_id;
   params->transferred_request_request_id =
       entry.transferred_global_request_id().request_id;
   params->is_overriding_user_agent = entry.GetIsOverridingUserAgent();
   // Avoid downloading when in view-source mode.
   params->allow_download = !entry.IsViewSourceMode();
   params->is_post = entry.GetHasPostData();
   if(entry.GetBrowserInitiatedPostData()) {
-      params->browser_initiated_post_data.assign(
-          entry.GetBrowserInitiatedPostData()->front(),
-          entry.GetBrowserInitiatedPostData()->front() +
-              entry.GetBrowserInitiatedPostData()->size());
-
+      params->browser_initiated_post_data =
+          entry.GetBrowserInitiatedPostData();
   }
 
   if (reload_type == NavigationControllerImpl::RELOAD_ORIGINAL_REQUEST_URL &&
       entry.GetOriginalRequestURL().is_valid() && !entry.GetHasPostData()) {
     // We may have been redirected when navigating to the current URL.
     // Use the URL the user originally intended to visit, if it's valid and if a
     // POST wasn't involved; the latter case avoids issues with sending data to
     // the wrong page.
     params->url = entry.GetOriginalRequestURL();
   } else {
@@ skipping 2638 matching lines @@
       !rvh->GetSiteInstance()->IsRelatedSiteInstance(GetSiteInstance())) {
     return;
   }
 
   // Delegate to RequestTransferURL because this is just the generic
   // case where |old_request_id| is empty.
   RequestTransferURL(url, referrer, disposition, source_frame_id,
                      GlobalRequestID());
 }
 
+void WebContentsImpl::RequestOpenPostURL(
+    RenderViewHost* rvh,
+    const GURL& url,
+    const Referrer& referrer,
+    WindowOpenDisposition disposition,
+    int64 source_frame_id,
+    const ViewMsg_PostRequest_Params& request) {
+  // If this came from a swapped out RenderViewHost, we only allow the request
+  // if we are still in the same BrowsingInstance.
+  if (static_cast<RenderViewHostImpl*>(rvh)->is_swapped_out() &&
+      !rvh->GetSiteInstance()->IsRelatedSiteInstance(GetSiteInstance())) {
+    return;
+  }
+
+  // Delegate to RequestTransferURL because this is just the generic
+  // case where |old_request_id| is empty.
+  RequestTransferPostURL(url, referrer, disposition, source_frame_id,
+                     GlobalRequestID(), request);
+}
+
 void WebContentsImpl::RequestTransferURL(
     const GURL& url,
     const Referrer& referrer,
     WindowOpenDisposition disposition,
     int64 source_frame_id,
     const GlobalRequestID& old_request_id) {
   WebContents* new_contents = NULL;
   PageTransition transition_type = PAGE_TRANSITION_LINK;
   if (render_manager_.web_ui()) {
     // When we're a Web UI, it will provide a page transition type for us (this
@@ skipping 21 matching lines @@
     FOR_EACH_OBSERVER(WebContentsObserver, observers_,
                       DidOpenRequestedURL(new_contents,
                                           url,
                                           referrer,
                                           disposition,
                                           transition_type,
                                           source_frame_id));
   }
 }
 
+void WebContentsImpl::RequestTransferPostURL(
+    const GURL& url,
+    const content::Referrer& referrer,
+    WindowOpenDisposition disposition,
+    int64 source_frame_id,
+    const GlobalRequestID& old_request_id,
+    const ViewMsg_PostRequest_Params& request) {
+  WebContents* new_contents = NULL;
+  content::PageTransition transition_type = content::PAGE_TRANSITION_LINK;
+  if (render_manager_.web_ui()) {
+    // When we're a Web UI, it will provide a page transition type for us (this
+    // is so the new tab page can specify AUTO_BOOKMARK for automatically
+    // generated suggestions).
+    //
+    // Note also that we hide the referrer for Web UI pages. We don't really
+    // want web sites to see a referrer of "chrome://blah" (and some
+    // chrome: URLs might have search terms or other stuff we don't want to
+    // send to the site), so we send no referrer.
+    OpenURLParams params(url, content::Referrer(), source_frame_id, disposition,
+        render_manager_.web_ui()->GetLinkTransitionType(),
+        false /* is_renderer_initiated */);
+    params.transferred_global_request_id = old_request_id;
+    new_contents = OpenURL(params);
+    transition_type = render_manager_.web_ui()->GetLinkTransitionType();
+  } else {
+    OpenURLParams params(url, referrer, source_frame_id, disposition,
+        content::PAGE_TRANSITION_LINK, true /* is_renderer_initiated */);
+    params.transition = content::PAGE_TRANSITION_FORM_SUBMIT;
+
+    params.browser_initiated_post_data = request.request_body;
+    params.extra_headers = request.extra_header;
+
+    params.transferred_global_request_id = old_request_id;
+    new_contents = OpenURL(params);
+  }
+  if (new_contents) {
+    // Notify observers.
+    FOR_EACH_OBSERVER(WebContentsObserver, observers_,
+                      DidOpenRequestedURL(new_contents,
+                                          url,
+                                          referrer,
+                                          disposition,
+                                          transition_type,
+                                          source_frame_id));
+  }
+}
+
 void WebContentsImpl::RouteCloseEvent(RenderViewHost* rvh) {
   // Tell the active RenderViewHost to run unload handlers and close, as long
   // as the request came from a RenderViewHost in the same BrowsingInstance.
   // In most cases, we receive this from a swapped out RenderViewHost.
   // It is possible to receive it from one that has just been swapped in,
   // in which case we might as well deliver the message anyway.
   if (rvh->GetSiteInstance()->IsRelatedSiteInstance(GetSiteInstance()))
     GetRenderViewHost()->ClosePage();
 }
 
@@ skipping 400 matching lines @@
 
 BrowserPluginGuest* WebContentsImpl::GetBrowserPluginGuest() {
   return browser_plugin_guest_.get();
 }
 
 BrowserPluginEmbedder* WebContentsImpl::GetBrowserPluginEmbedder() {
   return browser_plugin_embedder_.get();
 }
 
 }  // namespace content