Second attempt to swap processes on rel=noreferrer, target=blank links....

chrome/renderer/render_view.cc

 // Copyright (c) 2009 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "chrome/renderer/render_view.h"
 
 #include <algorithm>
 #include <string>
 #include <vector>
 
@@ skipping 199 matching lines @@
                        const WebPreferences& webkit_preferences)
     : RenderWidget(render_thread, true),
       enabled_bindings_(0),
       target_url_status_(TARGET_NONE),
       is_loading_(false),
       navigation_gesture_(NavigationGestureUnknown),
       page_id_(-1),
       last_page_id_sent_to_browser_(-1),
       last_indexed_page_id_(-1),
       opened_by_user_gesture_(true),
+      opener_suppressed_(false),
       ALLOW_THIS_IN_INITIALIZER_LIST(method_factory_(this)),
       devtools_agent_(NULL),
       devtools_client_(NULL),
       file_chooser_completion_(NULL),
       history_back_list_count_(0),
       history_forward_list_count_(0),
       has_unload_listener_(false),
       decrement_shared_popup_at_destruction_(false),
       autofill_query_id_(0),
       popup_notification_visible_(false),
@@ skipping 1052 matching lines @@
   // Check to make sure we aren't overloading on popups.
   if (shared_popup_counter_->data > kMaximumNumberOfUnacknowledgedPopups)
     return NULL;
 
   // This window can't be closed from a window.close() call until we receive a
   // message from the Browser process explicitly allowing it.
   popup_notification_visible_ = true;
 
   int32 routing_id = MSG_ROUTING_NONE;
   bool user_gesture = creator->isProcessingUserGesture();
+  bool opener_suppressed = creator->willSuppressOpenerInNewFrame();
 
   render_thread_->Send(
       new ViewHostMsg_CreateWindow(routing_id_, user_gesture, &routing_id));
   if (routing_id == MSG_ROUTING_NONE)
     return NULL;
 
   RenderView* view = RenderView::Create(render_thread_,
                                         0,
                                         routing_id_,
                                         renderer_preferences_,
                                         webkit_preferences_,
                                         shared_popup_counter_,
                                         routing_id);
   view->opened_by_user_gesture_ = user_gesture;
 
+  // Record whether the creator frame is trying to suppress the opener field.
+  view->opener_suppressed_ = opener_suppressed;
+
   // Record the security origin of the creator.
   GURL creator_url(creator->securityOrigin().toString().utf8());
   if (!creator_url.is_valid() || !creator_url.IsStandard())
     creator_url = GURL();
   view->creator_url_ = creator_url;
 
   // Copy over the alternate error page URL so we can have alt error pages in
   // the new render view (we don't need the browser to send the URL back down).
   view->alternate_error_page_url_ = alternate_error_page_url_;
 
@@ skipping 563 matching lines @@
   // its own process.  This is done by sites like Gmail that try to open links
   // in new windows without script connections back to the original page.  We
   // treat such cases as browser navigations (in which we will create a new
   // renderer for a cross-site navigation), rather than WebKit navigations.
   //
   // We use the following heuristic to decide whether to fork a new page in its
   // own process:
   // The parent page must open a new tab to about:blank, set the new tab's
   // window.opener to null, and then redirect the tab to a cross-site URL using
   // JavaScript.
+  //
+  // TODO(creis): Deprecate this logic once we can rely on rel=noreferrer
+  // (see below).
   bool is_fork =
       // Must start from a tab showing about:blank, which is later redirected.
       GURL(frame->url()) == GURL(chrome::kAboutBlankURL) &&
       // Must be the first real navigation of the tab.
       historyBackListCount() < 1 &&
       historyForwardListCount() < 1 &&
       // The parent page must have set the child's window.opener to null before
       // redirecting to the desired URL.
       frame->opener() == NULL &&
       // Must be a top-level frame.
       frame->parent() == NULL &&
       // Must not have issued the request from this page.
       is_content_initiated &&
       // Must be targeted at the current tab.
       default_policy == WebKit::WebNavigationPolicyCurrentTab &&
       // Must be a JavaScript navigation, which appears as "other".
       type == WebKit::WebNavigationTypeOther;
-  if (is_fork) {
+
+  // Recognize if this navigation is from a link with rel=noreferrer and
+  // target=_blank attributes, in which case the opener will be suppressed. If
+  // so, it is safe to load cross-site pages in a separate process, so we
+  // should let the browser handle it.
+  bool is_noreferrer_and_blank_target =
+      // Frame should be top level and not yet navigated.
+      frame->parent() == NULL &&
+      frame->url().isEmpty() &&
+      historyBackListCount() < 1 &&
+      historyForwardListCount() < 1 &&
+      // Links with rel=noreferrer will have no Referer field, and their
+      // resulting frame will have its window.opener suppressed.
+      // TODO(creis): should add a request.httpReferrer() method to help avoid
+      // typos on the unusual spelling of Referer.
+      request.httpHeaderField(WebString::fromUTF8("Referer")).isNull() &&
+      opener_suppressed_ &&
+      frame->opener() == NULL &&
+      // Links with target=_blank will have no name.
+      frame->name().isNull() &&
+      // Another frame (with a non-empty creator) should have initiated the
+      // request, targeted at this frame.
+      !creator_url_.is_empty() &&
+      is_content_initiated &&
+      default_policy == WebKit::WebNavigationPolicyCurrentTab &&
+      type == WebKit::WebNavigationTypeOther;
+
+  if (is_fork || is_noreferrer_and_blank_target) {
     // Open the URL via the browser, not via WebKit.
     OpenURL(url, GURL(), default_policy);
     return WebKit::WebNavigationPolicyIgnore;
   }
 
   return default_policy;
 }
 
 bool RenderView::canHandleRequest(
     WebFrame* frame, const WebURLRequest& request) {
@@ skipping 1729 matching lines @@
       new PluginMsg_SignalModalDialogEvent(host_window_));
 
   message->EnableMessagePumping();  // Runs a nested message loop.
   bool rv = Send(message);
 
   PluginChannelHost::Broadcast(
       new PluginMsg_ResetModalDialogEvent(host_window_));
 
   return rv;
 }