Restricting redirects to chrome:

net/url_request/url_request_http_job.cc

 // Copyright (c) 2011 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "net/url_request/url_request_http_job.h"
 
 #include "base/bind.h"
 #include "base/base_switches.h"
 #include "base/command_line.h"
 #include "base/compiler_specific.h"
@@ skipping 988 matching lines @@
 
   return !encoding_types.empty()
       ? Filter::Factory(encoding_types, *filter_context_) : NULL;
 }
 
 bool URLRequestHttpJob::IsSafeRedirect(const GURL& location) {
   // We only allow redirects to certain "safe" protocols.  This does not
   // restrict redirects to externally handled protocols.  Our consumer would
   // need to take care of those.
 
+  // This is a special case: we need to disallow redirects to chrome://
+  // URIs by network resources for security reasons
+  if (location.SchemeIs("chrome"))

[abarth-chromium, 2011/09/12 19:51:21]

The net module shouldn't really know anything about the "chrome" scheme.

[kenrb, 2011/09/12 20:05:05]

I know. This is a hack at this point, but the alternatives seem messy. I have
some questions in the bug, including whether it might be worth trying to change
WebKit's handling of redirects.

+    return false;
+
   if (!URLRequest::IsHandledURL(location))

[abarth-chromium, 2011/09/12 19:51:21]

Do we think that "chrome" is a handled URL?

[kenrb, 2011/09/12 20:05:05]

Note the ! in the condition. It is not a handled URL, so this function returns
true. The actual behavior of this function is to blacklist about:, javascript:,
and view-source:.

[rvargas (doing something else), 2011/09/12 21:07:14]

I don't think hard coding "chrome:" is a good idea. However, you mentioned
view-source: and javascript:, and they are not part of kBuiltinFactories, so if
IsHandledURL returns true for them, there must be a registered factory (I don't
see that). Maybe we can do something along that line.

[kenrb, 2011/09/13 00:27:53]

Sorry, my mistake. I was confusing this with a list elsewhere. It's about:,
file:, and data: that are blocked as redirect targets by this function.

     return true;
 
   static const char* kSafeSchemes[] = {
     "http",
     "https",
     "ftp"
   };
 
   for (size_t i = 0; i < arraysize(kSafeSchemes); ++i) {
     if (location.SchemeIs(kSafeSchemes[i]))
       return true;
   }
 
   return false;

[abarth-chromium, 2011/09/12 19:51:21]

If so, it seems like we should be returning false here.

 }
 
 bool URLRequestHttpJob::NeedsAuth() {
   int code = GetResponseCode();
   if (code == -1)
     return false;
 
   // Check if we need either Proxy or WWW Authentication.  This could happen
   // because we either provided no auth info, or provided incorrect info.
   switch (code) {
@@ skipping 441 matching lines @@
   if (done_)
     return;
   done_ = true;
 
   RecordPerfHistograms(reason);
   if (reason == FINISHED)
     RecordCompressionHistograms();
 }
 
 }  // namespace net