Restricting redirects to chrome:

net/url_request/url_request_http_job.cc

Index: net/url_request/url_request_http_job.cc
diff --git a/net/url_request/url_request_http_job.cc b/net/url_request/url_request_http_job.cc
index 89a0ef9a6be470fcab0fa81314e4dde0f8aca376..0d7d125d3b99101d20b40448308dc1e142a23d1d 100644
--- a/net/url_request/url_request_http_job.cc
+++ b/net/url_request/url_request_http_job.cc
@@ -1006,6 +1006,11 @@ bool URLRequestHttpJob::IsSafeRedirect(const GURL& location) {
   // restrict redirects to externally handled protocols.  Our consumer would
   // need to take care of those.
 
+  // This is a special case: we need to disallow redirects to chrome://
+  // URIs by network resources for security reasons
+  if (location.SchemeIs("chrome"))

[abarth-chromium, 2011/09/12 19:51:21]

The net module shouldn't really know anything about the "chrome" scheme.

[kenrb, 2011/09/12 20:05:05]

I know. This is a hack at this point, but the alternatives seem messy. I have
some questions in the bug, including whether it might be worth trying to change
WebKit's handling of redirects.

+    return false;
+
   if (!URLRequest::IsHandledURL(location))

[abarth-chromium, 2011/09/12 19:51:21]

Do we think that "chrome" is a handled URL?

[kenrb, 2011/09/12 20:05:05]

Note the ! in the condition. It is not a handled URL, so this function returns
true. The actual behavior of this function is to blacklist about:, javascript:,
and view-source:.

[rvargas (doing something else), 2011/09/12 21:07:14]

I don't think hard coding "chrome:" is a good idea. However, you mentioned
view-source: and javascript:, and they are not part of kBuiltinFactories, so if
IsHandledURL returns true for them, there must be a registered factory (I don't
see that). Maybe we can do something along that line.

[kenrb, 2011/09/13 00:27:53]

Sorry, my mistake. I was confusing this with a list elsewhere. It's about:,
file:, and data: that are blocked as redirect targets by this function.

     return true;