Restricting redirects to chrome:

content/browser/child_process_security_policy.cc

Index: content/browser/child_process_security_policy.cc
diff --git a/content/browser/child_process_security_policy.cc b/content/browser/child_process_security_policy.cc
index 81d3964c54a5c2759ff4e0767d1fe2a6f5c65953..2f3fe5df33018ea228a31355e89aae343e31390b 100644
--- a/content/browser/child_process_security_policy.cc
+++ b/content/browser/child_process_security_policy.cc
@@ -136,6 +136,10 @@ ChildProcessSecurityPolicy::ChildProcessSecurityPolicy() {
   RegisterWebSafeScheme(chrome::kBlobScheme);
   RegisterWebSafeScheme(chrome::kFileSystemScheme);
 
+  // The following Web UI schemes are only accessible by children with with
+  // WebUI bindings.
+  RegisterWebUIScheme(chrome::kChromeUIScheme);

[abarth-chromium, 2011/09/19 06:46:39]

In the past, access to this scheme happened naturally because we navigated
render processes to chrome: URLs when we added the WebUI bindings.  Does this
mean we're granting WebUI bindings to URLs that lack the chrome: scheme?

+
   // We know about the following pseudo schemes and treat them specially.
   RegisterPseudoScheme(chrome::kAboutScheme);
   RegisterPseudoScheme(chrome::kJavaScriptScheme);
@@ -192,6 +196,21 @@ bool ChildProcessSecurityPolicy::IsWebSafeScheme(const std::string& scheme) {
   return (web_safe_schemes_.find(scheme) != web_safe_schemes_.end());
 }
 
+void ChildProcessSecurityPolicy::RegisterWebUIScheme(
+    const std::string& scheme) {
+  base::AutoLock lock(lock_);
+  DCHECK(webui_schemes_.count(scheme) == 0) << "Adds schemes at most once.";
+  DCHECK(web_safe_schemes_.count(scheme) == 0) << "WebUI schemes not web-safe.";
+
+  webui_schemes_.insert(scheme);
+}
+
+bool ChildProcessSecurityPolicy::IsWebUIScheme(const std::string& scheme) {
+    base::AutoLock lock(lock_);
+
+    return (webui_schemes_.find(scheme) != webui_schemes_.end());
+}
+
 void ChildProcessSecurityPolicy::RegisterPseudoScheme(
     const std::string& scheme) {
   base::AutoLock lock(lock_);
@@ -349,7 +368,7 @@ bool ChildProcessSecurityPolicy::CanRequestURL(
     return false;  // Can't request invalid URLs.
 
   if (IsDisabledScheme(url.scheme()))
-    return false; // The scheme is disabled by policy.
+    return false;  // The scheme is disabled by policy.
 
   if (IsWebSafeScheme(url.scheme()))
     return true;  // The scheme has been white-listed for every child process.
@@ -393,6 +412,11 @@ bool ChildProcessSecurityPolicy::CanRequestURL(
   }
 }
 
+bool ChildProcessSecurityPolicy::CanRedirectURL(
+    int child_id, const GURL& url) {
+  return CanRequestURL(child_id, url) && !IsWebUIScheme(url.scheme());

[abarth-chromium, 2011/09/19 06:46:39]

If you can request a URL, why can't you redirect to it?  I suspect you're trying
to solve this problem at the wrong layer.

The ChildProcessSecurityPolicy is only meant to be a line of defense against a
compromised rendering engine.  If a render process CanRequestURL, then that
process can navigate itself to that URL and there's no security to be gained by
blocking redirects.

+}
+
 bool ChildProcessSecurityPolicy::CanReadFile(int child_id,
                                              const FilePath& file) {
   return HasPermissionsForFile(child_id, file, kReadFilePermissions);