Prevent webview tags from navigating outside web-safe schemes.

chrome/browser/profiles/profile_impl_io_data.cc

Index: chrome/browser/profiles/profile_impl_io_data.cc
diff --git a/chrome/browser/profiles/profile_impl_io_data.cc b/chrome/browser/profiles/profile_impl_io_data.cc
index 3920aecdebd54c683b05eb1184b83dcb7d11b040..e877b24eb1d228b7c4ce503b7769e96b34645f3d 100644
--- a/chrome/browser/profiles/profile_impl_io_data.cc
+++ b/chrome/browser/profiles/profile_impl_io_data.cc
@@ -556,12 +556,16 @@ ProfileImplIOData::InitializeAppRequestContext(
 
   // Overwrite the job factory that we inherit from the main context so
   // that we can later provide our own handles for storage related protocols.
+  // Install all the usual protocol handlers unless we are in a browser plugin
+  // guest process, in which case only web-safe schemes are allowed.
   scoped_ptr<net::URLRequestJobFactoryImpl> job_factory(
       new net::URLRequestJobFactoryImpl());
-  SetUpJobFactory(job_factory.get(), protocol_handler_interceptor.Pass(),
-                  network_delegate(),
-                  context->ftp_transaction_factory(),
-                  context->ftp_auth_cache());
+  if (!is_guest_process) {
+    SetUpJobFactory(job_factory.get(), protocol_handler_interceptor.Pass(),
+                    network_delegate(),
+                    context->ftp_transaction_factory(),
+                    context->ftp_auth_cache());
+  }
   context->SetJobFactory(job_factory.PassAs<net::URLRequestJobFactory>());
 
   return context;