signin: force web signin flow initiated visits to accounts.google.com to their own process.

chrome/browser/ui/sync/one_click_signin_helper.cc

Index: chrome/browser/ui/sync/one_click_signin_helper.cc
diff --git a/chrome/browser/ui/sync/one_click_signin_helper.cc b/chrome/browser/ui/sync/one_click_signin_helper.cc
index 7a898bad89ee47a1e4956eb38230e2c40297c99f..62212dcb78d038cca14d6460a377f67e9596def6 100644
--- a/chrome/browser/ui/sync/one_click_signin_helper.cc
+++ b/chrome/browser/ui/sync/one_click_signin_helper.cc
@@ -547,12 +547,15 @@ bool OneClickSigninHelper::CanOffer(content::WebContents* web_contents,
   if (!SigninManager::AreSigninCookiesAllowed(profile))
     return false;
 
-  if (!email.empty()) {
-    SigninManager* manager =
-        SigninManagerFactory::GetForProfile(profile);
-    if (!manager)
-      return false;
+  SigninManager* manager =
+      SigninManagerFactory::GetForProfile(profile);
+  if (!manager)
+    return false;
 
+  if (!manager->IsSigninProcess(web_contents->GetRenderProcessHost()))
+    return false;

[Roger Tawa OOO till Jul 10th, 2013/02/28 18:23:17]

This check should only be done if there is a valid email.  CanOffer() is called
from BrowserTabContents::AttachTabHelpers() to know if a OneClickSigninHelper
should even be instantiated, and does not pass in an email address.

Move this if statement to line 559 below.

+
+  if (!email.empty()) {
     // If the signin manager already has an authenticated name, then this is a
     // re-auth scenario.  Make sure the email just signed in corresponds to the
     // the one sign in manager expects.