signin: force web signin flow initiated visits to accounts.google.com to their own process.

chrome/browser/ui/sync/one_click_signin_helper.cc

Index: chrome/browser/ui/sync/one_click_signin_helper.cc
diff --git a/chrome/browser/ui/sync/one_click_signin_helper.cc b/chrome/browser/ui/sync/one_click_signin_helper.cc
index f0b8cedcfaa28bea1706fd0a45be47f6f23522ab..3340d57bfc1c2a6dd103299642c0ec8cfe5009f5 100644
--- a/chrome/browser/ui/sync/one_click_signin_helper.cc
+++ b/chrome/browser/ui/sync/one_click_signin_helper.cc
@@ -55,6 +55,7 @@
 #include "chrome/common/url_constants.h"
 #include "content/public/browser/browser_thread.h"
 #include "content/public/browser/page_navigator.h"
+#include "content/public/browser/render_process_host.h"
 #include "content/public/browser/web_contents.h"
 #include "content/public/browser/web_contents_view.h"
 #include "content/public/common/frame_navigate_params.h"
@@ -553,6 +554,14 @@ bool OneClickSigninHelper::CanOffer(content::WebContents* web_contents,
     if (!manager)
       return false;
 
+    if (!manager->IsSigninProcess(
+        web_contents->GetRenderProcessHost()->GetID())) {

[Charlie Reis, 2013/03/04 19:22:24]

nit: 4 more spaces.

[tim (not reviewing), 2013/03/04 23:40:19]

Done.

+      // We only allow the dedicated signin process to sign the user into
+      // Chrome without intervention, because it doesn't load any untrusted
+      // pages.
+      return false;
+    }
+
     // If the signin manager already has an authenticated name, then this is a
     // re-auth scenario.  Make sure the email just signed in corresponds to the
     // the one sign in manager expects.