Don't grant WebUI bindings during non-WebUI subframe navigations.

content/browser/frame_host/render_frame_host_manager_unittest.cc

 // Copyright 2013 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "base/command_line.h"
 #include "base/files/file_path.h"
 #include "base/strings/utf_string_conversions.h"
 #include "base/test/histogram_tester.h"
 #include "base/time/time.h"
 #include "content/browser/compositor/test/no_transport_image_transport_factory.h"
@@ skipping 2234 matching lines @@
   // |contents1| -- that was http://crbug.com/473714.
   EXPECT_FALSE(contents2->GetMainFrame()->IsRenderFrameLive());
   contents2->NavigateAndCommit(kUrl3);
   EXPECT_TRUE(contents2->GetMainFrame()->IsRenderFrameLive());
   EXPECT_NE(nullptr,
             iframe->GetRenderFrameProxyHost(contents1->GetSiteInstance()));
   EXPECT_EQ(nullptr,
             iframe->GetRenderFrameProxyHost(contents2->GetSiteInstance()));
 }
 
+// Ensure that we don't grant WebUI bindings to a pending RenderViewHost when
+// creating proxies for a non-WebUI subframe navigation.  This was possible due
+// to the InitRenderView call from CreateRenderFrameProxy.
+// See https://crbug.com/536145.
+TEST_F(RenderFrameHostManagerTestWithSiteIsolation,
+       DontGrantPendingWebUIToSubframe) {
+  set_should_create_webui(true);
+
+  // Make sure the initial process is live so that the pending WebUI navigation
+  // does not commit immediately.  Give the page a subframe as well.
+  const GURL kUrl1("http://foo.com");
+  RenderFrameHostImpl* main_rfh = contents()->GetMainFrame();
+  NavigateAndCommit(kUrl1);
+  EXPECT_TRUE(main_rfh->render_view_host()->IsRenderViewLive());
+  EXPECT_TRUE(main_rfh->IsRenderFrameLive());
+  main_rfh->OnCreateChildFrame(main_rfh->GetProcess()->GetNextRoutingID(),
+                               blink::WebTreeScopeType::Document, std::string(),
+                               blink::WebSandboxFlags::None);
+  RenderFrameHostManager* subframe_rfhm =
+      contents()->GetFrameTree()->root()->child_at(0)->render_manager();
+
+  // Start a pending WebUI navigation in the main frame and verify that the
+  // pending RVH has bindings.
+  const GURL kWebUIUrl("chrome://foo");
+  NavigationEntryImpl webui_entry(
+      nullptr /* instance */, -1 /* page_id */, kWebUIUrl, Referrer(),
+      base::string16() /* title */, ui::PAGE_TRANSITION_TYPED,
+      false /* is_renderer_init */);
+  RenderFrameHostManager* main_rfhm = contents()->GetRenderManagerForTesting();
+  RenderFrameHostImpl* webui_rfh = NavigateToEntry(main_rfhm, webui_entry);
+  EXPECT_EQ(webui_rfh, GetPendingFrameHost(main_rfhm));
+  EXPECT_TRUE(webui_rfh->render_view_host()->GetEnabledBindings() &
+              BINDINGS_POLICY_WEB_UI);
+
+  // Before it commits, do a cross-process navigation in a subframe.  This
+  // should not grant WebUI bindings to the subframe's RVH.
+  const GURL kSubframeUrl("http://bar.com");
+  NavigationEntryImpl subframe_entry(
+      nullptr /* instance */, -1 /* page_id */, kSubframeUrl, Referrer(),
+      base::string16() /* title */, ui::PAGE_TRANSITION_LINK,
+      false /* is_renderer_init */);
+  RenderFrameHostImpl* bar_rfh = NavigateToEntry(subframe_rfhm, subframe_entry);
+  EXPECT_FALSE(bar_rfh->render_view_host()->GetEnabledBindings() &
+               BINDINGS_POLICY_WEB_UI);
+}
+
 // Test that opener proxies are created properly with a cycle on the opener
 // chain.
 TEST_F(RenderFrameHostManagerTest, CreateOpenerProxiesWithCycleOnOpenerChain) {
   const GURL kUrl1("http://www.google.com/");
   const GURL kUrl2("http://www.chromium.org/");
 
   // Navigate to an initial URL.
   contents()->NavigateAndCommit(kUrl1);
   TestRenderFrameHost* rfh1 = main_test_rfh();
   scoped_refptr<SiteInstanceImpl> site_instance1 = rfh1->GetSiteInstance();
@@ skipping 162 matching lines @@
   EXPECT_EQ(tree4, opener_frame_trees[3]);
 
   EXPECT_EQ(2U, nodes_with_back_links.size());
   EXPECT_TRUE(nodes_with_back_links.find(root1->child_at(1)) !=
               nodes_with_back_links.end());
   EXPECT_TRUE(nodes_with_back_links.find(root4->child_at(0)) !=
               nodes_with_back_links.end());
 }
 
 }  // namespace content