Allow huge data: URIs only via WebView.loadDataWithBaseUrl

content/browser/frame_host/navigation_entry_impl.cc

 // Copyright 2013 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "content/browser/frame_host/navigation_entry_impl.h"
 
 #include <queue>
 
 #include "base/metrics/histogram.h"
 #include "base/strings/string_util.h"
 #include "base/strings/utf_string_conversions.h"
 #include "components/url_formatter/url_formatter.h"
+#include "content/common/content_constants_internal.h"
 #include "content/common/navigation_params.h"
 #include "content/common/page_state_serialization.h"
 #include "content/common/site_isolation_policy.h"
 #include "content/public/common/content_constants.h"
 #include "content/public/common/url_constants.h"
 #include "ui/gfx/text_elider.h"
 
 using base::UTF16ToUTF8;
 
 namespace content {
@@ skipping 181 matching lines @@
 }
 
 void NavigationEntryImpl::SetBaseURLForDataURL(const GURL& url) {
   base_url_for_data_url_ = url;
 }
 
 const GURL& NavigationEntryImpl::GetBaseURLForDataURL() const {
   return base_url_for_data_url_;
 }
 
+#if defined(OS_ANDROID)
+void NavigationEntryImpl::SetDataURLAsString(
+    scoped_refptr<base::RefCountedString> data_url) {
+  data_url_as_string_ = data_url;

[Charlie Reis, 2015/12/15 19:22:07]

I had an earlier comment about adding a safety check here, and it looks like it
slipped through the cracks:
https://codereview.chromium.org/1497743005/diff/100001/content/browser/frame_...

[mnaganov (inactive), 2015/12/15 20:30:49]

Really sorry about missing that one! Thanks for pointing that out, added a
check.

+}
+
+const scoped_refptr<const base::RefCountedString>
+NavigationEntryImpl::GetDataURLAsString() const {
+  return data_url_as_string_;
+}
+#endif
+
 void NavigationEntryImpl::SetReferrer(const Referrer& referrer) {
   frame_tree_->frame_entry->set_referrer(referrer);
 }
 
 const Referrer& NavigationEntryImpl::GetReferrer() const {
   return frame_tree_->frame_entry->referrer();
 }
 
 void NavigationEntryImpl::SetVirtualURL(const GURL& url) {
   virtual_url_ = (url == GetURL()) ? GURL() : url;
@@ skipping 289 matching lines @@
   copy->restore_type_ = restore_type_;
   copy->original_request_url_ = original_request_url_;
   copy->is_overriding_user_agent_ = is_overriding_user_agent_;
   copy->timestamp_ = timestamp_;
   copy->http_status_code_ = http_status_code_;
   // ResetForCommit: browser_initiated_post_data_
   copy->screenshot_ = screenshot_;
   copy->extra_headers_ = extra_headers_;
   // ResetForCommit: source_site_instance_
   copy->base_url_for_data_url_ = base_url_for_data_url_;
+#if defined(OS_ANDROID)
+  copy->data_url_as_string_ = data_url_as_string_;
+#endif
   // ResetForCommit: is_renderer_initiated_
   copy->cached_display_title_ = cached_display_title_;
   // ResetForCommit: transferred_global_request_id_
   // ResetForCommit: should_replace_entry_
   copy->redirect_chain_ = redirect_chain_;
   // ResetForCommit: should_clear_history_list_
   // ResetForCommit: frame_tree_node_id_
   // ResetForCommit: intent_received_timestamp_
   copy->extra_data_ = extra_data_;
 
@@ skipping 62 matching lines @@
   int current_length_to_send = current_history_list_length;
   if (should_clear_history_list()) {
     // Set the history list related parameters to the same values a
     // NavigationController would return before its first navigation. This will
     // fully clear the RenderView's view of the session history.
     pending_offset_to_send = -1;
     current_offset_to_send = -1;
     current_length_to_send = 0;
   }
 
-  return RequestNavigationParams(
+  RequestNavigationParams request_params(
       GetIsOverridingUserAgent(), redirects, GetCanLoadLocalResources(),
       base::Time::Now(), frame_entry.page_state(), GetPageID(), GetUniqueID(),
       is_same_document_history_load, has_committed_real_load,
       intended_as_new_entry, pending_offset_to_send, current_offset_to_send,
       current_length_to_send, IsViewSourceMode(), should_clear_history_list());
+#if defined(OS_ANDROID)
+  if (GetDataURLAsString() &&
+      GetDataURLAsString()->size() <= kMaxLengthOfDataURLString) {
+    // The number of characters that is enough for validating a data: URI.  From
+    // the GURL's POV, the only important part here is scheme, it doesn't check
+    // the actual content. Thus we can take only the prefix of the url, to avoid
+    // unneeded copying of a potentially long string.
+    const size_t kDataUriPrefixMaxLen = 64;
+    GURL data_url(std::string(
+        GetDataURLAsString()->front_as<char>(),
+        std::min(GetDataURLAsString()->size(), kDataUriPrefixMaxLen)));
+    if (data_url.is_valid() && data_url.SchemeIs(url::kDataScheme))
+      request_params.data_url_as_string = GetDataURLAsString()->data();
+  }
+#endif
+  return request_params;
 }
 
 void NavigationEntryImpl::ResetForCommit() {
   // Any state that only matters when a navigation entry is pending should be
   // cleared here.
   // TODO(creis): This state should be moved to NavigationRequest once
   // PlzNavigate is enabled.
   SetBrowserInitiatedPostData(nullptr);
   set_source_site_instance(nullptr);
   set_is_renderer_initiated(false);
@@ skipping 103 matching lines @@
       return node;
     }
     // Enqueue any children and keep looking.
     for (auto& child : node->children)
       work_queue.push(child);
   }
   return nullptr;
 }
 
 }  // namespace content