Disallow was_within_same_page = true for a cross-process navigation

content/browser/frame_host/navigation_controller_impl.cc

 // Copyright 2013 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 /*
  * Copyright (C) 2006, 2007, 2008, 2009 Apple Inc. All rights reserved.
  * Copyright (C) 2008 Nokia Corporation and/or its subsidiary(-ies)
  * Copyright (C) 2008, 2009 Torch Mobile Inc. All rights reserved.
  *     (http://www.torchmobile.com/)
  *
@@ skipping 856 matching lines @@
   } else {
     details->did_replace_entry = pending_entry_ &&
                                  pending_entry_->should_replace_entry();
   }
 
   // Do navigation-type specific actions. These will make and commit an entry.
   details->type = ClassifyNavigation(rfh, params);
 
   // is_in_page must be computed before the entry gets committed.
   details->is_in_page = IsURLInPageNavigation(
-      params.url, params.was_within_same_page, rfh);
+      params.url, params.was_within_same_page, rfh, false);

[Charlie Reis, 2016/02/26 20:11:57]

This looks odd at first glance (since we do get here for cross-process
navigations), but we don't seem to need the check in this case because we get
here after committing the pending/speculative RFH.

That seems like another reason to just put the check in
NavigatorImpl::DidNavigate.

 
   switch (details->type) {
     case NAVIGATION_TYPE_NEW_PAGE:
       RendererDidNavigateToNewPage(rfh, params, details->did_replace_entry);
       break;
     case NAVIGATION_TYPE_EXISTING_PAGE:
       details->did_replace_entry = details->is_in_page;
       RendererDidNavigateToExistingPage(rfh, params);
       break;
     case NAVIGATION_TYPE_SAME_PAGE:
@@ skipping 497 matching lines @@
 //    the same origin.
 // However, due to reloads, even identical urls are *not* guaranteed to be
 // in-page navigations, we have to trust the renderer almost entirely.
 // The one thing we do know is that cross-origin navigations will *never* be
 // in-page. Therefore, trust the renderer if the URLs are on the same origin,
 // and assume the renderer is malicious if a cross-origin navigation claims to
 // be in-page.
 bool NavigationControllerImpl::IsURLInPageNavigation(
     const GURL& url,
     bool renderer_says_in_page,
-    RenderFrameHost* rfh) const {
+    RenderFrameHost* rfh,
+    bool will_swap) const {
   GURL last_committed_url;
   if (rfh->GetParent()) {
     last_committed_url = rfh->GetLastCommittedURL();
   } else {
     NavigationEntry* last_committed = GetLastCommittedEntry();
     // There must be a last-committed entry to compare URLs to. TODO(avi): When
     // might Blink say that a navigation is in-page yet there be no last-
     // committed entry?
     if (!last_committed)
       return false;
     last_committed_url = last_committed->GetURL();
   }
 
   WebPreferences prefs = rfh->GetRenderViewHost()->GetWebkitPreferences();
   const url::Origin& committed_origin = static_cast<RenderFrameHostImpl*>(rfh)
                                             ->frame_tree_node()
                                             ->current_origin();
-  bool is_same_origin = last_committed_url.is_empty() ||
+  bool maybe_in_page = !will_swap &&
+                       (last_committed_url.is_empty() ||
                         // TODO(japhet): We should only permit navigations
                         // originating from about:blank to be in-page if the
                         // about:blank is the first document that frame loaded.
                         // We don't have sufficient information to identify
                         // that case at the moment, so always allow about:blank
                         // for now.
                         last_committed_url == GURL(url::kAboutBlankURL) ||
                         last_committed_url.GetOrigin() == url.GetOrigin() ||
                         !prefs.web_security_enabled ||
                         (prefs.allow_universal_access_from_file_urls &&
-                         committed_origin.scheme() == url::kFileScheme);
-  if (!is_same_origin && renderer_says_in_page) {
+                         committed_origin.scheme() == url::kFileScheme));
+  if (!maybe_in_page && renderer_says_in_page) {
     bad_message::ReceivedBadMessage(rfh->GetProcess(),
                                     bad_message::NC_IN_PAGE_NAVIGATION);
   }
-  return is_same_origin && renderer_says_in_page;
+  return maybe_in_page && renderer_says_in_page;
 }
 
 void NavigationControllerImpl::CopyStateFrom(
     const NavigationController& temp) {
   const NavigationControllerImpl& source =
       static_cast<const NavigationControllerImpl&>(temp);
   // Verify that we look new.
   DCHECK(GetEntryCount() == 0 && !GetPendingEntry());
 
   if (source.GetEntryCount() == 0)
@@ skipping 623 matching lines @@
     }
   }
 }
 
 void NavigationControllerImpl::SetGetTimestampCallbackForTest(
     const base::Callback<base::Time()>& get_timestamp_callback) {
   get_timestamp_callback_ = get_timestamp_callback;
 }
 
 }  // namespace content