Fix potential XSS on the NTP

chrome/browser/resources/local_ntp/most_visited_single.js

 /* Copyright 2015 The Chromium Authors. All rights reserved.
  * Use of this source code is governed by a BSD-style license that can be
  * found in the LICENSE file. */
 
  // Single iframe for NTP tiles.
 (function() {
 'use strict';
 
 
 /**
@@ skipping 253 matching lines @@
   // We want the CSS transition to trigger, so need to add to the DOM before
   // setting the style.
   setTimeout(function() {
     cur.style.opacity = 1.0;
   }, 0);
 
   // Make sure the tiles variable contain the next tileset we may use.
   tiles = document.createElement('div');
 
   if (impressionUrl) {
-    if (navigator.sendBeacon) {

[Marc Treib, 2016/03/09 15:24:02]

navigator.sendBeacon has existed since Chrome 39, I don't think we need the
fallback anymore.

-      navigator.sendBeacon(impressionUrl);
-    } else {
-      // if sendBeacon is not enabled, we fallback to "a ping".
-      var a = document.createElement('a');
-      a.href = '#';
-      a.ping = impressionUrl;
-      a.click();
-    }
+    navigator.sendBeacon(impressionUrl);
     impressionUrl = null;
   }
 };
 
 
 /**
  * Called when the host page wants to add a suggestion tile.
  * For Most Visited, it grabs the data from Chrome and pass on.
  * For host page generated it just passes the data.
  * @param {object} args Data for the tile to be rendered.
@@ skipping 43 matching lines @@
 
   if (data == null) {
     tile.className = 'mv-empty-tile';
     return tile;
   }
 
   logEvent(LOG_TYPE.NTP_TILE);
 
   tile.className = 'mv-tile';
   tile.setAttribute('data-tid', data.tid);
-  var tooltip = queryArgs['removeTooltip'] || '';
   var html = [];
   if (!USE_ICONS) {
     html.push('<div class="mv-favicon"></div>');
   }
   html.push('<div class="mv-title"></div><div class="mv-thumb"></div>');
-  html.push('<div title="' + tooltip + '" class="mv-x"></div>');
+  html.push('<div class="mv-x"></div>');
   tile.innerHTML = html.join('');
+  tile.lastElementChild.title = queryArgs['removeTooltip'] || '';
 
-  tile.href = data.url;
+  if (!data.url.startsWith('javascript:')) {

[jochen (gone - plz use gerrit), 2016/03/09 15:26:41]

what about blob URLs etc? Would prefer a whitelist approach over a blacklist

[Marc Treib, 2016/03/09 16:28:34]

I agree that a whitelist is generally nicer, but I don't know where we could get
an appropriate whitelist from - right now, TopSites supports "any" scheme,
though I hope to change that soon (context on crbug.com/584461). Are you okay
with a blacklist for now, and revisiting once we can actually produce a
meaningful whitelist?

+    tile.href = data.url;
+  }
   tile.title = data.title;
   if (data.impressionUrl) {
     impressionUrl = data.impressionUrl;
   }
   if (data.pingUrl) {
     tile.addEventListener('click', function(ev) {
-      if (navigator.sendBeacon) {
-        navigator.sendBeacon(data.pingUrl);
-      } else {
-        // if sendBeacon is not enabled, we fallback to "a ping".
-        var a = document.createElement('a');
-        a.href = '#';
-        a.ping = data.pingUrl;
-        a.click();
-      }
+      navigator.sendBeacon(data.pingUrl);
     });
   }
   // For local suggestions, we use navigateContentWindow instead of the default
   // action, since it includes support for file:// urls.
   if (data.rid) {
     tile.addEventListener('click', function(ev) {
       ev.preventDefault();
       var disp = chrome.embeddedSearch.newTabPage.getDispositionFromClick(
         ev.button == 1,  // MIDDLE BUTTON
         ev.altKey, ev.ctrlKey, ev.metaKey, ev.shiftKey);
@@ skipping 249 matching lines @@
     var html = document.querySelector('html');
     html.dir = 'rtl';
   }
 
   window.addEventListener('message', handlePostMessage);
 };
 
 
 window.addEventListener('DOMContentLoaded', init);
 })();