Do not allow HTTP refresh headers to refresh to javascript: URLs.

Source/core/dom/Document.cpp

Index: Source/core/dom/Document.cpp
diff --git a/Source/core/dom/Document.cpp b/Source/core/dom/Document.cpp
index 9120562dece95b5b5ba7393616666088bd5101a2..8be59708ec297caf360e3ff7c26939cff00c58bb 100644
--- a/Source/core/dom/Document.cpp
+++ b/Source/core/dom/Document.cpp
@@ -2748,7 +2748,12 @@ void Document::processHttpEquiv(const String& equiv, const String& content)
                 url = m_url.string();
             else
                 url = completeURL(url).string();
-            frame->navigationScheduler()->scheduleRedirect(delay, url);
+            if (!protocolIsJavaScript(url)) {
+                frame->navigationScheduler()->scheduleRedirect(delay, url);
+            } else {
+                String message = "Refused to refresh " + m_url.elidedString() + " to a javascript: URL";
+                addConsoleMessage(SecurityMessageSource, ErrorMessageLevel, message);
+            }
         }
     } else if (equalIgnoringCase(equiv, "set-cookie")) {
         // FIXME: make setCookie work on XML documents too; e.g. in case of <html:meta .....>