[ios] Do not allow loading chrome:// URLs from regular http/https pages.

ios/web/web_state/ui/crw_web_controller.mm

Index: ios/web/web_state/ui/crw_web_controller.mm
diff --git a/ios/web/web_state/ui/crw_web_controller.mm b/ios/web/web_state/ui/crw_web_controller.mm
index 66173f2126034c21e38cfe1ffd59f4a5bb54ff01..6cfb4c1f606b8acac99ab2d45037ee9a26e36ad0 100644
--- a/ios/web/web_state/ui/crw_web_controller.mm
+++ b/ios/web/web_state/ui/crw_web_controller.mm
@@ -4842,9 +4842,15 @@ const NSTimeInterval kSnapshotOverlayTransition = 0.5;
     // TODO(crbug.com/546347): Extract necessary tasks for app specific URL
     // navigation rather than restarting the load.
     if (web::GetWebClient()->IsAppSpecificURL(webViewURL)) {
-      [self abortWebLoad];
-      NavigationManager::WebLoadParams params(webViewURL);
-      [self loadWithParams:params];
+      // Renderer-initiated loads of WebUI can be done only from other WebUI
+      // pages. WebUI pages may have increased power and using the same web
+      // process (which may potentially be controller by an attacker) is
+      // dangerous.
+      if (web::GetWebClient()->IsAppSpecificURL(_documentURL)) {
+        [self abortWebLoad];
+        NavigationManager::WebLoadParams params(webViewURL);
+        [self loadWithParams:params];
+      }
       return;
     } else {
       [self registerLoadRequest:webViewURL];