OpenURL post data handling.

content/renderer/render_frame_impl.cc

 // Copyright 2013 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "content/renderer/render_frame_impl.h"
 
 #include <map>
 #include <string>
 #include <utility>
 #include <vector>
@@ skipping 782 matching lines @@
               url::Origin(GURL(main_ds->request().url()))) ||
           main_resource_ssl_status.security_style !=
               ssl_status.security_style ||
           main_resource_ssl_status.cert_id != ssl_status.cert_id ||
           main_resource_ssl_status.cert_status != ssl_status.cert_status ||
           main_resource_ssl_status.security_bits != ssl_status.security_bits ||
           main_resource_ssl_status.connection_status !=
               ssl_status.connection_status);
 }
 
+bool IsHttpPost(const blink::WebURLRequest& request) {
+  return request.httpMethod().utf8() == "POST";
+}
+
 #if defined(OS_ANDROID)
 // Returns true if WMPI should be used for playback, false otherwise.
 //
 // Note that HLS and MP4 detection are pre-redirect and path-based. It is
 // possible to load such a URL and find different content.
 bool UseWebMediaPlayerImpl(const GURL& url) {
   // WMPI does not support HLS.
   if (media::MediaCodecUtil::IsHLSURL(url))
     return false;
 
@@ skipping 2096 matching lines @@
                                         blink::WebNavigationPolicy policy,
                                         const blink::WebString& suggested_name,
                                         bool should_replace_current_entry) {
   Referrer referrer(RenderViewImpl::GetReferrerFromRequest(frame_, request));
   if (policy == blink::WebNavigationPolicyDownload) {
     render_view_->Send(new ViewHostMsg_DownloadUrl(render_view_->GetRoutingID(),
                                                    GetRoutingID(),
                                                    request.url(), referrer,
                                                    suggested_name));
   } else {
-    OpenURL(request.url(), referrer, policy, should_replace_current_entry,
-            false);
+    OpenURL(request.url(), IsHttpPost(request),
+            GetRequestBodyForWebURLRequest(request), referrer, policy,
+            should_replace_current_entry, false);
   }
 }
 
 blink::WebHistoryItem RenderFrameImpl::historyItemForNewChildFrame() {
   // OOPIF enabled modes will punt this navigation to the browser in
   // decidePolicyForNavigation.
   if (SiteIsolationPolicy::UseSubframeNavigationEntries())
     return WebHistoryItem();
 
   return render_view_->history_controller()->GetItemForNewChildFrame(this);
@@ skipping 1845 matching lines @@
 
   // Webkit is asking whether to navigate to a new URL.
   // This is fine normally, except if we're showing UI from one security
   // context and they're trying to navigate to a different context.
   const GURL& url = info.urlRequest.url();
 
   // If the browser is interested, then give it a chance to look at the request.
   if (is_content_initiated && IsTopLevelNavigation(frame_) &&
       render_view_->renderer_preferences_
           .browser_handles_all_top_level_requests) {
-    OpenURL(url, referrer, info.defaultPolicy, info.replacesCurrentHistoryItem,
-            false);
+    OpenURL(url, IsHttpPost(info.urlRequest),
+            GetRequestBodyForWebURLRequest(info.urlRequest), referrer,
+            info.defaultPolicy, info.replacesCurrentHistoryItem, false);
     return blink::WebNavigationPolicyIgnore;  // Suppress the load here.
   }
 
   // In OOPIF-enabled modes, back/forward navigations in newly created subframes
   // should be sent to the browser in case there is a matching
   // FrameNavigationEntry.  If none is found, fall back to the default url.
   if (SiteIsolationPolicy::UseSubframeNavigationEntries() &&
       info.isHistoryNavigationInNewChildFrame && is_content_initiated) {
-    OpenURL(url, referrer, info.defaultPolicy, info.replacesCurrentHistoryItem,
-            true);
+    OpenURL(url, IsHttpPost(info.urlRequest),
+            GetRequestBodyForWebURLRequest(info.urlRequest), referrer,
+            info.defaultPolicy, info.replacesCurrentHistoryItem, true);
     // Suppress the load in Blink but mark the frame as loading.
     return blink::WebNavigationPolicyHandledByClient;
   }
 
   // Use the frame's original request's URL rather than the document's URL for
   // subsequent checks.  For a popup, the document's URL may become the opener
   // window's URL if the opener has called document.write().
   // See http://crbug.com/93517.
   GURL old_url(frame_->dataSource()->request().url());
 
   // Detect when we're crossing a permission-based boundary (e.g. into or out of
   // an extension or app origin, leaving a WebUI page, etc). We only care about
   // top-level navigations (not iframes). But we sometimes navigate to
   // about:blank to clear a tab, and we want to still allow that.
   //
   // Note: this is known to break POST submissions when crossing process
   // boundaries until http://crbug.com/101395 is fixed.  This is better for
   // security than loading a WebUI, extension or app page in the wrong process.
   // POST requests don't work because this mechanism does not preserve form
   // POST data. We will need to send the request's httpBody data up to the
   // browser process, and issue a special POST navigation in WebKit (via
   // FrameLoader::loadFrameRequest). See ResourceDispatcher and WebURLLoaderImpl
   // for examples of how to send the httpBody data.

[Łukasz Anforowicz, 2016/06/10 19:53:52]

One extra change here (one that wasn't solicited by CR feedback): removing
no-longer-applicable comment above.

[Charlie Reis, 2016/06/10 21:14:18]

Good catch!  That reminded me to do a search for 101395, and I found another one
in ChromeContentRendererClient::ShouldFork.  That case should be safe to remove,
but I'd be ok with doing that in a followup CL if you'd prefer (to avoid any
risk).

That also reminded me of comment 15 on https://crbug.com/101395, which was
actually a bit scary.  Thankfully, that signin code went away in
https://codereview.chromium.org/964553002.  Hooray!

[Charlie Reis, 2016/06/16 22:27:40]

SGTM.

   if (!frame_->parent() && is_content_initiated &&
       !url.SchemeIs(url::kAboutScheme)) {
     bool send_referrer = false;
 
     // All navigations to or from WebUI URLs or within WebUI-enabled
     // RenderProcesses must be handled by the browser process so that the
     // correct bindings and data sources can be registered.
     // Similarly, navigations to view-source URLs or within ViewSource mode
     // must be handled by the browser process (except for reloads - those are
     // safe to leave within the renderer).
@@ skipping 19 matching lines @@
     }
 
     if (!should_fork) {
       // Give the embedder a chance.
       should_fork = GetContentClient()->renderer()->ShouldFork(
           frame_, url, info.urlRequest.httpMethod().utf8(),
           is_initial_navigation, is_redirect, &send_referrer);
     }
 
     if (should_fork) {
-      OpenURL(url, send_referrer ? referrer : Referrer(), info.defaultPolicy,
+      OpenURL(url, IsHttpPost(info.urlRequest),
+              GetRequestBodyForWebURLRequest(info.urlRequest),
+              send_referrer ? referrer : Referrer(), info.defaultPolicy,
               info.replacesCurrentHistoryItem, false);
       return blink::WebNavigationPolicyIgnore;  // Suppress the load here.
     }
   }
 
   // Detect when a page is "forking" a new tab that can be safely rendered in
   // its own process.  This is done by sites like Gmail that try to open links
   // in new windows without script connections back to the original page.  We
   // treat such cases as browser navigations (in which we will create a new
   // renderer for a cross-site navigation), rather than WebKit navigations.
@@ skipping 19 matching lines @@
       frame_->parent() == NULL &&
       // Must not have issued the request from this page.
       is_content_initiated &&
       // Must be targeted at the current tab.
       info.defaultPolicy == blink::WebNavigationPolicyCurrentTab &&
       // Must be a JavaScript navigation, which appears as "other".
       info.navigationType == blink::WebNavigationTypeOther;
 
   if (is_fork) {
     // Open the URL via the browser, not via WebKit.
-    OpenURL(url, Referrer(), info.defaultPolicy,
-            info.replacesCurrentHistoryItem, false);
+    OpenURL(url, IsHttpPost(info.urlRequest),
+            GetRequestBodyForWebURLRequest(info.urlRequest), Referrer(),
+            info.defaultPolicy, info.replacesCurrentHistoryItem, false);
     return blink::WebNavigationPolicyIgnore;
   }
 
   // Execute the BeforeUnload event. If asked not to proceed or the frame is
   // destroyed, ignore the navigation. There is no need to execute the
   // BeforeUnload event during a redirect, since it was already executed at the
   // start of the navigation.
   // PlzNavigate: this is not executed when commiting the navigation.
   if (info.defaultPolicy == blink::WebNavigationPolicyCurrentTab &&
       !is_redirect && (!IsBrowserSideNavigationEnabled() ||
@@ skipping 345 matching lines @@
   // TODO(jcivelli): http:/b/5793321 Implement a better fix, as detailed in bug.
   if (!external_popup_menu_)
     return;
 
   external_popup_menu_->DidSelectItems(canceled, selected_indices);
   external_popup_menu_.reset();
 }
 #endif
 #endif
 
-void RenderFrameImpl::OpenURL(const GURL& url,
-                              const Referrer& referrer,
-                              WebNavigationPolicy policy,
-                              bool should_replace_current_entry,
-                              bool is_history_navigation_in_new_child) {
+void RenderFrameImpl::OpenURL(
+    const GURL& url,
+    bool uses_post,
+    const scoped_refptr<ResourceRequestBodyImpl>& resource_request_body,
+    const Referrer& referrer,
+    WebNavigationPolicy policy,
+    bool should_replace_current_entry,
+    bool is_history_navigation_in_new_child) {
   FrameHostMsg_OpenURL_Params params;
   params.url = url;
+  params.uses_post = uses_post;
+  params.resource_request_body = resource_request_body;
   params.referrer = referrer;
   params.disposition = RenderViewImpl::NavigationPolicyToDisposition(policy);
 
   if (IsBrowserInitiated(pending_navigation_params_.get())) {
     // This is necessary to preserve the should_replace_current_entry value on
     // cross-process redirects, in the event it was set by a previous process.
     WebDataSource* ds = frame_->provisionalDataSource();
     DCHECK(ds);
     params.should_replace_current_entry = ds->replacesCurrentHistoryItem();
   } else {
@@ skipping 882 matching lines @@
   // event target. Potentially a Pepper plugin will receive the event.
   // In order to tell whether a plugin gets the last mouse event and which it
   // is, we set |pepper_last_mouse_event_target_| to null here. If a plugin gets
   // the event, it will notify us via DidReceiveMouseEvent() and set itself as
   // |pepper_last_mouse_event_target_|.
   pepper_last_mouse_event_target_ = nullptr;
 #endif
 }
 
 }  // namespace content