Allow about:blank to be considered in-page if origin matches.

content/browser/frame_host/navigation_controller_impl.cc

 // Copyright 2013 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 /*
  * Copyright (C) 2006, 2007, 2008, 2009 Apple Inc. All rights reserved.
  * Copyright (C) 2008 Nokia Corporation and/or its subsidiary(-ies)
  * Copyright (C) 2008, 2009 Torch Mobile Inc. All rights reserved.
  *     (http://www.torchmobile.com/)
  *
@@ skipping 808 matching lines @@
       pending_entry_->restore_type() != NavigationEntryImpl::RESTORE_NONE)
     pending_entry_->set_restore_type(NavigationEntryImpl::RESTORE_NONE);
 
   // The renderer tells us whether the navigation replaces the current entry.
   details->did_replace_entry = params.should_replace_current_entry;
 
   // Do navigation-type specific actions. These will make and commit an entry.
   details->type = ClassifyNavigation(rfh, params);
 
   // is_in_page must be computed before the entry gets committed.
-  details->is_in_page = IsURLInPageNavigation(
-      params.url, params.was_within_same_page, rfh);
+  details->is_in_page = IsURLInPageNavigation(params.url, params.origin,
+                                              params.was_within_same_page, rfh);
 
   switch (details->type) {
     case NAVIGATION_TYPE_NEW_PAGE:
       RendererDidNavigateToNewPage(rfh, params, details->did_replace_entry);
       break;
     case NAVIGATION_TYPE_EXISTING_PAGE:
       details->did_replace_entry = details->is_in_page;
       RendererDidNavigateToExistingPage(rfh, params);
       break;
     case NAVIGATION_TYPE_SAME_PAGE:
@@ skipping 524 matching lines @@
 // 2. A history API navigation (pushState and replaceState). This case is
 //    always in-page, but the urls are not guaranteed to match excluding the
 //    fragment. The relevant spec allows pushState/replaceState to any URL on
 //    the same origin.
 // However, due to reloads, even identical urls are *not* guaranteed to be
 // in-page navigations, we have to trust the renderer almost entirely.
 // The one thing we do know is that cross-origin navigations will *never* be
 // in-page. Therefore, trust the renderer if the URLs are on the same origin,
 // and assume the renderer is malicious if a cross-origin navigation claims to
 // be in-page.
+//
+// TODO(creis): Clean up and simplify the about:blank and origin checks below,
+// which are likely redundant with each other.  Be careful about data URLs vs
+// about:blank, both of which are unique origins and thus not considered equal.
 bool NavigationControllerImpl::IsURLInPageNavigation(
     const GURL& url,
+    const url::Origin& origin,
     bool renderer_says_in_page,
     RenderFrameHost* rfh) const {
   RenderFrameHostImpl* rfhi = static_cast<RenderFrameHostImpl*>(rfh);
   GURL last_committed_url;
   if (rfh->GetParent()) {
     // Use the FrameTreeNode's current_url and not rfh->GetLastCommittedURL(),
     // which might be empty in a new RenderFrameHost after a process swap.
     // Here, we care about the last committed URL in the FrameTreeNode,
     // regardless of which process it is in.
     last_committed_url = rfhi->frame_tree_node()->current_url();
@@ skipping 12 matching lines @@
       rfhi->frame_tree_node()->current_origin();
   bool is_same_origin = last_committed_url.is_empty() ||
                         // TODO(japhet): We should only permit navigations
                         // originating from about:blank to be in-page if the
                         // about:blank is the first document that frame loaded.
                         // We don't have sufficient information to identify
                         // that case at the moment, so always allow about:blank
                         // for now.
                         last_committed_url == GURL(url::kAboutBlankURL) ||
                         last_committed_url.GetOrigin() == url.GetOrigin() ||
+                        committed_origin == origin ||
                         !prefs.web_security_enabled ||
                         (prefs.allow_universal_access_from_file_urls &&
                          committed_origin.scheme() == url::kFileScheme);
   if (!is_same_origin && renderer_says_in_page) {
     bad_message::ReceivedBadMessage(rfh->GetProcess(),
                                     bad_message::NC_IN_PAGE_NAVIGATION);
   }
   return is_same_origin && renderer_says_in_page;
 }
 
@@ skipping 647 matching lines @@
     }
   }
 }
 
 void NavigationControllerImpl::SetGetTimestampCallbackForTest(
     const base::Callback<base::Time()>& get_timestamp_callback) {
   get_timestamp_callback_ = get_timestamp_callback;
 }
 
 }  // namespace content