[ios] Do not allow WebUI URLs for windows open by DOM.

ios/web/web_state/ui/crw_web_controller.mm

Index: ios/web/web_state/ui/crw_web_controller.mm
diff --git a/ios/web/web_state/ui/crw_web_controller.mm b/ios/web/web_state/ui/crw_web_controller.mm
index 96f66346c385f396f998a5424c4436114c0e9919..55563f4a36ec1c9121fbf76f70cdef9dca8d43c8 100644
--- a/ios/web/web_state/ui/crw_web_controller.mm
+++ b/ios/web/web_state/ui/crw_web_controller.mm
@@ -2044,7 +2044,17 @@ const NSTimeInterval kSnapshotOverlayTransition = 0.5;
   // If it's a chrome URL, but not a native one, create the WebUI instance.
   if (web::GetWebClient()->IsAppSpecificURL(currentURL) &&
       ![_nativeProvider hasControllerForURL:currentURL]) {
-    [self createWebUIForURL:currentURL];
+    web::NavigationItem* item = [self currentNavItem];
+    if (!(item->GetTransitionType() & ui::PAGE_TRANSITION_TYPED) &&
+        self.sessionController.openedByDOM) {
+      // WebUI URLs can not be open By DOM to prevent cross-site scripting as

[Jackie Quinn, 2016/08/23 02:23:05]

s/open By/opened by

[Eugene But (OOO till 7-30), 2016/08/23 17:41:02]

Done.

+      // they have increased power. The only exception is when the user has

[Jackie Quinn, 2016/08/23 02:23:05]

Maybe "WebUI URLs may only be opened when the user types in the URL"

Also does that cover the bookmarked WebUI URL case?

[Eugene But (OOO till 7-30), 2016/08/23 17:41:02]

Good catch. Added bookmarks handling (which also accounts for history) and
updated the comment.

+      // typed URL in.
+      [[self sessionController] discardNonCommittedEntries];
+      return;
+    } else {
+      [self createWebUIForURL:currentURL];
+    }
   }
 
   // Loading a new url, must check here if it's a native chrome URL and