Index: ios/web/web_state/ui/crw_web_controller.mm |
diff --git a/ios/web/web_state/ui/crw_web_controller.mm b/ios/web/web_state/ui/crw_web_controller.mm |
index 96f66346c385f396f998a5424c4436114c0e9919..2ccfcbeeaf9214dd2199886878b54b3653f0b58c 100644 |
--- a/ios/web/web_state/ui/crw_web_controller.mm |
+++ b/ios/web/web_state/ui/crw_web_controller.mm |
@@ -2044,7 +2044,18 @@ const NSTimeInterval kSnapshotOverlayTransition = 0.5; |
// If it's a chrome URL, but not a native one, create the WebUI instance. |
if (web::GetWebClient()->IsAppSpecificURL(currentURL) && |
![_nativeProvider hasControllerForURL:currentURL]) { |
- [self createWebUIForURL:currentURL]; |
+ web::NavigationItem* item = [self currentNavItem]; |
+ if (!(item->GetTransitionType() & ui::PAGE_TRANSITION_TYPED || |
+ item->GetTransitionType() & ui::PAGE_TRANSITION_AUTO_BOOKMARK) && |
+ self.sessionController.openedByDOM) { |
+ // WebUI URLs can not be opened by DOM to prevent cross-site scripting as |
+ // they have increased power. WebUI URLs may only be opened when the user |
+ // types in the URL or use bookmarks. |
+ [[self sessionController] discardNonCommittedEntries]; |
+ return; |
+ } else { |
+ [self createWebUIForURL:currentURL]; |
+ } |
} |
// Loading a new url, must check here if it's a native chrome URL and |