[ios] Do not allow WebUI URLs for windows open by DOM.

ios/web/web_state/ui/crw_web_controller.mm

Index: ios/web/web_state/ui/crw_web_controller.mm
diff --git a/ios/web/web_state/ui/crw_web_controller.mm b/ios/web/web_state/ui/crw_web_controller.mm
index 96f66346c385f396f998a5424c4436114c0e9919..2ccfcbeeaf9214dd2199886878b54b3653f0b58c 100644
--- a/ios/web/web_state/ui/crw_web_controller.mm
+++ b/ios/web/web_state/ui/crw_web_controller.mm
@@ -2044,7 +2044,18 @@ const NSTimeInterval kSnapshotOverlayTransition = 0.5;
   // If it's a chrome URL, but not a native one, create the WebUI instance.
   if (web::GetWebClient()->IsAppSpecificURL(currentURL) &&
       ![_nativeProvider hasControllerForURL:currentURL]) {
-    [self createWebUIForURL:currentURL];
+    web::NavigationItem* item = [self currentNavItem];
+    if (!(item->GetTransitionType() & ui::PAGE_TRANSITION_TYPED ||
+          item->GetTransitionType() & ui::PAGE_TRANSITION_AUTO_BOOKMARK) &&
+        self.sessionController.openedByDOM) {
+      // WebUI URLs can not be opened by DOM to prevent cross-site scripting as
+      // they have increased power. WebUI URLs may only be opened when the user
+      // types in the URL or use bookmarks.
+      [[self sessionController] discardNonCommittedEntries];
+      return;
+    } else {
+      [self createWebUIForURL:currentURL];
+    }
   }
 
   // Loading a new url, must check here if it's a native chrome URL and