Ignore Javascript urls dropped on tabs

chrome/browser/ui/views/tabs/tab_strip.cc

Index: chrome/browser/ui/views/tabs/tab_strip.cc
diff --git a/chrome/browser/ui/views/tabs/tab_strip.cc b/chrome/browser/ui/views/tabs/tab_strip.cc
index 7800dc987e5ae98dd56dfdc7a7189dc17e99408a..0e09237e2d72b9d9170734294d03b7f6c2a2c2a2 100644
--- a/chrome/browser/ui/views/tabs/tab_strip.cc
+++ b/chrome/browser/ui/views/tabs/tab_strip.cc
@@ -1626,7 +1626,8 @@ int TabStrip::OnDragUpdated(const DropTargetEvent& event) {
   // dragging a file to the contents of another tab.
   UpdateDropIndex(event);
 
-  if (!drop_info_->file_supported)
+  if (!drop_info_->file_supported ||
+      drop_info_->url.SchemeIs(url::kJavaScriptScheme))
     return ui::DragDropTypes::DRAG_NONE;
 
   return GetDropEffect(event);
@@ -1647,14 +1648,16 @@ int TabStrip::OnPerformDrop(const DropTargetEvent& event) {
   // Hide the drop indicator.
   SetDropIndex(-1, false);
 
-  // Do nothing if the file was unsupported or the URL is invalid. The URL may
-  // have been changed after |drop_info_| was created.
+  // Do nothing if the file was unsupported, the URL is invalid, or this is a
+  // javascript: URL (prevent self-xss). The URL may have been changed after
+  // |drop_info_| was created.
   GURL url;
   base::string16 title;
   if (!file_supported ||
       !event.data().GetURLAndTitle(
            ui::OSExchangeData::CONVERT_FILENAMES, &url, &title) ||
-      !url.is_valid())
+      !url.is_valid() ||
+      url.SchemeIs(url::kJavaScriptScheme))
     return ui::DragDropTypes::DRAG_NONE;
 
   controller_->PerformDrop(drop_before, drop_index, url);