Ignore Javascript urls dropped on tabs (Mac version)

chrome/browser/ui/cocoa/tabs/tab_strip_controller.mm

Index: chrome/browser/ui/cocoa/tabs/tab_strip_controller.mm
diff --git a/chrome/browser/ui/cocoa/tabs/tab_strip_controller.mm b/chrome/browser/ui/cocoa/tabs/tab_strip_controller.mm
index 5d008da722bc20cfaadfd16f1f942e5c2d2dfcdb..f4a9004651c4b94eb9e76c6fdbe46d2c89b5bdf7 100644
--- a/chrome/browser/ui/cocoa/tabs/tab_strip_controller.mm
+++ b/chrome/browser/ui/cocoa/tabs/tab_strip_controller.mm
@@ -2066,6 +2066,11 @@ CGFloat FlipXInView(NSView* view, CGFloat width, CGFloat x) {
             givesIndex:&index
            disposition:&disposition];
 
+  // Security: Block JavaScript to prevent self-xss

[Avi (use Gerrit), 2016/09/16 18:31:09]

Comments are full sentences; end them with a full-stop.

[elawrence, 2016/09/16 19:02:16]

Done.

+  if (url->SchemeIs(url::kJavaScriptScheme)) {
+    return;
+  }
+

[Avi (use Gerrit), 2016/09/16 18:31:09]

Why not put this right at the beginning of the function? If we're going to bail
early, bail as early as possible.

And no {} around the one-line body of the if.

[elawrence, 2016/09/16 19:02:16]

Makes sense.
I was trying to match the style elsewhere in this file, but I'm happy to remove.

   // Either insert a new tab or open in a current tab.
   switch (disposition) {
     case WindowOpenDisposition::NEW_FOREGROUND_TAB: {