PlzNavigate: Fix the FindInPageControllerTest.SearchWithinSpecialURL browser test.

content/browser/frame_host/navigation_request.cc

 // Copyright 2014 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "content/browser/frame_host/navigation_request.h"
 
 #include <utility>
 
+#include "content/browser/child_process_security_policy_impl.h"
 #include "content/browser/devtools/render_frame_devtools_agent_host.h"
 #include "content/browser/frame_host/frame_tree.h"
 #include "content/browser/frame_host/frame_tree_node.h"
 #include "content/browser/frame_host/navigation_controller_impl.h"
 #include "content/browser/frame_host/navigation_handle_impl.h"
 #include "content/browser/frame_host/navigation_request_info.h"
 #include "content/browser/frame_host/navigator.h"
 #include "content/browser/frame_host/navigator_impl.h"
 #include "content/browser/loader/navigation_url_loader.h"
+#include "content/browser/renderer_host/render_process_host_impl.h"
 #include "content/browser/service_worker/service_worker_context_wrapper.h"
 #include "content/browser/service_worker/service_worker_navigation_handle.h"
 #include "content/browser/site_instance_impl.h"
 #include "content/common/resource_request_body_impl.h"
 #include "content/public/browser/browser_context.h"
 #include "content/public/browser/content_browser_client.h"
 #include "content/public/browser/navigation_controller.h"
 #include "content/public/browser/navigation_data.h"
 #include "content/public/browser/navigation_ui_data.h"
 #include "content/public/browser/storage_partition.h"
@@ skipping 297 matching lines @@
   request_params_.navigation_timing.redirect_end = base::TimeTicks::Now();
   request_params_.navigation_timing.fetch_start = base::TimeTicks::Now();
 
   request_params_.redirect_response.push_back(response->head);
 
   request_params_.redirects.push_back(common_params_.url);
   common_params_.url = redirect_info.new_url;
   common_params_.method = redirect_info.new_method;
   common_params_.referrer.url = GURL(redirect_info.new_referrer);
 
-  // TODO(clamy): Have CSP + security upgrade checks here.
+  // For non browser initiated navigations we need to check if the source and
+  // target site instances both have access to the URL. We always allow
+  // browser initiated requests.

[Charlie Reis, 2016/10/24 22:04:36]

I don't think it matters if the target (or rather, the current SiteInstance) has
access, does it?  Suppose the source is an extension A that opens a new tab to a
web page B.  The web page B is not allowed to go to another (non-web-accessible)
extension URL (in A), but A is allowed to send the tab to another extension URL
(in A).  Note that this assumes we'll end up with a process swap for the
redirect.

Or am I thinking about this the wrong way?  What's a case where we should block
the navigation because the current SiteInstance isn't allowed to navigate there?
 

(e.g., Is there a case where the navigation would stay in the current
SiteInstance but that SiteInstance isn't allowed to request it?  Seems unlikely
to me.)

[ananta, 2016/10/24 23:01:41]

Thanks. Removed the check for the target.

   // TODO(clamy): Kill the renderer if FilterURL fails?
+  GURL url = common_params_.url;
+  if (!browser_initiated_ && source_site_instance()) {
+    source_site_instance()->GetProcess()->FilterURL(false, &url);
+    // FilterURL sets the URL to about:blank if the CSP checks prevent the
+    // renderer from accessing it.
+    if (url != common_params_.url) {

[Charlie Reis, 2016/10/24 22:04:36]

This is making an assumption that FilterURL will only ever rewrite to
about:blank.  That's true today, but maybe this should also be checking whether
|url| became about:blank (in addition to whether they differ)?

[ananta, 2016/10/24 23:01:41]

Thanks. Done.

+      NavigationRequest::OnRedirectChecksComplete(NavigationThrottle::CANCEL);
+      return;
+    }
+  }
+
+  if (!browser_initiated_) {
+    frame_tree_node()->current_frame_host()->GetSiteInstance()->GetProcess()->
+        FilterURL(false, &url);
+    if (url != common_params_.url) {
+      // FilterURL sets the URL to about:blank if the CSP checks prevent the
+      // renderer from accessing it.
+      NavigationRequest::OnRedirectChecksComplete(NavigationThrottle::CANCEL);
+      return;
+    }
+  }
 
   // It's safe to use base::Unretained because this NavigationRequest owns the
   // NavigationHandle where the callback will be stored.
   // TODO(clamy): pass the real value for |is_external_protocol| if needed.
   navigation_handle_->WillRedirectRequest(
       common_params_.url, common_params_.method, common_params_.referrer.url,
       false, response->head.headers,
       base::Bind(&NavigationRequest::OnRedirectChecksComplete,
                  base::Unretained(this)));
 }
@@ skipping 214 matching lines @@
   DCHECK_EQ(request_params_.has_user_gesture, begin_params_.has_user_gesture);
 
   render_frame_host->CommitNavigation(response_.get(), std::move(body_),
                                       common_params_, request_params_,
                                       is_view_source_);
 
   frame_tree_node_->ResetNavigationRequest(true);
 }
 
 }  // namespace content