PlzNavigate: Fix the FindInPageControllerTest.SearchWithinSpecialURL browser test.

content/browser/frame_host/navigation_request.cc

Index: content/browser/frame_host/navigation_request.cc
diff --git a/content/browser/frame_host/navigation_request.cc b/content/browser/frame_host/navigation_request.cc
index c13a7e7f346df429cfd58896da678a198019f258..50fcaacf14c9aebbc512280e02fbb47ff6b928ad 100644
--- a/content/browser/frame_host/navigation_request.cc
+++ b/content/browser/frame_host/navigation_request.cc
@@ -6,6 +6,7 @@
 
 #include <utility>
 
+#include "content/browser/child_process_security_policy_impl.h"
 #include "content/browser/devtools/render_frame_devtools_agent_host.h"
 #include "content/browser/frame_host/frame_tree.h"
 #include "content/browser/frame_host/frame_tree_node.h"
@@ -15,6 +16,7 @@
 #include "content/browser/frame_host/navigator.h"
 #include "content/browser/frame_host/navigator_impl.h"
 #include "content/browser/loader/navigation_url_loader.h"
+#include "content/browser/renderer_host/render_process_host_impl.h"
 #include "content/browser/service_worker/service_worker_context_wrapper.h"
 #include "content/browser/service_worker/service_worker_navigation_handle.h"
 #include "content/browser/site_instance_impl.h"
@@ -332,8 +334,31 @@ void NavigationRequest::OnRequestRedirected(
   common_params_.method = redirect_info.new_method;
   common_params_.referrer.url = GURL(redirect_info.new_referrer);
 
-  // TODO(clamy): Have CSP + security upgrade checks here.
+  // For non browser initiated navigations we need to check if the source and
+  // target site instances both have access to the URL. We always allow
+  // browser initiated requests.

[Charlie Reis, 2016/10/24 22:04:36]

I don't think it matters if the target (or rather, the current SiteInstance) has
access, does it?  Suppose the source is an extension A that opens a new tab to a
web page B.  The web page B is not allowed to go to another (non-web-accessible)
extension URL (in A), but A is allowed to send the tab to another extension URL
(in A).  Note that this assumes we'll end up with a process swap for the
redirect.

Or am I thinking about this the wrong way?  What's a case where we should block
the navigation because the current SiteInstance isn't allowed to navigate there?
 

(e.g., Is there a case where the navigation would stay in the current
SiteInstance but that SiteInstance isn't allowed to request it?  Seems unlikely
to me.)

[ananta, 2016/10/24 23:01:41]

Thanks. Removed the check for the target.

   // TODO(clamy): Kill the renderer if FilterURL fails?
+  GURL url = common_params_.url;
+  if (!browser_initiated_ && source_site_instance()) {
+    source_site_instance()->GetProcess()->FilterURL(false, &url);
+    // FilterURL sets the URL to about:blank if the CSP checks prevent the
+    // renderer from accessing it.
+    if (url != common_params_.url) {

[Charlie Reis, 2016/10/24 22:04:36]

This is making an assumption that FilterURL will only ever rewrite to
about:blank.  That's true today, but maybe this should also be checking whether
|url| became about:blank (in addition to whether they differ)?

[ananta, 2016/10/24 23:01:41]

Thanks. Done.

+      NavigationRequest::OnRedirectChecksComplete(NavigationThrottle::CANCEL);
+      return;
+    }
+  }
+
+  if (!browser_initiated_) {
+    frame_tree_node()->current_frame_host()->GetSiteInstance()->GetProcess()->
+        FilterURL(false, &url);
+    if (url != common_params_.url) {
+      // FilterURL sets the URL to about:blank if the CSP checks prevent the
+      // renderer from accessing it.
+      NavigationRequest::OnRedirectChecksComplete(NavigationThrottle::CANCEL);
+      return;
+    }
+  }
 
   // It's safe to use base::Unretained because this NavigationRequest owns the
   // NavigationHandle where the callback will be stored.