Fix XSS in app launcher and remove use of unvalidated URL

Fix XSS in app launcher and remove use of unvalidated URL

The third parameter of "launchApp" is only used for the webstore app,
and used to append utm_source=chrome-ntp-icon to the app URL.
But the launchApp handler did not validate that the URL is safe.
To fix that issue, I specialize the parameter for launchApp: It now takes the
source string ("chrome-ntp-icon") instead of a URL without validation.

BUG=668665
TEST=Manually using test case from bug report. Also opened the app launcher and
verified that clicking on the Webstore icon still leads to the same place.
CQ_INCLUDE_TRYBOTS=master.tryserver.chromium.linux:closure_compilation

Committed: https://crrev.com/15120efa4b9394086d687086e443f47290b5170a
Cr-Commit-Position: refs/heads/master@{#434939}

[robwu, 2016-11-25 17:28:37]

Description was changed from

==========
Fix XSS in app launcher and remove use of unvalidated URL

The third parameter of "launchApp" is only used for the webstore app,
and used to append utm_source=chrome-ntp-icon to the app URL.
But the launchApp handler did not validate that the URL is safe.
To fix that issue, I specialize the parameter for launchApp: It now takes the
source string ("chrome-ntp-icon") instead of a URL without validation.

BUG=668665
TEST=Manually using test case from bug report. Also opened the app launcher and
verified that clicking on the Webstore icon still leads to the same place.
==========

to

==========
Fix XSS in app launcher and remove use of unvalidated URL

The third parameter of "launchApp" is only used for the webstore app,
and used to append utm_source=chrome-ntp-icon to the app URL.
But the launchApp handler did not validate that the URL is safe.
To fix that issue, I specialize the parameter for launchApp: It now takes the
source string ("chrome-ntp-icon") instead of a URL without validation.

BUG=668665
TEST=Manually using test case from bug report. Also opened the app launcher and
verified that clicking on the Webstore icon still leads to the same place.
CQ_INCLUDE_TRYBOTS=master.tryserver.chromium.linux:closure_compilation
==========

[robwu, 2016-11-25 17:29:36]

The CQ bit was checked by rob@robwu.nl to run a CQ dry run

[commit-bot: I haz the power, 2016-11-25 17:29:48]

Dry run: CQ is trying da patch. Follow status at
 
https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.or...

[robwu, 2016-11-25 17:31:07]

rob@robwu.nl changed reviewers:
+ dbeam@chromium.org

[commit-bot: I haz the power, 2016-11-25 18:59:41]

The CQ bit was unchecked by commit-bot@chromium.org

[commit-bot: I haz the power, 2016-11-25 18:59:42]

Dry run: This issue passed the CQ dry run.

[Dan Beam, 2016-11-29 06:27:21]

lgtm

[robwu, 2016-11-29 08:28:13]

The CQ bit was checked by rob@robwu.nl

[commit-bot: I haz the power, 2016-11-29 08:28:35]

CQ is trying da patch. Follow status at
 
https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.or...

[commit-bot: I haz the power, 2016-11-29 09:38:53]

CQ is committing da patch.

Bot data: {"patchset_id": 1, "attempt_start_ts": 1480408093092120, "parent_rev":
"e61b721ded0cf00e1b3c09a400f2ac2b2db32d4d", "commit_rev":
"02831b2dd0cd78a78a877b020e8be00980ea33fb"}

[commit-bot: I haz the power, 2016-11-29 09:39:18]

Committed patchset #1 (id:1)

[commit-bot: I haz the power, 2016-11-29 09:40:52]

Description was changed from

==========
Fix XSS in app launcher and remove use of unvalidated URL

The third parameter of "launchApp" is only used for the webstore app,
and used to append utm_source=chrome-ntp-icon to the app URL.
But the launchApp handler did not validate that the URL is safe.
To fix that issue, I specialize the parameter for launchApp: It now takes the
source string ("chrome-ntp-icon") instead of a URL without validation.

BUG=668665
TEST=Manually using test case from bug report. Also opened the app launcher and
verified that clicking on the Webstore icon still leads to the same place.
CQ_INCLUDE_TRYBOTS=master.tryserver.chromium.linux:closure_compilation
==========

to

==========
Fix XSS in app launcher and remove use of unvalidated URL

The third parameter of "launchApp" is only used for the webstore app,
and used to append utm_source=chrome-ntp-icon to the app URL.
But the launchApp handler did not validate that the URL is safe.
To fix that issue, I specialize the parameter for launchApp: It now takes the
source string ("chrome-ntp-icon") instead of a URL without validation.

BUG=668665
TEST=Manually using test case from bug report. Also opened the app launcher and
verified that clicking on the Webstore icon still leads to the same place.
CQ_INCLUDE_TRYBOTS=master.tryserver.chromium.linux:closure_compilation

Committed: https://crrev.com/15120efa4b9394086d687086e443f47290b5170a
Cr-Commit-Position: refs/heads/master@{#434939}
==========

[commit-bot: I haz the power, 2016-11-29 09:40:53]

Patchset 1 (id:??) landed as
https://crrev.com/15120efa4b9394086d687086e443f47290b5170a
Cr-Commit-Position: refs/heads/master@{#434939}