Fix Self-Referencing OOPIF Infinite Loop

content/browser/frame_host/navigation_handle_impl.cc

 // Copyright 2015 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "content/browser/frame_host/navigation_handle_impl.h"
 
 #include <iterator>
 
 #include "base/debug/dump_without_crashing.h"
 #include "base/logging.h"
@@ skipping 34 matching lines @@
     NavigationThrottle::ThrottleCheckResult result) {
   *to_update = result;
 }
 
 void NotifyAbandonedTransferNavigation(const GlobalRequestID& id) {
   DCHECK_CURRENTLY_ON(BrowserThread::IO);
   if (ResourceDispatcherHostImpl* rdh = ResourceDispatcherHostImpl::Get())
     rdh->CancelRequest(id.child_id, id.request_id);
 }
 
+// This is a helper method used in IsSelfReferentialURL.  It checks if two
+// URLs are identical when the URL fragments are removed.
+bool EqualIgnoringFragmentIdentifier(const GURL& url1, const GURL& url2) {
+  url::Replacements<char> replacements;
+  replacements.ClearRef();
+  return (url1.ReplaceComponents(replacements) ==
+          url2.ReplaceComponents(replacements));

[dcheng, 2017/01/28 01:51:44]

We (or more precisely, csharrison@) has gone to a lot of trouble to reduce the
number of string copies when working with urls.

Can we do the same thing that the Blink equivalent of this function does, so we
can avoid copies here?

[davidsac (gone - try alexmos), 2017/02/10 18:44:26]

Done.

+}
+
 }  // namespace
 
 // static
 std::unique_ptr<NavigationHandleImpl> NavigationHandleImpl::Create(
     const GURL& url,
     FrameTreeNode* frame_tree_node,
     bool is_renderer_initiated,
     bool is_same_page,
     const base::TimeTicks& navigation_start,
     int pending_nav_entry_id,
@@ skipping 373 matching lines @@
     resource_request_body_ = resource_request_body;
   sanitized_referrer_ = sanitized_referrer;
   has_user_gesture_ = has_user_gesture;
   transition_ = transition;
   is_external_protocol_ = is_external_protocol;
   request_context_type_ = request_context_type;
   mixed_content_context_type_ = mixed_content_context_type;
   state_ = WILL_SEND_REQUEST;
   complete_callback_ = callback;
 
+  if (IsSelfReferentialURL()) {
+    state_ = CANCELING;
+    RunCompleteCallback(NavigationThrottle::CANCEL);
+    return;
+  }
+
   RegisterNavigationThrottles();
 
   if (IsBrowserSideNavigationEnabled())
     navigation_ui_data_ = GetDelegate()->GetNavigationUIData(this);
 
   // Notify each throttle of the request.
   NavigationThrottle::ThrottleCheckResult result = CheckWillStartRequest();
 
   // If the navigation is not deferred, run the callback.
   if (result != NavigationThrottle::DEFER)
@@ skipping 17 matching lines @@
   response_headers_ = response_headers;
   connection_info_ = connection_info;
   was_redirected_ = true;
   redirect_chain_.push_back(new_url);
   if (new_method != "POST")
     resource_request_body_ = nullptr;
 
   state_ = WILL_REDIRECT_REQUEST;
   complete_callback_ = callback;
 
+  if (IsSelfReferentialURL()) {
+    state_ = CANCELING;
+    RunCompleteCallback(NavigationThrottle::CANCEL);
+    return;
+  }
+
   // Notify each throttle of the request.
   NavigationThrottle::ThrottleCheckResult result = CheckWillRedirectRequest();
 
   // If the navigation is not deferred, run the callback.
   if (result != NavigationThrottle::DEFER)
     RunCompleteCallback(result);
 }
 
 void NavigationHandleImpl::WillProcessResponse(
     RenderFrameHostImpl* render_frame_host,
@@ skipping 310 matching lines @@
   std::unique_ptr<content::NavigationThrottle> ancestor_throttle =
       content::AncestorThrottle::MaybeCreateThrottleFor(this);
   if (ancestor_throttle)
     throttles_.push_back(std::move(ancestor_throttle));
 
   throttles_.insert(throttles_.begin(),
                     std::make_move_iterator(throttles_to_register.begin()),
                     std::make_move_iterator(throttles_to_register.end()));
 }
 
+bool NavigationHandleImpl::IsSelfReferentialURL() {
+  // about: URLs should be exempted since they are reserved for other purposes
+  // and cannot be the source of infinite recursion. See
+  // https://crbug.com/341858 .
+  if (url_.SchemeIs("about"))
+    return false;
+
+  // Browser-triggered navigations should be exempted.
+  if (!is_renderer_initiated_)
+    return false;
+
+  // We allow one level of self-reference because some sites depend on that,
+  // but we don't allow more than one.
+  bool found_self_reference = false;
+  for (const FrameTreeNode* node = frame_tree_node_->parent(); node;
+       node = node->parent()) {
+    if (EqualIgnoringFragmentIdentifier(node->current_url(), url_)) {
+      if (found_self_reference)
+        return true;
+      found_self_reference = true;
+    }
+  }
+  return false;
+}
+
 }  // namespace content