Fix Self-Referencing OOPIF Infinite Loop

content/browser/frame_host/navigation_handle_impl.cc

 // Copyright 2015 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "content/browser/frame_host/navigation_handle_impl.h"
 
 #include <iterator>
 
 #include "base/debug/dump_without_crashing.h"
 #include "base/logging.h"
@@ skipping 36 matching lines @@
     NavigationThrottle::ThrottleCheckResult result) {
   *to_update = result;
 }
 
 void NotifyAbandonedTransferNavigation(const GlobalRequestID& id) {
   DCHECK_CURRENTLY_ON(BrowserThread::IO);
   if (ResourceDispatcherHostImpl* rdh = ResourceDispatcherHostImpl::Get())
     rdh->CancelRequest(id.child_id, id.request_id);
 }
 
+// This is a helper method used in IsSelfReferentialURL.  It checks if two
+// URLs are identical when the URL fragments are removed.
+bool EqualIgnoringFragmentIdentifier(const GURL& a, const GURL& b) {

[nasko, 2017/02/07 19:51:20]

This is actually being implemented in GURL itself as part of another CL. Maybe
just wait for it to land (likely today/tomorrow) and use that directly.

https://codereview.chromium.org/2584513003/diff/1240001/url/gurl.h

[davidsac (gone - try alexmos), 2017/02/10 18:44:26]

Acknowledged.

+  // Compute the length of each URL without its ref. Note that the reference
+  // begin (if it exists) points to the character *after* the '#', so we need
+  // to subtract one.
+  int aLength = a.spec().length();
+  if (a.parsed_for_possibly_invalid_spec().ref.len >= 0)
+    aLength = a.parsed_for_possibly_invalid_spec().ref.begin - 1;
+
+  int bLength = b.spec().length();
+  if (b.parsed_for_possibly_invalid_spec().ref.len >= 0)
+    bLength = b.parsed_for_possibly_invalid_spec().ref.begin - 1;
+
+  if (aLength != bLength)
+    return false;
+
+  const std::string& aString = a.spec();
+  const std::string& bString = b.spec();
+  // FIXME: Abstraction this into a function in WTFString.h.
+  for (int i = 0; i < aLength; ++i) {
+    if (aString[i] != bString[i])
+      return false;
+  }
+  return true;
+}
+
 }  // namespace
 
 // static
 std::unique_ptr<NavigationHandleImpl> NavigationHandleImpl::Create(
     const GURL& url,
     const std::vector<GURL>& redirect_chain,
     FrameTreeNode* frame_tree_node,
     bool is_renderer_initiated,
     bool is_same_page,
     const base::TimeTicks& navigation_start,
@@ skipping 433 matching lines @@
         Referrer(redirect_chain_[0], sanitized_referrer.policy);
   } else {
     sanitized_referrer_ = sanitized_referrer;
   }
   is_external_protocol_ = is_external_protocol;
   request_context_type_ = request_context_type;
   mixed_content_context_type_ = mixed_content_context_type;
   state_ = WILL_SEND_REQUEST;
   complete_callback_ = callback;
 
+  if (IsSelfReferentialURL()) {
+    state_ = CANCELING;
+    RunCompleteCallback(NavigationThrottle::CANCEL);
+    return;
+  }
+
   RegisterNavigationThrottles();
 
   if (IsBrowserSideNavigationEnabled())
     navigation_ui_data_ = GetDelegate()->GetNavigationUIData(this);
 
   // Notify each throttle of the request.
   NavigationThrottle::ThrottleCheckResult result = CheckWillStartRequest();
 
   // If the navigation is not deferred, run the callback.
   if (result != NavigationThrottle::DEFER)
@@ skipping 22 matching lines @@
   response_headers_ = response_headers;
   connection_info_ = connection_info;
   was_redirected_ = true;
   redirect_chain_.push_back(new_url);
   if (new_method != "POST")
     resource_request_body_ = nullptr;
 
   state_ = WILL_REDIRECT_REQUEST;
   complete_callback_ = callback;
 
+  if (IsSelfReferentialURL()) {
+    state_ = CANCELING;
+    RunCompleteCallback(NavigationThrottle::CANCEL);
+    return;
+  }
+
   // Notify each throttle of the request.
   NavigationThrottle::ThrottleCheckResult result = CheckWillRedirectRequest();
 
   // If the navigation is not deferred, run the callback.
   if (result != NavigationThrottle::DEFER)
     RunCompleteCallback(result);
 }
 
 void NavigationHandleImpl::WillProcessResponse(
     RenderFrameHostImpl* render_frame_host,
@@ skipping 316 matching lines @@
   std::unique_ptr<content::NavigationThrottle> ancestor_throttle =
       content::AncestorThrottle::MaybeCreateThrottleFor(this);
   if (ancestor_throttle)
     throttles_.push_back(std::move(ancestor_throttle));
 
   throttles_.insert(throttles_.begin(),
                     std::make_move_iterator(throttles_to_register.begin()),
                     std::make_move_iterator(throttles_to_register.end()));
 }
 
+bool NavigationHandleImpl::IsSelfReferentialURL() {
+  // about: URLs should be exempted since they are reserved for other purposes
+  // and cannot be the source of infinite recursion. See
+  // https://crbug.com/341858 .
+  if (url_.SchemeIs("about"))
+    return false;
+
+  // Browser-triggered navigations should be exempted.
+  if (!is_renderer_initiated_)
+    return false;
+
+  // We allow one level of self-reference because some sites depend on that,
+  // but we don't allow more than one.
+  bool found_self_reference = false;
+  for (const FrameTreeNode* node = frame_tree_node_->parent(); node;
+       node = node->parent()) {
+    if (EqualIgnoringFragmentIdentifier(node->current_url(), url_)) {
+      if (found_self_reference)
+        return true;
+      found_self_reference = true;
+    }
+  }
+  return false;
+}
+
 }  // namespace content