Fix Self-Referencing OOPIF Infinite Loop

content/browser/frame_host/navigation_handle_impl.cc

Index: content/browser/frame_host/navigation_handle_impl.cc
diff --git a/content/browser/frame_host/navigation_handle_impl.cc b/content/browser/frame_host/navigation_handle_impl.cc
index eba07da522c327c1ceb5d2da68d6918584214342..91a639973f954e4a6ec1f5e9371d1169b1de4192 100644
--- a/content/browser/frame_host/navigation_handle_impl.cc
+++ b/content/browser/frame_host/navigation_handle_impl.cc
@@ -438,6 +438,12 @@ void NavigationHandleImpl::WillStartRequest(
   state_ = WILL_SEND_REQUEST;
   complete_callback_ = callback;
 
+  if (IsSelfReferentialURL()) {
+    state_ = CANCELING;
+    RunCompleteCallback(NavigationThrottle::CANCEL);
+    return;
+  }
+
   RegisterNavigationThrottles();
 
   if (IsBrowserSideNavigationEnabled())
@@ -475,6 +481,12 @@ void NavigationHandleImpl::WillRedirectRequest(
   state_ = WILL_REDIRECT_REQUEST;
   complete_callback_ = callback;
 
+  if (IsSelfReferentialURL()) {
+    state_ = CANCELING;
+    RunCompleteCallback(NavigationThrottle::CANCEL);
+    return;
+  }
+
   // Notify each throttle of the request.
   NavigationThrottle::ThrottleCheckResult result = CheckWillRedirectRequest();
 
@@ -807,4 +819,34 @@ void NavigationHandleImpl::RegisterNavigationThrottles() {
   }
 }
 
+bool NavigationHandleImpl::IsSelfReferentialURL() {
+  // about: URLs should be exempted since they are reserved for other purposes
+  // and cannot be the source of infinite recursion. BUG=341858

[alexmos, 2017/01/06 02:27:29]

nit: For referencing bug numbers, it's more common to use "See
https://crbug.com/341858."

[davidsac (gone - try alexmos), 2017/01/19 18:26:23]

Done.

+  if (url_.SchemeIs("about"))
+    return false;
+
+  // Browser-triggered navigations should be exempted.
+  if (!is_renderer_initiated_)
+    return false;
+
+  // We allow one level of self-reference because some sites depend on that,
+  // but we don't allow more than one.
+  bool found_self_reference = false;
+  for (const FrameTreeNode* node = frame_tree_node_->parent(); node;
+       node = node->parent()) {
+    url::Replacements<char> replacements;

[alexmos, 2017/01/06 02:27:29]

I think this might become more readable if you declared a helper (e.g.,
EqualIgnoringFragmentIdentifier(url1, url2)) in the anonymous namespace, similar
to the one we had in Blink, and used it here.

[davidsac (gone - try alexmos), 2017/01/19 18:26:23]

Done.

+    replacements.ClearRef();
+    replacements.ClearUsername();

[alexmos, 2017/01/06 02:27:29]

Why do you clear out username and password as well?  Just clearing the # should
be sufficient.

[davidsac (gone - try alexmos), 2017/01/19 18:26:23]

Done.

+    replacements.ClearPassword();
+    if (node->current_url().ReplaceComponents(replacements) ==
+        url_.ReplaceComponents(replacements)) {
+      if (found_self_reference) {

[alexmos, 2017/01/06 02:27:29]

nit: { not necessary

[davidsac (gone - try alexmos), 2017/01/19 18:26:23]

Done.

+        return true;
+      }
+      found_self_reference = true;
+    }
+  }
+  return false;
+}
+
 }  // namespace content