Block renderer-initiated main frame navigations to data URLs

third_party/WebKit/Source/core/loader/FrameLoader.cpp

 /*
  * Copyright (C) 2006, 2007, 2008, 2009, 2010, 2011 Apple Inc. All rights
  * reserved.
  * Copyright (C) 2008 Nokia Corporation and/or its subsidiary(-ies)
  * Copyright (C) 2008, 2009 Torch Mobile Inc. All rights reserved.
  * (http://www.torchmobile.com/)
  * Copyright (C) 2008 Alp Toker <alp@atoker.com>
  * Copyright (C) Research In Motion Limited 2009. All rights reserved.
  * Copyright (C) 2011 Kris Jordan <krisjordan@gmail.com>
  * Copyright (C) 2011 Google Inc. All rights reserved.
@@ skipping 865 matching lines @@
 
   KURL url = request.resourceRequest().url();
   if (m_frame->script().executeScriptIfJavaScriptURL(url, nullptr))
     return false;
 
   if (!request.originDocument()->getSecurityOrigin()->canDisplay(url)) {
     reportLocalLoadFailed(m_frame, url.elidedString());
     return false;
   }
 
+  // Block content-initiated, top-frame navigations to data URLs. Allow if the
+  // top frame of the initiator is already a data URL so that links, redirects
+  // et.c. on data URLs aren't broken.
+  if (m_frame->isMainFrame() && url.protocol() == "data") {
+    // TODO: Check request()->downloadToFile()
+    bool canLoadDataURL = true;
+    if (request.originDocument()->frame()->tree().top()->isLocalFrame()) {
+      Document* topFrameDocument =
+          toLocalFrame(request.originDocument()->frame()->tree().top())
+              ->document();
+      canLoadDataURL =
+          topFrameDocument->url().protocol() == "data" ||
+          topFrameDocument->getSecurityOrigin()->canNavigateInTopFrame(url);
+    } else {
+      RemoteFrame* topFrame =
+          toRemoteFrame(request.originDocument()->frame()->tree().top());
+      // TODO(meacer): We don't know the URL of the remote frame, so this is
+      // only an estimate.
+      canLoadDataURL =
+          topFrame->securityContext()->getSecurityOrigin()->isUnique() ||
+          topFrame->securityContext()
+              ->getSecurityOrigin()
+              ->canNavigateInTopFrame(url);
+    }
+    if (!canLoadDataURL) {
+      reportTopLevelNavigationFailed(m_frame, url.elidedString());
+      return false;
+    }
+  }
+
   if (!request.form() && request.frameName().isEmpty())
     request.setFrameName(m_frame->document()->baseTarget());
   return true;
 }
 
 static bool shouldNavigateTargetFrame(NavigationPolicy policy) {
   switch (policy) {
     case NavigationPolicyCurrentTab:
       return true;
 
@@ skipping 221 matching lines @@
 void FrameLoader::reportLocalLoadFailed(LocalFrame* frame, const String& url) {
   DCHECK(!url.isEmpty());
   if (!frame)
     return;
 
   frame->document()->addConsoleMessage(
       ConsoleMessage::create(SecurityMessageSource, ErrorMessageLevel,
                              "Not allowed to load local resource: " + url));
 }
 
+void FrameLoader::reportTopLevelNavigationFailed(LocalFrame* frame,
+                                                 const String& url) {
+  DCHECK(!url.isEmpty());
+  if (!frame)
+    return;
+
+  frame->document()->addConsoleMessage(ConsoleMessage::create(
+      SecurityMessageSource, ErrorMessageLevel,
+      "Not allowed to top-level navigate to resource: " + url));
+}
+
 void FrameLoader::stopAllLoaders() {
   if (m_frame->document()->pageDismissalEventBeingDispatched() !=
       Document::NoDismissal)
     return;
 
   // If this method is called from within this method, infinite recursion can
   // occur (3442218). Avoid this.
   if (m_inStopAllLoaders)
     return;
 
@@ skipping 764 matching lines @@
       frameLoadRequest.clientRedirect());
 
   loader->setLoadType(loadType);
   loader->setNavigationType(navigationType);
   loader->setReplacesCurrentHistoryItem(loadType ==
                                         FrameLoadTypeReplaceCurrentItem);
   return loader;
 }
 
 }  // namespace blink