Block renderer-initiated main frame navigations to data URLs

third_party/WebKit/Source/platform/weborigin/SecurityOrigin.cpp

 /*
  * Copyright (C) 2007 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
  * are met:
  *
  * 1.  Redistributions of source code must retain the above copyright
  *     notice, this list of conditions and the following disclaimer.
  * 2.  Redistributions in binary form must reproduce the above copyright
@@ skipping 12 matching lines @@
  * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
  * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
  * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
  * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
  */
 
 #include "platform/weborigin/SecurityOrigin.h"
 
 #include <memory>
 #include "platform/RuntimeEnabledFeatures.h"
+#include "platform/network/NetworkUtils.h"
 #include "platform/weborigin/KURL.h"
 #include "platform/weborigin/KnownPorts.h"
 #include "platform/weborigin/SchemeRegistry.h"
 #include "platform/weborigin/SecurityPolicy.h"
 #include "platform/weborigin/URLSecurityOriginMap.h"
 #include "platform/wtf/HexNumber.h"
 #include "platform/wtf/NotFound.h"
 #include "platform/wtf/PtrUtil.h"
 #include "platform/wtf/StdLibExtras.h"
 #include "platform/wtf/text/StringBuilder.h"
@@ skipping 286 matching lines @@
     return protocol_ == protocol ||
            SecurityPolicy::IsAccessToURLWhiteListed(this, url);
 
   if (SchemeRegistry::ShouldTreatURLSchemeAsLocal(protocol))
     return CanLoadLocalResources() ||
            SecurityPolicy::IsAccessToURLWhiteListed(this, url);
 
   return true;
 }
 
+bool SecurityOrigin::CanNavigateInTopFrame(const KURL& url) const {
+  if (universal_access_)

[dcheng, 2017/04/15 00:11:24]

I assume this exception is required for layout tests?

If so, maybe we can use LayoutTestSupport::IsRunningLayoutTest() to avoid having
to add this to SecurityOrigin?

(It seems like the rest of this logic is not SecurityOrigin dependent)

[meacer, 2017/04/15 00:53:53]

As we discussed offline, it's not required for layout tests. I kept it in to be
consistent with other checks (e.g. canDisplay method above). Since there is no
equivalent of this bit on the browser side, I'm removing this and moving the
rest of the checks to FrameLoader.cpp.

+    return true;
+
+  // Block content-initiated loads of data URLs in the top frame. If the mime
+  // type is supported, the URL will eventually be rendered, so block it here.
+  // Otherwise, the load might be handled by a plugin or end up as a download,
+  // so allow it to let the embedder figure out what to do with it.
+  if (url.ProtocolIsData() && NetworkUtils::IsDataURLMimeTypeSupported(url)) {
+    return false;
+  }
+  return true;
+}
+
 bool SecurityOrigin::IsPotentiallyTrustworthy() const {
   ASSERT(protocol_ != "data");
   if (IsUnique())
     return is_unique_origin_potentially_trustworthy_;
 
   if (SchemeRegistry::ShouldTreatURLSchemeAsSecure(protocol_) || IsLocal() ||
       IsLocalhost())
     return true;
 
   if (SecurityPolicy::IsOriginWhiteListedTrustworthy(*this))
@@ skipping 268 matching lines @@
                               &canon_output, &out_host);
   } else {
     *success = url::CanonicalizeHost(host.Characters16(),
                                      url::Component(0, host.length()),
                                      &canon_output, &out_host);
   }
   return String::FromUTF8(canon_output.data(), canon_output.length());
 }
 
 }  // namespace blink