Block renderer-initiated main frame navigations to data URLs

content/browser/loader/async_resource_handler.cc

Index: content/browser/loader/async_resource_handler.cc
diff --git a/content/browser/loader/async_resource_handler.cc b/content/browser/loader/async_resource_handler.cc
index 7d146f318664e9ad242c45493dca151121d06d04..2d9ceb91416a5446f855bbdea22e05c86c8fe3d2 100644
--- a/content/browser/loader/async_resource_handler.cc
+++ b/content/browser/loader/async_resource_handler.cc
@@ -17,7 +17,10 @@
 #include "base/memory/shared_memory.h"
 #include "base/metrics/histogram_macros.h"
 #include "base/strings/string_number_conversions.h"
+#include "base/strings/stringprintf.h"
 #include "base/time/time.h"
+#include "content/browser/frame_host/navigation_handle_impl.h"
+#include "content/browser/frame_host/render_frame_host_impl.h"
 #include "content/browser/loader/netlog_observer.h"
 #include "content/browser/loader/resource_buffer.h"
 #include "content/browser/loader/resource_controller.h"
@@ -28,6 +31,8 @@
 #include "content/common/resource_messages.h"
 #include "content/common/resource_request_completion_status.h"
 #include "content/common/view_messages.h"
+#include "content/public/browser/render_frame_host.h"
+#include "content/public/browser/web_contents.h"
 #include "content/public/common/content_features.h"
 #include "content/public/common/resource_response.h"
 #include "ipc/ipc_message_macros.h"
@@ -54,6 +59,9 @@ static int kMaxAllocationSize = 1024 * 32;
 const int kNumLeadingChunk = 2;
 const int kInlinedLeadingChunkSize = 2048;
 
+const char kDataUrlConsoleError[] =
+    "Not allowed to top-level navigate to resource: %s";
+
 void GetNumericArg(const std::string& name, int* result) {
   const std::string& value =
       base::CommandLine::ForCurrentProcess()->GetSwitchValueASCII(name);
@@ -72,6 +80,35 @@ void InitializeResourceBufferConstants() {
   GetNumericArg("resource-buffer-max-allocation-size", &kMaxAllocationSize);
 }
 
+// Determines if the current navigation pointed by |render_process_id| and
+// |render_frame_host_id| is renderer initiated and calls |callback| with
+// the result.
+void CheckNavigationIsRendererInitiated(

[meacer, 2017/03/16 19:53:21]

This is probably very wrong to do, so suggestions welcome :)

+    int render_process_id,
+    int render_frame_host_id,
+    const base::Callback<void(bool)>& callback) {
+  DCHECK_CURRENTLY_ON(BrowserThread::UI);
+  RenderFrameHostImpl* rfh =
+      RenderFrameHostImpl::FromID(render_process_id, render_frame_host_id);
+  DCHECK(rfh);
+  const bool should_cancel = rfh->navigation_handle()->IsRendererInitiated();
+  BrowserThread::PostTask(BrowserThread::IO, FROM_HERE,
+                          base::Bind(callback, should_cancel));
+}
+
+void AddConsoleMessage(
+    const content::ResourceRequestInfo::WebContentsGetter& web_contents_getter,
+    const GURL& url) {
+  DCHECK_CURRENTLY_ON(BrowserThread::UI);
+  WebContents* contents = web_contents_getter.Run();
+  DCHECK(contents);
+  if (contents) {
+    contents->GetMainFrame()->AddMessageToConsole(
+        CONSOLE_MESSAGE_LEVEL_ERROR,
+        base::StringPrintf(kDataUrlConsoleError, url.spec().c_str()));
+  }
+}
+
 // This enum is used for logging a histogram and should not be reordered.
 enum ExpectedContentSizeResult {
   EQ_RESPONSE_BODY = 0,
@@ -296,6 +333,44 @@ void AsyncResourceHandler::OnResponseStarted(
   // or of having to layout the new content twice.
   DCHECK(!has_controller());
 
+  // Block renderer-initiated, top-frame, non-download data URL navigations.
+  // Renderer-initiated check is done on the UI thread.
+  ResourceRequestInfoImpl* info = GetRequestInfo();
+  if (request()->url().SchemeIs("data") &&
+      info->requester_info()->IsRenderer() && info->IsMainFrame() &&
+      !info->IsDownload()) {
+    int render_process_id, render_frame_id;
+    if (info->GetAssociatedRenderFrame(&render_process_id, &render_frame_id)) {
+      BrowserThread::PostTask(
+          BrowserThread::UI, FROM_HERE,
+          base::Bind(
+              &CheckNavigationIsRendererInitiated, render_process_id,
+              render_frame_id,
+              base::Bind(&AsyncResourceHandler::OnResponseStartedInternal,
+                         base::Unretained(this), response,
+                         base::Passed(std::move(controller)))));
+      return;
+    }
+  }
+  OnResponseStartedInternal(response, std::move(controller), false);
+}
+
+void AsyncResourceHandler::OnResponseStartedInternal(
+    ResourceResponse* response,
+    std::unique_ptr<ResourceController> controller,
+    bool should_cancel) {
+  DCHECK_CURRENTLY_ON(BrowserThread::IO);
+  ResourceRequestInfoImpl* info = GetRequestInfo();
+
+  if (should_cancel) {
+    BrowserThread::PostTask(
+        BrowserThread::UI, FROM_HERE,
+        base::Bind(&AddConsoleMessage, info->GetWebContentsGetterForRequest(),
+                   request()->url()));
+    controller->Cancel();
+    return;
+  }
+
   response_started_ticks_ = base::TimeTicks::Now();
 
   // We want to send a final upload progress message prior to sending the
@@ -306,7 +381,6 @@ void AsyncResourceHandler::OnResponseStarted(
     upload_progress_tracker_ = nullptr;
   }
 
-  const ResourceRequestInfoImpl* info = GetRequestInfo();
   ResourceMessageFilter* filter = GetFilter();
   if (!filter) {
     controller->Cancel();