Block renderer-initiated main frame navigations to data URLs

content/browser/frame_host/data_url_navigation_throttle.cc

Index: content/browser/frame_host/data_url_navigation_throttle.cc
diff --git a/content/browser/frame_host/data_url_navigation_throttle.cc b/content/browser/frame_host/data_url_navigation_throttle.cc
new file mode 100644
index 0000000000000000000000000000000000000000..7239196c5f53e018919193b5a37c64d98f5f01c4
--- /dev/null
+++ b/content/browser/frame_host/data_url_navigation_throttle.cc
@@ -0,0 +1,77 @@
+// Copyright 2017 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "content/browser/frame_host/data_url_navigation_throttle.h"
+
+#include "base/memory/ptr_util.h"
+#include "base/strings/stringprintf.h"
+#include "content/browser/frame_host/frame_tree.h"
+#include "content/browser/frame_host/frame_tree_node.h"
+#include "content/browser/frame_host/navigation_handle_impl.h"
+#include "content/public/browser/navigation_handle.h"
+#include "content/public/browser/render_frame_host.h"
+#include "content/public/common/console_message_level.h"
+#include "url/url_constants.h"
+
+namespace content {
+
+namespace {
+const char kConsoleError[] =
+    "Not allowed to top-level navigate to resource: %s";
+
+bool MayBlockDataUrlNavigation(NavigationHandle* navigation_handle) {
+  // TODO(meacer): This doesn't properly handle window.open calls.
+  //               - For standard mime types (html, image etc), this is only a
+  //                 problem if PlzNavigate is enabled because otherwise checks
+  //                 are done in the renderer.
+  //               - For mime types handled by plugins (e.g. PDF), this is a
+  //                 problem for both PlzNavigate and non-PlzNavigate as there
+  //                 are no renderer side checks.
+  //               Proper implementation is blocked on crbug.com/651895.
+  NavigationHandleImpl* handle =
+      static_cast<NavigationHandleImpl*>(navigation_handle);
+  RenderFrameHost* top_frame =
+      handle->frame_tree_node()->frame_tree()->root()->current_frame_host();
+  return handle->GetURL().SchemeIs(url::kDataScheme) &&
+         handle->IsInMainFrame() && handle->IsRendererInitiated() &&
+         !top_frame->GetLastCommittedURL().SchemeIs(url::kDataScheme);
+}
+}
+
+DataUrlNavigationThrottle::DataUrlNavigationThrottle(
+    NavigationHandle* navigation_handle)
+    : NavigationThrottle(navigation_handle) {}
+
+DataUrlNavigationThrottle::~DataUrlNavigationThrottle() {}
+
+NavigationThrottle::ThrottleCheckResult
+DataUrlNavigationThrottle::WillProcessResponse() {
+  if (MayBlockDataUrlNavigation(navigation_handle()) &&

[nasko, 2017/03/30 23:15:45]

Why do you need to call this method here? If it failed before, it wouldn't have
created the throttle object, right? Between creation time and this point, none
of the checks will change, except for redirects to data URLs, which will have to
be allowed to avoid breaking webRequest extension API.

[meacer, 2017/04/05 22:33:28]

Done, only checking for download here.

+      !navigation_handle()->IsDownload()) {
+    RenderFrameHost* top_frame =
+        static_cast<NavigationHandleImpl*>(navigation_handle())
+            ->frame_tree_node()
+            ->frame_tree()
+            ->root()
+            ->current_frame_host();
+    top_frame->AddMessageToConsole(
+        CONSOLE_MESSAGE_LEVEL_ERROR,
+        base::StringPrintf(kConsoleError,
+                           navigation_handle()->GetURL().spec().c_str()));
+    return CANCEL;
+  }
+  return PROCEED;
+}
+
+// static
+std::unique_ptr<NavigationThrottle>
+DataUrlNavigationThrottle::CreateThrottleForNavigation(
+    NavigationHandle* navigation_handle) {
+  return MayBlockDataUrlNavigation(navigation_handle)
+             ? base::WrapUnique(
+                   new DataUrlNavigationThrottle(navigation_handle))
+             : nullptr;
+}
+
+}  // namespace content