third_party/WebKit/Source/core/loader/FrameLoader.cpp - Issue 2702503002: Block renderer-initiated main frame navigations to data URLs

Keyboard Shortcuts

	File
u :	up to issue
j / k :	jump to file after / before current file
J / K :	jump to next file with a comment after / before current file
	Side-by-side diff
i :	toggle intra-line diffs
e :	expand all comments
c :	collapse all comments
s :	toggle showing all comments
n / p :	next / previous diff chunk or comment
N / P :	next / previous comment
<Up> / <Down> :	next / previous line

	Issue
u :	up to list of issues
j / k :	jump to patch after / before current patch
o / <Enter> :	open current patch in side-by-side view
i :	open current patch in unified diff view

	Issue List
j / k :	jump to issue after / before current issue
o / <Enter> :	open current issue

Unified Diff: third_party/WebKit/Source/core/loader/FrameLoader.cpp

Issue 2702503002: Block renderer-initiated main frame navigations to data URLs (Closed)

Patch Set: nasko comments, fix most tests Created 3 years, 9 months ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

View side-by-side diff with in-line comments

Download patch

« content/public/browser/navigation_handle.h ('K') | « third_party/WebKit/Source/core/loader/FrameLoader.h ('k') | third_party/WebKit/Source/platform/network/NetworkUtils.h » ('j') | no next file with comments »
Expand Comments ('e') | Collapse Comments ('c') | Hide Comments ('s')

Index: third_party/WebKit/Source/core/loader/FrameLoader.cpp

diff --git a/third_party/WebKit/Source/core/loader/FrameLoader.cpp b/third_party/WebKit/Source/core/loader/FrameLoader.cpp

index 597cb1b1b0fa65389667095eee27b036cf4d37c7..8ad62d8ea31f6ccaf43e84af30e71be7817b0f26 100644

--- a/third_party/WebKit/Source/core/loader/FrameLoader.cpp

+++ b/third_party/WebKit/Source/core/loader/FrameLoader.cpp

@@ -883,6 +883,36 @@ bool FrameLoader::prepareRequestForThisFrame(FrameLoadRequest& request) {

return false;

}

+ // Block content-initiated, top-frame navigations to data URLs. Allow if the

+ // top frame of the initiator is already a data URL so that links, redirects

+ // et.c. on data URLs aren't broken.

+ if (m_frame->isMainFrame() && url.protocol() == "data") {

+ // TODO: Check request()->downloadToFile()

+ bool canLoadDataURL = true;

+ if (request.originDocument()->frame()->tree().top()->isLocalFrame()) {

+ Document* topFrameDocument =

+ toLocalFrame(request.originDocument()->frame()->tree().top())

+ ->document();

+ canLoadDataURL =

+ topFrameDocument->url().protocol() == "data" ||

+ topFrameDocument->getSecurityOrigin()->canNavigateInTopFrame(url);

+ } else {

+ RemoteFrame* topFrame =

+ toRemoteFrame(request.originDocument()->frame()->tree().top());

+ // TODO(meacer): We don't know the URL of the remote frame, so this is

+ // only an estimate.

+ canLoadDataURL =

+ topFrame->securityContext()->getSecurityOrigin()->isUnique() ||

+ topFrame->securityContext()

+ ->getSecurityOrigin()

+ ->canNavigateInTopFrame(url);

+ }

+ if (!canLoadDataURL) {

+ reportTopLevelNavigationFailed(m_frame, url.elidedString());

+ return false;

+ }

if (!request.form() && request.frameName().isEmpty())

request.setFrameName(m_frame->document()->baseTarget());

return true;

@@ -1124,6 +1154,17 @@ void FrameLoader::reportLocalLoadFailed(LocalFrame* frame, const String& url) {

"Not allowed to load local resource: " + url));

}

+void FrameLoader::reportTopLevelNavigationFailed(LocalFrame* frame,

+ const String& url) {

+ DCHECK(!url.isEmpty());

+ if (!frame)

+ return;

+ frame->document()->addConsoleMessage(ConsoleMessage::create(

+ SecurityMessageSource, ErrorMessageLevel,

+ "Not allowed to top-level navigate to resource: " + url));

void FrameLoader::stopAllLoaders() {

if (m_frame->document()->pageDismissalEventBeingDispatched() !=

Document::NoDismissal)