Block renderer-initiated main frame navigations to data URLs

third_party/WebKit/Source/core/loader/FrameLoader.cpp

Index: third_party/WebKit/Source/core/loader/FrameLoader.cpp
diff --git a/third_party/WebKit/Source/core/loader/FrameLoader.cpp b/third_party/WebKit/Source/core/loader/FrameLoader.cpp
index 0e912d0ee3572277b017634eef4b7a51279c924d..4560f86dc70716af16de8b56e4bfe71b109b9a3c 100644
--- a/third_party/WebKit/Source/core/loader/FrameLoader.cpp
+++ b/third_party/WebKit/Source/core/loader/FrameLoader.cpp
@@ -743,6 +743,17 @@ bool FrameLoader::prepareRequestForThisFrame(FrameLoadRequest& request) {
     return false;
   }
 
+  // Block content-initiated, top-frame navigations to data URLs.
+  if (m_frame->isMainFrame() &&
+      !request.resourceRequest().isSameDocumentNavigation() &&
+      !m_frame->client()->allowContentInitiatedDataUrlNavigations(
+          request.originDocument()->url()) &&
+      !request.originDocument()->getSecurityOrigin()->canNavigateInTopFrame(
+          url)) {
+    reportTopLevelNavigationFailed(m_frame, url.elidedString());
+    return false;
+  }
+
   if (!request.form() && request.frameName().isEmpty())
     request.setFrameName(m_frame->document()->baseTarget());
   return true;
@@ -979,6 +990,17 @@ void FrameLoader::reportLocalLoadFailed(LocalFrame* frame, const String& url) {
                              "Not allowed to load local resource: " + url));
 }
 
+void FrameLoader::reportTopLevelNavigationFailed(LocalFrame* frame,
+                                                 const String& url) {
+  DCHECK(!url.isEmpty());
+  if (!frame)
+    return;
+
+  frame->document()->addConsoleMessage(ConsoleMessage::create(
+      SecurityMessageSource, ErrorMessageLevel,
+      "Not allowed to top-level navigate to resource: " + url));
+}
+
 void FrameLoader::stopAllLoaders() {
   if (m_frame->document()->pageDismissalEventBeingDispatched() !=
       Document::NoDismissal)