Block renderer-initiated main frame navigations to data URLs

third_party/WebKit/Source/core/loader/FrameLoader.cpp

Index: third_party/WebKit/Source/core/loader/FrameLoader.cpp
diff --git a/third_party/WebKit/Source/core/loader/FrameLoader.cpp b/third_party/WebKit/Source/core/loader/FrameLoader.cpp
index 8cd77648a4dd0116286c5cf0df7be66d44d27041..7203ef8a2cfd4b84370797a8c79ef740909036aa 100644
--- a/third_party/WebKit/Source/core/loader/FrameLoader.cpp
+++ b/third_party/WebKit/Source/core/loader/FrameLoader.cpp
@@ -748,6 +748,17 @@ bool FrameLoader::PrepareRequestForThisFrame(FrameLoadRequest& request) {
     return false;
   }
 
+  // Block content-initiated, top-frame navigations to data URLs.
+  if (frame_->IsMainFrame() &&
+      !request.GetResourceRequest().IsSameDocumentNavigation() &&
+      !frame_->Client()->AllowContentInitiatedDataUrlNavigations(
+          request.OriginDocument()->Url()) &&
+      !request.OriginDocument()->GetSecurityOrigin()->CanNavigateInTopFrame(
+          url)) {
+    ReportTopLevelNavigationFailed(frame_, url.ElidedString());
+    return false;
+  }
+
   if (!request.Form() && request.FrameName().IsEmpty())
     request.SetFrameName(frame_->GetDocument()->BaseTarget());
   return true;
@@ -987,6 +998,17 @@ void FrameLoader::ReportLocalLoadFailed(LocalFrame* frame, const String& url) {
                              "Not allowed to load local resource: " + url));
 }
 
+void FrameLoader::ReportTopLevelNavigationFailed(LocalFrame* frame,
+                                                 const String& url) {
+  DCHECK(!url.IsEmpty());
+  if (!frame)
+    return;
+
+  frame->GetDocument()->AddConsoleMessage(ConsoleMessage::Create(
+      kSecurityMessageSource, kErrorMessageLevel,
+      "Not allowed to top-level navigate to resource: " + url));
+}
+
 void FrameLoader::StopAllLoaders() {
   if (frame_->GetDocument()->PageDismissalEventBeingDispatched() !=
       Document::kNoDismissal)