Index: ios/web/web_state/ui/crw_web_controller.mm |
diff --git a/ios/web/web_state/ui/crw_web_controller.mm b/ios/web/web_state/ui/crw_web_controller.mm |
index 4452fed22046f6e61a63a78c8d0c5e3b4c7b6357..34c2dfab192a89fd782e372f482e0dbed8af79b8 100644 |
--- a/ios/web/web_state/ui/crw_web_controller.mm |
+++ b/ios/web/web_state/ui/crw_web_controller.mm |
@@ -2296,6 +2296,22 @@ const NSTimeInterval kSnapshotOverlayTransition = 0.5; |
- (void)executeUserJavaScript:(NSString*)script |
completionHandler:(web::JavaScriptResultBlock)completion { |
+ // For security reasons executing JavaScript on pages with app-specific URLs |
lpromero
2017/03/23 12:43:48
Nit: Add a comma after "reasons".
Eugene But (OOO till 7-30)
2017/03/23 17:45:08
Done.
|
+ // is not allowed, because those pages may have elevated privileges. |
+ GURL lastCommittedURL = self.webState->GetLastCommittedURL(); |
+ if (web::GetWebClient()->IsAppSpecificURL(lastCommittedURL)) { |
+ if (completion) { |
+ dispatch_async(dispatch_get_main_queue(), ^{ |
+ base::scoped_nsobject<NSError> error([[NSError alloc] |
+ initWithDomain:web::kJSEvaluationErrorDomain |
+ code:web::JS_EVALUATION_ERROR_CODE_NO_WEB_VIEW |
+ userInfo:nil]); |
+ completion(nil, error); |
+ }); |
+ } |
+ return; |
+ } |
+ |
[self setUserInteractionRegistered:YES]; |
[self executeJavaScript:script completionHandler:completion]; |
} |
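Review bot: The refusal branch reports `web::JS_EVALUATION_ERROR_CODE_NO_WEB_VIEW` with `userInfo:nil`, so a caller or a log reader cannot tell a policy denial on an app-specific URL from a genuinely missing web view. A dedicated error code for this case would be the cleaner fix; short of that, carry the reason in the error, e.g. `userInfo:@{NSLocalizedDescriptionKey : @"JavaScript execution is not allowed on app-specific URLs"}`. Separately, the guard reads `GetLastCommittedURL()` at call time and then hands the script to `executeJavaScript:completionHandler:`, which presumably evaluates asynchronously. It is worth confirming, and covering with a test, that a navigation to an app-specific page committing between the check and the evaluation cannot let the script run in the privileged document.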