Block data URL navigations with RenderFrameImpl::DecidePolicyForNavigation

content/renderer/render_frame_impl.cc

 // Copyright 2013 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "content/renderer/render_frame_impl.h"
 
 #include <map>
 #include <string>
 #include <utility>
 #include <vector>
 
 #include "base/auto_reset.h"
 #include "base/bind_helpers.h"
 #include "base/command_line.h"
 #include "base/debug/alias.h"
 #include "base/debug/asan_invalid_access.h"
 #include "base/debug/crash_logging.h"
 #include "base/debug/dump_without_crashing.h"
+#include "base/feature_list.h"
 #include "base/files/file.h"
 #include "base/i18n/char_iterator.h"
 #include "base/logging.h"
 #include "base/macros.h"
 #include "base/memory/ptr_util.h"
 #include "base/memory/shared_memory.h"
 #include "base/memory/weak_ptr.h"
 #include "base/metrics/field_trial.h"
 #include "base/metrics/field_trial_params.h"
 #include "base/metrics/histogram_macros.h"
 #include "base/process/process.h"
 #include "base/stl_util.h"
 #include "base/strings/string16.h"
 #include "base/strings/utf_string_conversions.h"
 #include "base/task_runner_util.h"
 #include "base/threading/thread_task_runner_handle.h"
 #include "base/time/time.h"
 #include "base/trace_event/trace_event.h"
 #include "build/build_config.h"
 #include "cc/base/switches.h"
+#include "components/mime_util/mime_util.h"
 #include "content/child/appcache/appcache_dispatcher.h"
 #include "content/child/feature_policy/feature_policy_platform.h"
 #include "content/child/quota_dispatcher.h"
 #include "content/child/request_extra_data.h"
 #include "content/child/service_worker/service_worker_handle_reference.h"
 #include "content/child/service_worker/service_worker_network_provider.h"
 #include "content/child/service_worker/service_worker_provider_context.h"
 #include "content/child/service_worker/web_service_worker_provider_impl.h"
 #include "content/child/v8_value_converter_impl.h"
 #include "content/child/web_url_loader_impl.h"
@@ skipping 541 matching lines @@
 
     case FrameMsg_Navigate_Type::RELOAD_BYPASSING_CACHE:
       return WebFrameLoadType::kReloadBypassingCache;
 
     default:
       NOTREACHED();
       return WebFrameLoadType::kStandard;
   }
 }
 
+bool IsDataURLMimeTypeSupported(const GURL& url) {
+  std::string utf8_mime_type;
+  std::string utf8_charset;
+  if (net::DataURL::Parse(url, &utf8_mime_type, &utf8_charset, nullptr)) {
+    return mime_util::IsSupportedMimeType(utf8_mime_type);
+  }
+  return false;
+}
+
 RenderFrameImpl::CreateRenderFrameImplFunction g_create_render_frame_impl =
     nullptr;
 
 WebString ConvertRelativePathToHtmlAttribute(const base::FilePath& path) {
   DCHECK(!path.IsAbsolute());
   return WebString::FromUTF8(
       std::string("./") +
       path.NormalizePathSeparatorsTo(FILE_PATH_LITERAL('/')).AsUTF8Unsafe());
 }
 
@@ skipping 4729 matching lines @@
   // A content initiated navigation may have originated from a link-click,
   // script, drag-n-drop operation, etc.
   // info.extraData is only non-null if this is a redirect. Use the extraData
   // initiation information for redirects, and check pending_navigation_params_
   // otherwise.
   bool is_content_initiated =
       info.extra_data ? static_cast<DocumentState*>(info.extra_data)
                             ->navigation_state()
                             ->IsContentInitiated()
                       : !IsBrowserInitiated(pending_navigation_params_.get());
+  const bool is_top_level = IsTopLevelNavigation(frame_);
 
   // Webkit is asking whether to navigate to a new URL.
   // This is fine normally, except if we're showing UI from one security
   // context and they're trying to navigate to a different context.
   const GURL& url = info.url_request.Url();
 
+  // Block renderer-initiated loads of data URLs in the top frame. If the mime
+  // type of the data URL is supported, the URL will eventually be rendered, so
+  // block it here. Otherwise, the load might be handled by a plugin or end up
+  // as a download, so allow it to let the embedder figure out what to do with
+  // it.
+  if (is_content_initiated && is_top_level && url.SchemeIs(url::kDataScheme) &&
+      url.spec() != kUnreachableWebDataURL && IsDataURLMimeTypeSupported(url) &&
+      !base::FeatureList::IsEnabled(
+          features::kAllowContentInitiatedDataUrlNavigations)) {
+    LOG(ERROR) << ">> BLOCKING!!!! " << url;
+    if (info.extra_data) {
+      LOG(ERROR) << ">> NavigationState.IsContentInitiated : "
+                 << static_cast<DocumentState*>(info.extra_data)
+                        ->navigation_state()
+                        ->IsContentInitiated();
+    } else {
+      LOG(ERROR) << ">> IsBrowserInitiated(pending_navigation_params_.get(): "
+                 << IsBrowserInitiated(pending_navigation_params_.get());
+    }
+    AddMessageToConsole(
+        CONSOLE_MESSAGE_LEVEL_ERROR,
+        "Not allowed to top-level navigate to resource: " + url.spec());
+    return blink::kWebNavigationPolicyIgnore;
+  }
+
   // With PlzNavigate, the redirect list is available for the first url. So
   // maintain the old behavior of not classifying the first URL in the chain as
   // a redirect.
   bool is_redirect =
       info.extra_data ||
       (pending_navigation_params_ &&
        !pending_navigation_params_->request_params.redirects.empty() &&
        (!IsBrowserSideNavigationEnabled() ||
         url != pending_navigation_params_->request_params.redirects[0]));
 
@@ skipping 11 matching lines @@
       Send(new FrameHostMsg_NavigationHandledByEmbedder(routing_id_));
     }
     return blink::kWebNavigationPolicyIgnore;
   }
 #endif
 
   Referrer referrer(
       RenderViewImpl::GetReferrerFromRequest(frame_, info.url_request));
 
   // If the browser is interested, then give it a chance to look at the request.
-  if (is_content_initiated && IsTopLevelNavigation(frame_) &&
+  if (is_content_initiated && is_top_level &&
       render_view_->renderer_preferences_
           .browser_handles_all_top_level_requests) {
     OpenURL(url, IsHttpPost(info.url_request),
             GetRequestBodyForWebURLRequest(info.url_request),
             GetWebURLRequestHeaders(info.url_request), referrer,
             info.default_policy, info.replaces_current_history_item, false);
     return blink::kWebNavigationPolicyIgnore;  // Suppress the load here.
   }
 
   // Back/forward navigations in newly created subframes should be sent to the
@@ skipping 1594 matching lines @@
       policy(info.default_policy),
       replaces_current_history_item(info.replaces_current_history_item),
       history_navigation_in_new_child_frame(
           info.is_history_navigation_in_new_child_frame),
       client_redirect(info.is_client_redirect),
       cache_disabled(info.is_cache_disabled),
       form(info.form),
       source_location(info.source_location) {}
 
 }  // namespace content