| Index: content/renderer/render_frame_impl.cc
|
| diff --git a/content/renderer/render_frame_impl.cc b/content/renderer/render_frame_impl.cc
|
| index 32ad5da72f24ffd359bdddac2004fb1b10c34c3d..3698780a36d7340fc2a18af019e1c266782d3696 100644
|
| --- a/content/renderer/render_frame_impl.cc
|
| +++ b/content/renderer/render_frame_impl.cc
|
| @@ -16,6 +16,7 @@
|
| #include "base/debug/asan_invalid_access.h"
|
| #include "base/debug/crash_logging.h"
|
| #include "base/debug/dump_without_crashing.h"
|
| +#include "base/feature_list.h"
|
| #include "base/files/file.h"
|
| #include "base/i18n/char_iterator.h"
|
| #include "base/logging.h"
|
| @@ -36,6 +37,7 @@
|
| #include "base/trace_event/trace_event.h"
|
| #include "build/build_config.h"
|
| #include "cc/base/switches.h"
|
| +#include "components/mime_util/mime_util.h"
|
| #include "content/child/appcache/appcache_dispatcher.h"
|
| #include "content/child/feature_policy/feature_policy_platform.h"
|
| #include "content/child/quota_dispatcher.h"
|
| @@ -597,6 +599,15 @@ WebFrameLoadType ReloadFrameLoadTypeFor(
|
| }
|
| }
|
|
|
| +bool IsDataURLMimeTypeSupported(const GURL& url) {
|
| + std::string utf8_mime_type;
|
| + std::string utf8_charset;
|
| + if (net::DataURL::Parse(url, &utf8_mime_type, &utf8_charset, nullptr)) {
|
| + return mime_util::IsSupportedMimeType(utf8_mime_type);
|
| + }
|
| + return false;
|
| +}
|
| +
|
| RenderFrameImpl::CreateRenderFrameImplFunction g_create_render_frame_impl =
|
| nullptr;
|
|
|
| @@ -5346,12 +5357,38 @@ WebNavigationPolicy RenderFrameImpl::DecidePolicyForNavigation(
|
| ->navigation_state()
|
| ->IsContentInitiated()
|
| : !IsBrowserInitiated(pending_navigation_params_.get());
|
| + const bool is_top_level = IsTopLevelNavigation(frame_);
|
|
|
| // Webkit is asking whether to navigate to a new URL.
|
| // This is fine normally, except if we're showing UI from one security
|
| // context and they're trying to navigate to a different context.
|
| const GURL& url = info.url_request.Url();
|
|
|
| + // Block renderer-initiated loads of data URLs in the top frame. If the mime
|
| + // type of the data URL is supported, the URL will eventually be rendered, so
|
| + // block it here. Otherwise, the load might be handled by a plugin or end up
|
| + // as a download, so allow it to let the embedder figure out what to do with
|
| + // it.
|
| + if (is_content_initiated && is_top_level && url.SchemeIs(url::kDataScheme) &&
|
| + url.spec() != kUnreachableWebDataURL && IsDataURLMimeTypeSupported(url) &&
|
| + !base::FeatureList::IsEnabled(
|
| + features::kAllowContentInitiatedDataUrlNavigations)) {
|
| + LOG(ERROR) << ">> BLOCKING!!!! " << url;
|
| + if (info.extra_data) {
|
| + LOG(ERROR) << ">> NavigationState.IsContentInitiated : "
|
| + << static_cast<DocumentState*>(info.extra_data)
|
| + ->navigation_state()
|
| + ->IsContentInitiated();
|
| + } else {
|
| + LOG(ERROR) << ">> IsBrowserInitiated(pending_navigation_params_.get(): "
|
| + << IsBrowserInitiated(pending_navigation_params_.get());
|
| + }
|
| + AddMessageToConsole(
|
| + CONSOLE_MESSAGE_LEVEL_ERROR,
|
| + "Not allowed to top-level navigate to resource: " + url.spec());
|
| + return blink::kWebNavigationPolicyIgnore;
|
| + }
|
| +
|
| // With PlzNavigate, the redirect list is available for the first url. So
|
| // maintain the old behavior of not classifying the first URL in the chain as
|
| // a redirect.
|
| @@ -5383,7 +5420,7 @@ WebNavigationPolicy RenderFrameImpl::DecidePolicyForNavigation(
|
| RenderViewImpl::GetReferrerFromRequest(frame_, info.url_request));
|
|
|
| // If the browser is interested, then give it a chance to look at the request.
|
| - if (is_content_initiated && IsTopLevelNavigation(frame_) &&
|
| + if (is_content_initiated && is_top_level &&
|
| render_view_->renderer_preferences_
|
| .browser_handles_all_top_level_requests) {
|
| OpenURL(url, IsHttpPost(info.url_request),
|
|
|
Chromium Code Reviews
Issue 2787123005:
Block data URL navigations with RenderFrameImpl::DecidePolicyForNavigation (Closed)
