Index: content/renderer/render_frame_impl.cc |
diff --git a/content/renderer/render_frame_impl.cc b/content/renderer/render_frame_impl.cc |
index 32ad5da72f24ffd359bdddac2004fb1b10c34c3d..3698780a36d7340fc2a18af019e1c266782d3696 100644 |
--- a/content/renderer/render_frame_impl.cc |
+++ b/content/renderer/render_frame_impl.cc |
@@ -16,6 +16,7 @@ |
#include "base/debug/asan_invalid_access.h" |
#include "base/debug/crash_logging.h" |
#include "base/debug/dump_without_crashing.h" |
+#include "base/feature_list.h" |
#include "base/files/file.h" |
#include "base/i18n/char_iterator.h" |
#include "base/logging.h" |
@@ -36,6 +37,7 @@ |
#include "base/trace_event/trace_event.h" |
#include "build/build_config.h" |
#include "cc/base/switches.h" |
+#include "components/mime_util/mime_util.h" |
#include "content/child/appcache/appcache_dispatcher.h" |
#include "content/child/feature_policy/feature_policy_platform.h" |
#include "content/child/quota_dispatcher.h" |
@@ -597,6 +599,15 @@ WebFrameLoadType ReloadFrameLoadTypeFor( |
} |
} |
+bool IsDataURLMimeTypeSupported(const GURL& url) { |
+ std::string utf8_mime_type; |
+ std::string utf8_charset; |
+ if (net::DataURL::Parse(url, &utf8_mime_type, &utf8_charset, nullptr)) { |
+ return mime_util::IsSupportedMimeType(utf8_mime_type); |
+ } |
+ return false; |
+} |
+ |
RenderFrameImpl::CreateRenderFrameImplFunction g_create_render_frame_impl = |
nullptr; |
@@ -5346,12 +5357,38 @@ WebNavigationPolicy RenderFrameImpl::DecidePolicyForNavigation( |
->navigation_state() |
->IsContentInitiated() |
: !IsBrowserInitiated(pending_navigation_params_.get()); |
+ const bool is_top_level = IsTopLevelNavigation(frame_); |
// Webkit is asking whether to navigate to a new URL. |
// This is fine normally, except if we're showing UI from one security |
// context and they're trying to navigate to a different context. |
const GURL& url = info.url_request.Url(); |
+ // Block renderer-initiated loads of data URLs in the top frame. If the mime |
+ // type of the data URL is supported, the URL will eventually be rendered, so |
+ // block it here. Otherwise, the load might be handled by a plugin or end up |
+ // as a download, so allow it to let the embedder figure out what to do with |
+ // it. |
+ if (is_content_initiated && is_top_level && url.SchemeIs(url::kDataScheme) && |
+ url.spec() != kUnreachableWebDataURL && IsDataURLMimeTypeSupported(url) && |
+ !base::FeatureList::IsEnabled( |
+ features::kAllowContentInitiatedDataUrlNavigations)) { |
+ LOG(ERROR) << ">> BLOCKING!!!! " << url; |
+ if (info.extra_data) { |
+ LOG(ERROR) << ">> NavigationState.IsContentInitiated : " |
+ << static_cast<DocumentState*>(info.extra_data) |
+ ->navigation_state() |
+ ->IsContentInitiated(); |
+ } else { |
+ LOG(ERROR) << ">> IsBrowserInitiated(pending_navigation_params_.get(): " |
+ << IsBrowserInitiated(pending_navigation_params_.get()); |
+ } |
+ AddMessageToConsole( |
+ CONSOLE_MESSAGE_LEVEL_ERROR, |
+ "Not allowed to top-level navigate to resource: " + url.spec()); |
+ return blink::kWebNavigationPolicyIgnore; |
+ } |
+ |
// With PlzNavigate, the redirect list is available for the first url. So |
// maintain the old behavior of not classifying the first URL in the chain as |
// a redirect. |
@@ -5383,7 +5420,7 @@ WebNavigationPolicy RenderFrameImpl::DecidePolicyForNavigation( |
RenderViewImpl::GetReferrerFromRequest(frame_, info.url_request)); |
// If the browser is interested, then give it a chance to look at the request. |
- if (is_content_initiated && IsTopLevelNavigation(frame_) && |
+ if (is_content_initiated && is_top_level && |
render_view_->renderer_preferences_ |
.browser_handles_all_top_level_requests) { |
OpenURL(url, IsHttpPost(info.url_request), |