Block redirects to renderer-debug urls.

content/browser/child_process_security_policy_impl.cc

Index: content/browser/child_process_security_policy_impl.cc
diff --git a/content/browser/child_process_security_policy_impl.cc b/content/browser/child_process_security_policy_impl.cc
index e8af7514fa820f1bcdcc40cd6c4cb44354dacbd6..8d81a75f7486f5ae353d9ab1f406eef61048ae28 100644
--- a/content/browser/child_process_security_policy_impl.cc
+++ b/content/browser/child_process_security_policy_impl.cc
@@ -667,6 +667,23 @@ bool ChildProcessSecurityPolicyImpl::CanRequestURL(
          !net::URLRequest::IsHandledURL(url);
 }
 
+bool ChildProcessSecurityPolicyImpl::CanRedirectToURL(const GURL& url) {
+  if (!url.is_valid())
+    return false;  // Can't redirect to invalid URLs.
+
+  if (IsPseudoScheme(url.scheme())) {

[Charlie Harrison, 2017/07/05 13:52:31]

nit:
const std::string& scheme = url.scheme() and use it below, to avoid a copy.

[arthursonzogni, 2017/07/05 14:52:19]

In this case, for consistency, the same thing should be done in a few similar
places in this file.
I will apply your suggestion everywhere, but in order not to pollute this CL, it
will be in a separate CL.
Please see: https://codereview.chromium.org/2966203002

+    // Redirects to a pseudo scheme (about, javascript, view-source, ...) are
+    // not allowed. An exception is made for <about:blank> and its variations.
+    return url.IsAboutBlank();
+  }
+
+  // Redirects to blob-url or filesystem-url are not allowed.
+  if (url.SchemeIsBlob() || url.SchemeIsFileSystem())
+    return false;
+
+  return IsWebSafeScheme(url.scheme());
+}
+
 bool ChildProcessSecurityPolicyImpl::CanCommitURL(int child_id,
                                                   const GURL& url) {
   if (!url.is_valid())