Block redirects to renderer-debug urls.

content/browser/frame_host/navigation_request.cc

Index: content/browser/frame_host/navigation_request.cc
diff --git a/content/browser/frame_host/navigation_request.cc b/content/browser/frame_host/navigation_request.cc
index ba72304cea3d0d934f5d8ff0de3e8b4413035f01..34113d12079f64e8123a02d9db4a28248862bfc8 100644
--- a/content/browser/frame_host/navigation_request.cc
+++ b/content/browser/frame_host/navigation_request.cc
@@ -37,6 +37,7 @@
 #include "content/public/browser/storage_partition.h"
 #include "content/public/browser/stream_handle.h"
 #include "content/public/common/appcache_info.h"
+#include "content/public/common/child_process_host.h"
 #include "content/public/common/content_client.h"
 #include "content/public/common/origin_util.h"
 #include "content/public/common/request_context_type.h"
@@ -500,6 +501,29 @@ void NavigationRequest::TransferNavigationHandleOwnership(
 void NavigationRequest::OnRequestRedirected(
     const net::RedirectInfo& redirect_info,
     const scoped_refptr<ResourceResponse>& response) {
+  if (!ChildProcessSecurityPolicyImpl::GetInstance()->CanRedirectToURL(
+          redirect_info.new_url)) {
+    DVLOG(1) << "Denied redirect for "
+             << redirect_info.new_url.possibly_invalid_spec();
+    // TODO(arthursonzogni): Consider switching to net::ERR_UNSAFE_REDIRECT
+    // when PlzNavigate is launched.
+    navigation_handle_->set_net_error_code(net::ERR_ABORTED);
+    frame_tree_node_->ResetNavigationRequest(false, true);
+    return;
+  }
+
+  // For non browser initiated navigations we need to check if the source has
+  // access to the URL. We always allow browser initiated requests.

[Charlie Reis, 2017/07/10 21:16:22]

nit: Rephrase last sentence, since browser-initiated requests are still subject
to CanRedirectToURL above.

[arthursonzogni, 2017/07/11 16:21:31]

Done.

+  if (!browser_initiated_ && source_site_instance() &&
+      !ChildProcessSecurityPolicyImpl::GetInstance()->CanRequestURL(
+          source_site_instance()->GetProcess()->GetID(),
+          redirect_info.new_url)) {
+    DVLOG(1) << "Denied unauthorized redirect for "
+             << redirect_info.new_url.possibly_invalid_spec();
+    navigation_handle_->set_net_error_code(net::ERR_ABORTED);
+    frame_tree_node_->ResetNavigationRequest(false, true);

[Charlie Reis, 2017/07/10 21:16:22]

Don't forget to return early!  :)

[arthursonzogni, 2017/07/11 16:21:31]

:) Done.

+  }
+
   // If a redirect occurs, the original site instance we thought is the
   // destination could change.
   dest_site_instance_ = nullptr;
@@ -538,21 +562,6 @@ void NavigationRequest::OnRequestRedirected(
     return;
   }
 
-  // For non browser initiated navigations we need to check if the source has
-  // access to the URL. We always allow browser initiated requests.
-  // TODO(clamy): Kill the renderer if FilterURL fails?
-  GURL url = common_params_.url;
-  if (!browser_initiated_ && source_site_instance()) {
-    source_site_instance()->GetProcess()->FilterURL(false, &url);
-    // FilterURL sets the URL to about:blank if the CSP checks prevent the
-    // renderer from accessing it.
-    if ((url == url::kAboutBlankURL) && (url != common_params_.url)) {
-      navigation_handle_->set_net_error_code(net::ERR_ABORTED);
-      frame_tree_node_->ResetNavigationRequest(false, true);
-      return;
-    }
-  }
-
   // Compute the SiteInstance to use for the redirect and pass its
   // RenderProcessHost if it has a process. Keep a reference if it has a
   // process, so that the SiteInstance and its associated process aren't deleted