Block redirects to renderer-debug urls.

content/browser/child_process_security_policy_impl.cc

Index: content/browser/child_process_security_policy_impl.cc
diff --git a/content/browser/child_process_security_policy_impl.cc b/content/browser/child_process_security_policy_impl.cc
index 779aa5b398a5868d21dd407cf5a658a7f22ca328..c285ff22ac52aee6c2a9d12fb2c005c8b2214ac3 100644
--- a/content/browser/child_process_security_policy_impl.cc
+++ b/content/browser/child_process_security_policy_impl.cc
@@ -671,6 +671,30 @@ bool ChildProcessSecurityPolicyImpl::CanRequestURL(
          !net::URLRequest::IsHandledURL(url);
 }
 
+bool ChildProcessSecurityPolicyImpl::CanRedirectToURL(const GURL& url) {
+  if (!url.is_valid())
+    return false;  // Can't redirect to invalid URLs.
+
+  const std::string& scheme = url.scheme();
+
+  if (IsPseudoScheme(scheme)) {
+    // Redirects to a pseudo scheme (about, javascript, view-source, ...) are
+    // not allowed. An exception is made for <about:blank> and its variations.
+    return url.IsAboutBlank();
+  }
+
+  // Note about redirects and special URLs:
+  // * data-url: Blocked by net::DataProtocolHandler::IsSafeRedirectTarget().
+  // Depending on their inner origins and if the request is browser-initiated or
+  // renderer-initiated, blob-urls and filesystem-urls might get blocked by
+  // CanCommitURL or in DocumentLoader::RedirectReceived.
+  // * blob-url: If not blocked, a 'file not found' response will be
+  //             generated in net::BlobURLRequestJob::DidStart().
+  // * filesystem-url: If not blocked, the response is displayed.
+
+  return true;
+}
+
 bool ChildProcessSecurityPolicyImpl::CanCommitURL(int child_id,
                                                   const GURL& url) {
   if (!url.is_valid())