Index: chrome/browser/extensions/api/app_window/app_window_api.cc |
diff --git a/chrome/browser/extensions/api/app_window/app_window_api.cc b/chrome/browser/extensions/api/app_window/app_window_api.cc |
index c6623e0532280417d43dfa9d36bc177cafa3a36b..adb1b87eda780180f904f7ae92a193d00372b5eb 100644 |
--- a/chrome/browser/extensions/api/app_window/app_window_api.cc |
+++ b/chrome/browser/extensions/api/app_window/app_window_api.cc |
@@ -52,6 +52,8 @@ const char kConflictingBoundsOptions[] = |
"The $1 property cannot be specified for both inner and outer bounds."; |
const char kAlwaysOnTopPermission[] = |
"The \"app.window.alwaysOnTop\" permission is required."; |
+const char kInvalidUrlParameter[] = |
+ "Url passed should be local for security reasons."; |
} // namespace app_window_constants |
const char kNoneFrameOption[] = "none"; |
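Review bot: The text of `kInvalidUrlParameter` does not tell an app developer which argument was rejected or what "local" means, and this string is what the second hunk assigns to `error_`. A message that names the input and the rule is easier to act on, for example `"The URL used for window creation must be local to the app package."`. "Url" should also be spelled "URL" so that it matches the usual capitalisation in messages shown to developers.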
@@ -158,6 +160,12 @@ bool AppWindowCreateFunction::RunAsync() { |
url = absolute; |
} |
+ // Show error when url passed isn't local |
+ if (GURL(params->url).has_scheme()) { |
benwells
2014/06/18 22:53:37
Looking 10 lines or so up, this is considered fine
Nikhil
2014/06/19 08:26:28
Done.
|
+ error_ = app_window_constants::kInvalidUrlParameter; |
+ return false; |
+ } |
+ |
// TODO(jeremya): figure out a way to pass the opening WebContents through to |
// AppWindow::Create so we can set the opener at create time rather than |
// with a hack in AppWindowCustomBindings::GetView(). |
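Review bot: The added guard tests the raw `params->url` string, while the context lines just above it show that a resolved `url` has already been computed, so the accept/reject decision is made on a different value from the one that is presumably loaded afterwards. Validating the resolved value does not depend on how a standalone `GURL` parse classifies the input; on the path that is meant to be restricted, the condition could be `if (!url.SchemeIs(extensions::kExtensionScheme)) {`, assuming `url` is what is later passed to window creation. The comment above the check could state the rule instead of the action, e.g. `// Only URLs that resolve inside the app's own package may be opened.` RunAsync starts and ends outside this hunk, so the resolution logic is inferred from the context lines only.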