Show error for invalid url in chrome.app.window.create()

chrome/browser/extensions/api/app_window/app_window_api.cc

Index: chrome/browser/extensions/api/app_window/app_window_api.cc
diff --git a/chrome/browser/extensions/api/app_window/app_window_api.cc b/chrome/browser/extensions/api/app_window/app_window_api.cc
index c6623e0532280417d43dfa9d36bc177cafa3a36b..adb1b87eda780180f904f7ae92a193d00372b5eb 100644
--- a/chrome/browser/extensions/api/app_window/app_window_api.cc
+++ b/chrome/browser/extensions/api/app_window/app_window_api.cc
@@ -52,6 +52,8 @@ const char kConflictingBoundsOptions[] =
     "The $1 property cannot be specified for both inner and outer bounds.";
 const char kAlwaysOnTopPermission[] =
     "The \"app.window.alwaysOnTop\" permission is required.";
+const char kInvalidUrlParameter[] =
+    "Url passed should be local for security reasons.";
 }  // namespace app_window_constants
 
 const char kNoneFrameOption[] = "none";
@@ -158,6 +160,12 @@ bool AppWindowCreateFunction::RunAsync() {
       url = absolute;
   }
 
+  // Show error when url passed isn't local
+  if (GURL(params->url).has_scheme()) {

[benwells, 2014/06/18 22:53:37]

Looking 10 lines or so up, this is considered fine for component apps. Your
change will break those apps. You should combine this code with the bit above
somehow.

[Nikhil, 2014/06/19 08:26:28]

Done.

+    error_ = app_window_constants::kInvalidUrlParameter;
+    return false;
+  }
+
   // TODO(jeremya): figure out a way to pass the opening WebContents through to
   // AppWindow::Create so we can set the opener at create time rather than
   // with a hack in AppWindowCustomBindings::GetView().