Show error for invalid url in chrome.app.window.create()

chrome/browser/extensions/api/app_window/app_window_api.cc

Index: chrome/browser/extensions/api/app_window/app_window_api.cc
diff --git a/chrome/browser/extensions/api/app_window/app_window_api.cc b/chrome/browser/extensions/api/app_window/app_window_api.cc
index c6623e0532280417d43dfa9d36bc177cafa3a36b..969fd9bbc55246d0fed3580b666f069df278e5d2 100644
--- a/chrome/browser/extensions/api/app_window/app_window_api.cc
+++ b/chrome/browser/extensions/api/app_window/app_window_api.cc
@@ -52,6 +52,8 @@ const char kConflictingBoundsOptions[] =
     "The $1 property cannot be specified for both inner and outer bounds.";
 const char kAlwaysOnTopPermission[] =
     "The \"app.window.alwaysOnTop\" permission is required.";
+const char kInvalidUrlParameter[] =
+    "Url passed should be local for security reasons.";

[benwells, 2014/06/19 08:40:32]

Nit: please rephrase as "The URL used for window creation must ..."

[Nikhil, 2014/06/19 08:55:58]

Done.

 }  // namespace app_window_constants
 
 const char kNoneFrameOption[] = "none";
@@ -152,10 +154,15 @@ bool AppWindowCreateFunction::RunAsync() {
   GURL url = GetExtension()->GetResourceURL(params->url);
   // Allow absolute URLs for component apps, otherwise prepend the extension
   // path.
-  if (GetExtension()->location() == extensions::Manifest::COMPONENT) {
-    GURL absolute = GURL(params->url);
-    if (absolute.has_scheme())
+  GURL absolute = GURL(params->url);
+  if (absolute.has_scheme()) {
+    if (GetExtension()->location() == extensions::Manifest::COMPONENT) {
       url = absolute;
+    } else {
+      // Show error when url passed isn't local.
+      error_ = app_window_constants::kInvalidUrlParameter;
+      return false;
+    }
   }
 
   // TODO(jeremya): figure out a way to pass the opening WebContents through to