Allow Signin page to open other chrome:// URLs if login content in <webview>

extensions/browser/guest_view/web_view/web_view_guest.cc

 // Copyright 2014 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "extensions/browser/guest_view/web_view/web_view_guest.h"
 
 #include "base/message_loop/message_loop.h"
 #include "base/strings/stringprintf.h"
 #include "base/strings/utf_string_conversions.h"
 #include "content/public/browser/browser_context.h"
@@ skipping 857 matching lines @@
   return &javascript_dialog_helper_;
 }
 
 void WebViewGuest::NavigateGuest(const std::string& src,
                                  bool force_navigation) {
   if (src.empty())
     return;
 
   GURL url = ResolveURL(src);
 
-  // Do not allow navigating a guest to schemes other than known safe schemes.
-  // This will block the embedder trying to load unwanted schemes, e.g.
-  // chrome://settings.
-  bool scheme_is_blocked =
-      (!content::ChildProcessSecurityPolicy::GetInstance()->IsWebSafeScheme(
-           url.scheme()) &&
-       !url.SchemeIs(url::kAboutScheme)) ||
-      url.SchemeIs(url::kJavaScriptScheme);
-  if (scheme_is_blocked || !url.is_valid()) {
-    LoadAbort(true /* is_top_level */, url,
-              net::ErrorToShortString(net::ERR_ABORTED));
-    NavigateGuest(url::kAboutBlankURL, true /* force_navigation */);
-    return;
-  }
-  if (!force_navigation && (src_ == url))
-    return;
-
-  GURL validated_url(url);
-  web_contents()->GetRenderProcessHost()->FilterURL(false, &validated_url);
-  // As guests do not swap processes on navigation, only navigations to
-  // normal web URLs are supported.  No protocol handlers are installed for
-  // other schemes (e.g., WebUI or extensions), and no permissions or bindings
-  // can be granted to the guest process.
-  LoadURLWithParams(validated_url,
-                    content::Referrer(),
+  LoadURLWithParams(url, content::Referrer(),
                     ui::PAGE_TRANSITION_AUTO_TOPLEVEL,
-                    web_contents());
-
-  src_ = validated_url;
+                    force_navigation);
 }
 
 bool WebViewGuest::HandleKeyboardShortcuts(
     const content::NativeWebKeyboardEvent& event) {
   // <webview> outside of Chrome Apps do not handle keyboard shortcuts.
   if (!in_extension())
     return false;
 
   if (event.type != blink::WebInputEvent::RawKeyDown)
     return false;
@@ skipping 194 matching lines @@
     *was_blocked = false;
   RequestNewWindowPermission(disposition,
                              initial_rect,
                              user_gesture,
                              new_contents);
 }
 
 content::WebContents* WebViewGuest::OpenURLFromTab(
     content::WebContents* source,
     const content::OpenURLParams& params) {
+  // There are two use cases to consider from a security perspective:
+  // 1.) Renderer-initiated navigation to chrome:// must always be blocked even
+  //     if the <webview> is in WebUI. This is handled by
+  //     WebViewGuest::LoadURLWithParams. WebViewGuest::NavigateGuest will also
+  //     call LoadURLWithParams. CreateNewGuestWebViewWindow creates a new
+  //     WebViewGuest which will call NavigateGuest in DidInitialize.
+  // 2.) The Language Settings context menu item should always work, both in
+  //     Chrome Apps and WebUI. This is a browser initiated request and so
+  //     we pass it along to the embedder's WebContentsDelegate to get the
+  //     browser to perform the action for the <webview>.
+  if (!params.is_renderer_initiated) {
+    if (!owner_web_contents()->GetDelegate())
+      return nullptr;
+    return owner_web_contents()->GetDelegate()->OpenURLFromTab(
+        owner_web_contents(), params);
+  }
+
   // If the guest wishes to navigate away prior to attachment then we save the
   // navigation to perform upon attachment. Navigation initializes a lot of
   // state that assumes an embedder exists, such as RenderWidgetHostViewGuest.
   // Navigation also resumes resource loading which we don't want to allow
   // until attachment.
   if (!attached()) {
     WebViewGuest* opener = GetOpener();
     auto it = opener->pending_new_windows_.find(this);
     if (it == opener->pending_new_windows_.end())
       return nullptr;
     const NewWindowInfo& info = it->second;
     NewWindowInfo new_window_info(params.url, info.name);
     new_window_info.changed = new_window_info.url != info.url;
     it->second = new_window_info;
     return nullptr;
   }
+
+  // This code path is taken if RenderFrameImpl::DecidePolicyForNavigation
+  // decides that a fork should happen. At the time of writing this comment,
+  // the only way a well behaving guest could hit this code path is if it
+  // navigates to a URL that's associated with the default search engine.
+  // This list of URLs is generated by chrome::GetSearchURLs. Validity checks
+  // are performed inside LoadURLWithParams such that if the guest attempts
+  // to navigate to a URL that it is not allowed to navigate to, a 'loadabort'
+  // event will fire in the embedder, and the guest will be navigated to
+  // about:blank.
   if (params.disposition == CURRENT_TAB) {
-    // This can happen for cross-site redirects.
-    LoadURLWithParams(params.url, params.referrer, params.transition, source);
-    return source;
+    LoadURLWithParams(params.url, params.referrer, params.transition,
+                      true /* force_navigation */);
+    return web_contents();
   }
 
+  // This code path is taken if Ctrl+Click, middle click or any of the
+  // keyboard/mouse combinations are used to open a link in a new tab/window.
+  // This code path is also taken on client-side redirects from about:blank.
   CreateNewGuestWebViewWindow(params);
   return nullptr;
 }
 
 void WebViewGuest::WebContentsCreated(WebContents* source_contents,
                                       int opener_render_frame_id,
                                       const base::string16& frame_name,
                                       const GURL& target_url,
                                       content::WebContents* new_contents) {
   auto guest = WebViewGuest::FromWebContents(new_contents);
   CHECK(guest);
   guest->SetOpener(this);
   std::string guest_name = base::UTF16ToUTF8(frame_name);
   guest->name_ = guest_name;
   pending_new_windows_.insert(
       std::make_pair(guest, NewWindowInfo(target_url, guest_name)));
 }
 
 void WebViewGuest::LoadURLWithParams(const GURL& url,
                                      const content::Referrer& referrer,
                                      ui::PageTransition transition_type,
-                                     content::WebContents* web_contents) {
-  content::NavigationController::LoadURLParams load_url_params(url);
+                                     bool force_navigation) {
+  // Do not allow navigating a guest to schemes other than known safe schemes.
+  // This will block the embedder trying to load unwanted schemes, e.g.
+  // chrome://settings.

[Charlie Reis, 2015/02/19 22:56:28]

nit: chrome://
(settings isn't part of the scheme)

[Fady Samuel, 2015/02/20 00:33:06]

Done.

+  bool scheme_is_blocked =
+      (!content::ChildProcessSecurityPolicy::GetInstance()->IsWebSafeScheme(
+           url.scheme()) &&
+       !url.SchemeIs(url::kAboutScheme)) ||
+      url.SchemeIs(url::kJavaScriptScheme);
+  if (scheme_is_blocked || !url.is_valid()) {
+    LoadAbort(true /* is_top_level */, url,
+              net::ErrorToShortString(net::ERR_ABORTED));
+    NavigateGuest(url::kAboutBlankURL, true /* force_navigation */);
+    return;
+  }
+
+  if (!force_navigation && (src_ == url))
+    return;
+
+  GURL validated_url(url);
+  web_contents()->GetRenderProcessHost()->FilterURL(false, &validated_url);
+  // As guests do not swap processes on navigation, only navigations to
+  // normal web URLs are supported.  No protocol handlers are installed for
+  // other schemes (e.g., WebUI or extensions), and no permissions or bindings
+  // can be granted to the guest process.
+  content::NavigationController::LoadURLParams load_url_params(validated_url);
   load_url_params.referrer = referrer;
   load_url_params.transition_type = transition_type;
   load_url_params.extra_headers = std::string();
   if (is_overriding_user_agent_) {
     load_url_params.override_user_agent =
         content::NavigationController::UA_OVERRIDE_TRUE;
   }
-  web_contents->GetController().LoadURLWithParams(load_url_params);
+  web_contents()->GetController().LoadURLWithParams(load_url_params);
+
+  src_ = validated_url;
 }
 
 void WebViewGuest::RequestNewWindowPermission(
     WindowOpenDisposition disposition,
     const gfx::Rect& initial_bounds,
     bool user_gesture,
     content::WebContents* new_contents) {
   auto guest = WebViewGuest::FromWebContents(new_contents);
   if (!guest)
     return;
@@ skipping 48 matching lines @@
       WebViewGuest::From(owner_web_contents()->GetRenderProcessHost()->GetID(),
                          new_window_instance_id);
   if (!guest)
     return;
 
   if (!allow)
     guest->Destroy();
 }
 
 }  // namespace extensions