When sanitizing serialized navigation entries also take iframes into account

content/public/common/page_state.cc

 // Copyright (c) 2013 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "content/public/common/page_state.h"
 
 #include "base/files/file_path.h"
 #include "base/strings/utf_string_conversions.h"
 #include "content/common/page_state_serialization.h"
+#include "content/public/common/referrer.h"
 
 namespace content {
 namespace {
 
 base::NullableString16 ToNullableString16(const std::string& utf8) {
   return base::NullableString16(base::UTF8ToUTF16(utf8), false);
 }
 
 base::FilePath ToFilePath(const base::NullableString16& s) {
   return base::FilePath::FromUTF16Unsafe(s.string());
@@ skipping 28 matching lines @@
 void RecursivelyRemoveReferrer(ExplodedFrameState* state) {
   state->referrer = base::NullableString16();
   state->referrer_policy = blink::WebReferrerPolicyDefault;
   for (std::vector<ExplodedFrameState>::iterator it = state->children.begin();
        it != state->children.end();
        ++it) {
     RecursivelyRemoveReferrer(&*it);
   }
 }
 
+bool RecursivelyCheckReferrer(ExplodedFrameState* state) {
+  Referrer referrer(GURL(state->referrer.string()), state->referrer_policy);
+  GURL url(state->url_string.string());
+  if (url.SchemeIsHTTPOrHTTPS() &&
+      Referrer::SanitizeForRequest(url, referrer).url != referrer.url) {
+    LOG(ERROR) << "Referrer for request to " << url << " is " << referrer.url
+               << " but should be "
+               << Referrer::SanitizeForRequest(url, referrer).url;
+    return false;
+  }
+  for (std::vector<ExplodedFrameState>::iterator it = state->children.begin();
+       it != state->children.end();
+       ++it) {
+    if (!RecursivelyCheckReferrer(&*it))
+      return false;
+  }
+  return true;
+}
+
 }  // namespace
 
 // static
 PageState PageState::CreateFromEncodedData(const std::string& data) {
   return PageState(data);
 }
 
 // static
 PageState PageState::CreateFromURL(const GURL& url) {
   ExplodedPageState state;
@@ skipping 33 matching lines @@
         body_contains_password_data;
   }
 
   return ToPageState(state);
 }
 
 PageState::PageState() {
 }
 
 bool PageState::IsValid() const {
-  return !data_.empty();
+  if (data_.empty())
+    return false;
+
+  ExplodedPageState state;
+  // This should return false, but tests create invalid page state.
+  if (!DecodePageState(data_, &state))

[marja, 2015/02/23 15:30:04]

What happens to data_ here? Should this branch set it to empty?

[jochen (gone - plz use gerrit), 2015/02/23 16:20:45]

IsValid() is not supposed to modify itself (it's const)

+    return true;
+
+  // TODO(jochen): Remove referrer check once http://crbug.com/450589 is fixed.
+  return RecursivelyCheckReferrer(&state.top);
 }
 
 bool PageState::Equals(const PageState& other) const {
   return data_ == other.data_;
 }
 
 const std::string& PageState::ToEncodedData() const {
   return data_;
 }
 
@@ skipping 41 matching lines @@
 }
 
 PageState::PageState(const std::string& data)
     : data_(data) {
   // TODO(darin): Enable this DCHECK once tests have been fixed up to not pass
   // bogus encoded data to CreateFromEncodedData.
   //DCHECK(IsValid());
 }
 
 }  // namespace content