author | japhet@chromium.org <japhet@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2014-07-11 20:06:03 +0000 |
---|---|---|
committer | japhet@chromium.org <japhet@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2014-07-11 20:06:03 +0000 |
commit | 62e412be33040296440933cb8739ebbdfe44182f (patch) | |
tree | 017ca3decc0cf9bcc521aee51c0e892f603963d9 | |
parent | ebc42b2266a2c04caef839b90363e3c52bc5c444 (diff) | |
Allow "cross-origin" navigations from about:blank in AreURLsInPageNavigation
This can happen when an iframe is opened, then populated via a document.write()
from its parent. This will cause the url to change to the parent's url, but the
browser process will not be notified of this url change. If the iframe then
attempts a fragment navigation, it looks like a cross-origin navigation from
about:blank.
BUG=390798
TEST=Added case to NavigationControllerTest.IsInPageNavigation
Review URL: https://codereview.chromium.org/372403002
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@282679 0039d316-1c4b-4281-b951-d872f2087c98
-rw-r--r-- | content/browser/frame_host/navigation_controller_impl.cc | 7 | ||||
-rw-r--r-- | content/browser/frame_host/navigation_controller_impl_unittest.cc | 15 |
2 files changed, 21 insertions, 1 deletions
diff --git a/content/browser/frame_host/navigation_controller_impl.cc b/content/browser/frame_host/navigation_controller_impl.cc
index a751ccd..d698686 100644
--- a/content/browser/frame_host/navigation_controller_impl.cc
+++ b/content/browser/frame_host/navigation_controller_impl.cc
@@ -123,6 +123,13 @@ bool AreURLsInPageNavigation(const GURL& existing_url,
 RenderFrameHost* rfh) {
 WebPreferences prefs = rfh->GetRenderViewHost()->GetWebkitPreferences();
 bool is_same_origin = existing_url.is_empty() ||
+ // TODO(japhet): We should only permit navigations
+ // originating from about:blank to be in-page if the
+ // about:blank is the first document that frame loaded.
+ // We don't have sufficient information to identify
+ // that case at the moment, so always allow about:blank
+ // for now.
+ existing_url == GURL(url::kAboutBlankURL) ||
 existing_url.GetOrigin() == new_url.GetOrigin() ||
 !prefs.web_security_enabled;
 if (!is_same_origin && renderer_says_in_page)
diff --git a/content/browser/frame_host/navigation_controller_impl_unittest.cc b/content/browser/frame_host/navigation_controller_impl_unittest.cc
index ab4d7c5c1..d03a550 100644
--- a/content/browser/frame_host/navigation_controller_impl_unittest.cc
+++ b/content/browser/frame_host/navigation_controller_impl_unittest.cc
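Review bot: The added `existing_url == GURL(url::kAboutBlankURL)` disjunct turns the browser-side origin cross-check into a no-op for any frame whose last committed URL is about:blank, so for those frames the renderer-supplied `renderer_says_in_page` is accepted without new_url being compared against anything; the TODO explains why, but the comment should also spell out what is being given up, e.g. `// NOTE: while this disjunct is true the origin comparison below never runs, so the renderer's in-page claim is trusted as-is for frames at about:blank.` Because the check is whole-URL equality rather than an origin comparison, an existing_url of about:blank that carries a fragment would presumably not match and would still fall through to the GetOrigin() comparison; if that is deliberate it is worth one line saying so, and if not the intended scope should be recorded next to the TODO. The signature of AreURLsInPageNavigation and the rest of its body, including how is_same_origin feeds the return value, are outside the hunk.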
@@ -3072,8 +3072,21 @@ TEST_F(NavigationControllerTest, DontShowRendererURLInNewTabAfterCommit) {
 // regression for bug 1126349.
 TEST_F(NavigationControllerTest, IsInPageNavigation) {
 NavigationControllerImpl& controller = controller_impl();
- // Navigate to URL with no refs.
 const GURL url("http://www.google.com/home.html");
+
+ // If the renderer claims it performed an in-page navigation from
+ // about:blank, trust the renderer.
+ // This can happen when an iframe is created and populated via
+ // document.write(), then tries to perform a fragment navigation.
+ // TODO(japhet): We should only trust the renderer if the about:blank
+ // was the first document in the given frame, but we don't have enough
+ // information to identify that case currently.
+ const GURL blank_url(url::kAboutBlankURL);
+ main_test_rfh()->SendNavigate(0, blank_url);
+ EXPECT_TRUE(controller.IsURLInPageNavigation(url, true,
+ main_test_rfh()));
+
+ // Navigate to URL with no refs.
 main_test_rfh()->SendNavigate(0, url);
 // Reloading the page is not an in-page navigation. |
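Review bot: The new assertion only exercises the about:blank case with the renderer reporting an in-page navigation (`true`); nothing pins that the exemption leaves the opposite case alone. Adding `EXPECT_FALSE(controller.IsURLInPageNavigation(url, false, main_test_rfh()));` directly after the new EXPECT_TRUE would make the test fail if the about:blank exemption were ever widened to return true without the renderer's claim — assuming a true result still requires `renderer_says_in_page`, which the implementation hunk's `if (!is_same_origin && renderer_says_in_page)` line suggests but does not show. It would also be worth a one-line comment on the new EXPECT_TRUE noting that `url` is cross-origin to about:blank, so the reader sees that this expectation passes only because of the exemption. The IsInPageNavigation test body continues past the end of the hunk.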