authorjam <jam@chromium.org>2015-04-09 07:41:19 -0700
committerCommit bot <commit-bot@chromium.org>2015-04-09 14:41:48 +0000
commit3a011073a7c7bc04346b0249551ede68f9a00f30 (patch)
tree3b0ff038e0b262261997551c87b17f3417b40c53
parentfa7c6fd4aa278dab68c5987b45353e064ce8e0ad (diff)
A few fixes to make logging in to Google work.
- use the same blink instance for POSTs instead of going to the shell
- ensure redirects save the callback to the client
- fix UAF, since any call to WebURLLoaderClient can delete |this|

Review URL: https://codereview.chromium.org/1071023002
Cr-Commit-Position: refs/heads/master@{#324435}
-rw-r--r--mojo/services/html_viewer/html_document.cc6
-rw-r--r--mojo/services/html_viewer/weburlloader_impl.cc9
-rw-r--r--mojo/services/network/url_loader_impl.cc1
3 files changed, 16 insertions, 0 deletions
diff --git a/mojo/services/html_viewer/html_document.cc b/mojo/services/html_viewer/html_document.cc
index 16d7e51..df7e27d 100644
--- a/mojo/services/html_viewer/html_document.cc
+++ b/mojo/services/html_viewer/html_document.cc
@@ -91,6 +91,12 @@ bool CanNavigateLocally(blink::WebFrame* frame,
if (request.extraData())
return true;
+ // mojo::NavigatorHost doesn't accept POSTs, so for now reuse this instance.
+ // TODO(jam): improve this (and copy logic from RenderFrameImpl's version)
+ // when we have multi-process.
+ if (EqualsASCII(request.httpMethod(), "POST"))
+ return true;
+
// Otherwise we don't know if we're the right app to handle this request. Ask
// host to do the navigation for us.
return false;
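Review bot: The added POST shortcut in CanNavigateLocally returns true for every POST regardless of destination, so a cross-origin form submission now stays in this instance and the host is never asked which app should handle it. That looks acceptable only while everything shares one process, which the TODO implies but does not state. I would make the comment explicit, e.g. `// NOTE: this also keeps cross-origin POSTs in this instance; remove before navigation isolation is relied on.` The function starts above the hunk, so earlier checks that might narrow this are not visible here.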
diff --git a/mojo/services/html_viewer/weburlloader_impl.cc b/mojo/services/html_viewer/weburlloader_impl.cc
index d7c7688..94d242c 100644
--- a/mojo/services/html_viewer/weburlloader_impl.cc
+++ b/mojo/services/html_viewer/weburlloader_impl.cc
@@ -178,9 +178,14 @@ void WebURLLoaderImpl::OnReceivedRedirect(URLResponsePtr url_response) {
new_request.setHTTPMethod(
blink::WebString::fromUTF8(url_response->redirect_method));
+ base::WeakPtr<WebURLLoaderImpl> self(weak_factory_.GetWeakPtr());
client_->willSendRequest(this, new_request, ToWebURLResponse(url_response));
// TODO(darin): Check if new_request was rejected.
+ // We may have been deleted during willSendRequest.
+ if (!self)
+ return;
+
url_loader_->FollowRedirect(
base::Bind(&WebURLLoaderImpl::OnReceivedResponse,
weak_factory_.GetWeakPtr()));
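Review bot: The redirect is still followed unconditionally once `willSendRequest` returns. The new `if (!self)` guard covers deletion of the loader, but the `TODO(darin)` case, where the client rejects or rewrites `new_request`, is left open, so a redirect the client vetoed would, as far as this hunk shows, still reach `url_loader_->FollowRedirect`. Consider checking the request before following it, presumably by testing whether the client cleared the URL (something like `if (new_request.url().isEmpty()) return;`, to be confirmed against how the client signals rejection here). Other `client_->` callbacks in this file that touch members afterwards likely need the same weak-pointer guard; only two call sites are visible on this page. The function begins above the hunk.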
@@ -194,7 +199,11 @@ void WebURLLoaderImpl::ReadMore() {
&buf_size,
MOJO_READ_DATA_FLAG_NONE);
if (rv == MOJO_RESULT_OK) {
+ base::WeakPtr<WebURLLoaderImpl> self(weak_factory_.GetWeakPtr());
client_->didReceiveData(this, static_cast<const char*>(buf), buf_size, -1);
+ // We may have been deleted durining didReceiveData.
+ if (!self)
+ return;
EndReadDataRaw(response_body_stream_.get(), buf_size);
WaitToReadMore();
} else if (rv == MOJO_RESULT_SHOULD_WAIT) {
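Review bot: The early return after `didReceiveData` skips `EndReadDataRaw`, and the added comment does not say why that is safe. It is presumably safe because `response_body_stream_` is a member and is already destroyed along with `this`, so touching it would itself be a use-after-free. I would spell that out and fix the typo, e.g. `// We may have been deleted during didReceiveData; response_body_stream_ is gone with us, so do not end the read.` `ReadMore` starts above the hunk and continues past it.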
diff --git a/mojo/services/network/url_loader_impl.cc b/mojo/services/network/url_loader_impl.cc
index fd0ece4..11c8590 100644
--- a/mojo/services/network/url_loader_impl.cc
+++ b/mojo/services/network/url_loader_impl.cc
@@ -169,6 +169,7 @@ void URLLoaderImpl::FollowRedirect(
// TODO(darin): Verify that it makes sense to call FollowDeferredRedirect.
url_request_->FollowDeferredRedirect();
+ callback_ = callback;
}
void URLLoaderImpl::QueryStatus(
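Review bot: `callback_ = callback;` is stored after `url_request_->FollowDeferredRedirect()`, so any delegate notification that fires synchronously from inside that call would see the old or empty `callback_`. Whether that can happen depends on the request implementation, which is not visible here, but assigning first costs nothing: move `callback_ = callback;` above the `FollowDeferredRedirect()` line. It would also help to check that no earlier callback is still pending before overwriting it, if the part of `FollowRedirect` above the hunk does not already do so.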