Don't allow sending data URLs to WebUI, unless in a ChromeOS BalloonHost.

BUG=123428
TEST=none


Review URL: http://codereview.chromium.org/10080018

git-svn-id: svn://svn.chromium.org/chrome/trunk/src@132459 0039d316-1c4b-4281-b951-d872f2087c98

2 files changed, 14 insertions, 0 deletions

diff --git a/chrome/browser/notifications/balloon_host.cc b/chrome/browser/notifications/balloon_host.cc
index 05d7301..9c81d20 100644
--- a/chrome/browser/notifications/balloon_host.cc
+++ b/chrome/browser/notifications/balloon_host.cc
@@ -166,3 +166,14 @@ void BalloonHost::NotifyDisconnect() {
 bool BalloonHost::IsRenderViewReady() const {
   return should_notify_on_disconnect_;
 }
+
+bool BalloonHost::CanLoadDataURLsInWebUI() const {
+#if defined(OS_CHROMEOS)
+  // Chrome OS uses data URLs in WebUI BalloonHosts.  We normally do not allow
+  // data URLs in WebUI renderers, but normal pages cannot target BalloonHosts,
+  // so this should be safe.
+  return true;
+#else
+  return false;
+#endif
+}
diff --git a/chrome/browser/notifications/balloon_host.h b/chrome/browser/notifications/balloon_host.h
index 00b1565..4fbb170 100644
--- a/chrome/browser/notifications/balloon_host.h
+++ b/chrome/browser/notifications/balloon_host.h
@@ -50,6 +50,9 @@ class BalloonHost : public content::WebContentsDelegate,
   // Returns whether the associated render view is ready. Used only for testing.
   bool IsRenderViewReady() const;
 
+  // content::WebContentsDelegate implementation:
+  virtual bool CanLoadDataURLsInWebUI() const OVERRIDE;
+
  protected:
   virtual ~BalloonHost();