author: ananta@chromium.org <ananta@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> 2010-06-22 01:01:32 +0000
committer: ananta@chromium.org <ananta@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> 2010-06-22 01:01:32 +0000
commit: d0ed50d2803d910f8e2b9f5451ee1f80c0d340ed
tree: e042e400647fc33f20f95318a74f7e136665fb08 /chrome/renderer
parent: fe7f3aa2e93a5d6634a2d81c29ac0f71e46c54db
In pages rendered in ChromeFrame window open requests or link clicks with target blank which target a different origin should initiate the navigation in the host browser.

We achieve this by performing an origin check on the opener frame and the URL being opened. If the origins don't match we allow the host browser to handle this navigation.

There is still one issue here as a popup window creation request is still initiated and sent out to the host browser which initiates a dummy attach external tab navigation. Subsequently while applying policy the OpenURL IPC is sent out to the host browser which initiates the navigation to the expected URL. This causes a dummy attach external tab entry to be created in the host browser's history which would have to be deleted.

Fixes bug http://code.google.com/p/chromium/issues/detail?id=46667

Bug=46667
Test=Covered by new chrome frame unit test.
Review URL: http://codereview.chromium.org/2855017

git-svn-id: svn://svn.chromium.org/chrome/trunk/src@50416 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'chrome/renderer')
-rwxr-xr-x chrome/renderer/render_view.cc 13
1 files changed, 13 insertions, 0 deletions
diff --git a/chrome/renderer/render_view.cc b/chrome/renderer/render_view.cc
index 693746f..5d5079f 100755
--- a/chrome/renderer/render_view.cc
+++ b/chrome/renderer/render_view.cc
@@ -5172,6 +5172,19 @@ bool RenderView::IsNonLocalTopLevelNavigation(
return true;
}
}
+ // Not interested in reloads.
+ if (type != WebKit::WebNavigationTypeReload &&
+ type != WebKit::WebNavigationTypeFormSubmitted) {
+ // The opener relationship between the new window and the parent allows the
+ // new window to script the parent and vice versa. This is not allowed if
+ // the origins of the two domains are different. This can be treated as a
+ // top level navigation and routed back to the host.
+ WebKit::WebFrame* opener = frame->opener();
+ if (opener) {
+ if (url.GetOrigin() != GURL(opener->url()).GetOrigin())
+ return true;
+ }
+ }
return false;
}
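Review bot: The comment on the first added line says "Not interested in reloads", but the condition under it also skips WebKit::WebNavigationTypeFormSubmitted, so a cross-origin form submission from a window with an opener is never routed to the host; please say in the comment why form submissions are excluded, or drop that clause if it was not intended. On the comparison `url.GetOrigin() != GURL(opener->url()).GetOrigin()`: GURL::GetOrigin() returns an empty GURL for URLs that are not standard (about:blank, javascript:), so a popup opened to about:blank by a normal http page compares as a different origin and returns true here, unless an earlier branch of this function that is not visible in this hunk already filters those. If that is not the desired behaviour, check that both origins are non-empty before comparing. The check also uses the opener frame's current URL rather than its security origin, which is worth a short comment since the stated purpose is to mirror the scripting restriction between opener and popup. Minor: the nested `if (opener)` and origin test can be folded into one condition, and "the origins of the two domains" in the comment would read better as "the origins of the two frames".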