Restrict unsafe URLs in Chrome Frame

Further tighten down what URLs can be loaded in Chrome Frame.
Based on the feedback from the security review and code
inspection, restrict about: scheme only to about:blank
and about:version by default. Factor out logic blocking logic
including for URL zone checking so that all ActiveX, ActiveDoc
and NPAPI will follow the same path. As a result we now block
restricted URL zones in NPAPI instance as well.

Another side effect of this refactoring is that the registry
flag, EnableGcfProtocol, is replaced by AllowUnsafeURLs. If
If this flag is set, then all the security related checking
is turned off.

BUG=50741
TEST=By default gcf: works only for about:blank, about:version and 
view-source of http and https. Setting AllowUnsafeURLs to a non
zero value should allow any URL be loaded via gcf:

Review URL: http://codereview.chromium.org/3159006

git-svn-id: svn://svn.chromium.org/chrome/trunk/src@56096 0039d316-1c4b-4281-b951-d872f2087c98

1 files changed, 1 insertions, 1 deletions

diff --git a/chrome_frame/bho.cc b/chrome_frame/bho.cc
index 62ffa8e..f8d44e6 100644
--- a/chrome_frame/bho.cc
+++ b/chrome_frame/bho.cc
@@ -300,7 +300,7 @@ void Bho::ProcessOptInUrls(IWebBrowser2* browser, BSTR url) {
 #endif
 
   std::wstring current_url(url, SysStringLen(url));
-  if (IsValidUrlScheme(current_url, false)) {
+  if (IsValidUrlScheme(GURL(current_url), false)) {
     bool cf_protocol = StartsWith(current_url, kChromeProtocolPrefix, false);
     if (!cf_protocol && IsOptInUrl(current_url.c_str())) {
       DLOG(INFO) << "Opt-in URL. Switching to cf.";