author | creis@chromium.org <creis@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2012-05-04 17:26:54 +0000 |
---|---|---|
committer | creis@chromium.org <creis@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2012-05-04 17:26:54 +0000 |
commit | 196159d5d5ca3ec76ddd993738a5d13ae4c46077 (patch) | |
tree | ccc02248bb37a4a0ab3c4de7990eca660e140235 /content/browser | |
parent | d54f8a4a7b186b3fdcfcee666b8fadd16f575576 (diff) | |
Don't allow targeted navigations across BrowsingInstances.
BUG=126174
TEST=Click a target=foo link again after a WebUI nav in the new window.
Review URL: https://chromiumcodereview.appspot.com/10350013
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@135370 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'content/browser')
-rw-r--r-- | content/browser/renderer_host/render_view_host_impl.cc | 4 | ||||
-rw-r--r-- | content/browser/web_contents/web_contents_impl.cc | 10 | ||||
-rw-r--r-- | content/browser/web_contents/web_contents_impl.h | 3 |
3 files changed, 14 insertions, 3 deletions
diff --git a/content/browser/renderer_host/render_view_host_impl.cc b/content/browser/renderer_host/render_view_host_impl.cc index 20891c8..4cd062f 100644 --- a/content/browser/renderer_host/render_view_host_impl.cc +++ b/content/browser/renderer_host/render_view_host_impl.cc @@ -1258,7 +1258,7 @@ void RenderViewHostImpl::OnMsgOpenURL(const GURL& url, GetProcess()->GetID(), false, &validated_url); delegate_->RequestOpenURL( - validated_url, referrer, disposition, source_frame_id); + this, validated_url, referrer, disposition, source_frame_id); } void RenderViewHostImpl::OnMsgDidContentsPreferredSizeChange( @@ -1490,6 +1490,8 @@ bool RenderViewHostImpl::IsFullscreen() const { } void RenderViewHostImpl::OnMsgFocus() { + // Note: We allow focus and blur from swapped out RenderViewHosts, even when + // the active RenderViewHost is in a different BrowsingInstance (e.g., WebUI). delegate_->Activate(); } diff --git a/content/browser/web_contents/web_contents_impl.cc b/content/browser/web_contents/web_contents_impl.cc index c7ac5bf..4164a98 100644 --- a/content/browser/web_contents/web_contents_impl.cc +++ b/content/browser/web_contents/web_contents_impl.cc @@ -2337,10 +2337,18 @@ void WebContentsImpl::DocumentOnLoadCompletedInMainFrame( content::Details<int>(&page_id)); } -void WebContentsImpl::RequestOpenURL(const GURL& url, +void WebContentsImpl::RequestOpenURL(RenderViewHost* rvh, + const GURL& url, const content::Referrer& referrer, WindowOpenDisposition disposition, int64 source_frame_id) { + // If this came from a swapped out RenderViewHost, we only allow the request + // if we are still in the same BrowsingInstance. + if (static_cast<RenderViewHostImpl*>(rvh)->is_swapped_out() && + !rvh->GetSiteInstance()->IsRelatedSiteInstance(GetSiteInstance())) { + return; + } + // Delegate to RequestTransferURL because this is just the generic // case where |old_request_id| is empty. RequestTransferURL(url, referrer, disposition, source_frame_id, 
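Review bot: The new guard at the top of `WebContentsImpl::RequestOpenURL` is only as strong as the `rvh` argument: it dereferences `rvh` through an unchecked `static_cast<RenderViewHostImpl*>` and decides on `is_swapped_out()`, so a caller that passes null crashes, and one that passes the active host instead of the sending host makes the check pass unconditionally. The only caller visible in this diff passes `this` from `OnMsgOpenURL`, which is correct, but the contract should be stated next to the check, e.g. `DCHECK(rvh);` plus `// |rvh| must be the RenderViewHost that sent the request, not the currently active one.`; the declaration in web_contents_impl.h carries no such comment either. The rejected request is dropped with a bare `return;`, so a renderer that keeps hitting this path leaves no trace for anyone investigating; consider whether a log line or counter belongs there. The function body runs past the end of the hunk and `RequestTransferURL` is not shown, so whether that path can be reached from a swapped-out host without the same check cannot be confirmed from here.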
diff --git a/content/browser/web_contents/web_contents_impl.h b/content/browser/web_contents/web_contents_impl.h index b330375..594a05c 100644 --- a/content/browser/web_contents/web_contents_impl.h +++ b/content/browser/web_contents/web_contents_impl.h @@ -282,7 +282,8 @@ class CONTENT_EXPORT WebContentsImpl virtual void DocumentOnLoadCompletedInMainFrame( content::RenderViewHost* render_view_host, int32 page_id) OVERRIDE; - virtual void RequestOpenURL(const GURL& url, + virtual void RequestOpenURL(content::RenderViewHost* rvh, + const GURL& url, const content::Referrer& referrer, WindowOpenDisposition disposition, int64 source_frame_id) OVERRIDE; |