Add a second line of defense against URL spoofs, killing the renderer instead.

BUG=86758
TEST=Shouldn't be reached.


Review URL: http://codereview.chromium.org/7483002

git-svn-id: svn://svn.chromium.org/chrome/trunk/src@93828 0039d316-1c4b-4281-b951-d872f2087c98

1 files changed, 8 insertions, 0 deletions

diff --git a/content/browser/tab_contents/navigation_controller.cc b/content/browser/tab_contents/navigation_controller.cc
index 649b149..3ffbad2 100644
--- a/content/browser/tab_contents/navigation_controller.cc
+++ b/content/browser/tab_contents/navigation_controller.cc
@@ -19,6 +19,7 @@
 #include "content/browser/tab_contents/navigation_entry.h"
 #include "content/browser/tab_contents/tab_contents.h"
 #include "content/browser/tab_contents/tab_contents_delegate.h"
+#include "content/browser/user_metrics.h"
 #include "content/common/content_constants.h"
 #include "content/common/navigation_types.h"
 #include "content/common/notification_service.h"
@@ -621,6 +622,13 @@ NavigationType::Type NavigationController::ClassifyNavigation(
     // back/forward entries (not likely since we'll usually tell it to navigate
     // to such entries). It could also mean that the renderer is smoking crack.
     NOTREACHED();
+
+    // Because the unknown entry has committed, we risk showing the wrong URL in
+    // release builds. Instead, we'll kill the renderer process to be safe.
+    LOG(ERROR) << "terminating renderer for bad navigation: " << params.url;
+    UserMetrics::RecordAction(UserMetricsAction("BadMessageTerminate_NC"));
+    if (tab_contents_->GetSiteInstance()->HasProcess())
+      tab_contents_->GetSiteInstance()->GetProcess()->ReceivedBadMessage();
     return NavigationType::NAV_IGNORE;
   }
   NavigationEntry* existing_entry = entries_[existing_entry_index].get();