Merge 177351

> Validate the target URL when opening new windows.
> 
> BUG=170532
> Review URL: https://codereview.chromium.org/11961028

TBR=cevans@chromium.org
Review URL: https://codereview.chromium.org/12010002

git-svn-id: svn://svn.chromium.org/chrome/branches/1364/src@177471 0039d316-1c4b-4281-b951-d872f2087c98

1 files changed, 8 insertions, 1 deletions

diff --git a/content/browser/renderer_host/render_view_host_impl.cc b/content/browser/renderer_host/render_view_host_impl.cc
index b49410c..1c8ed65 100644
--- a/content/browser/renderer_host/render_view_host_impl.cc
+++ b/content/browser/renderer_host/render_view_host_impl.cc
@@ -1084,7 +1084,14 @@ void RenderViewHostImpl::CreateNewWindow(
     int route_id,
     const ViewHostMsg_CreateWindow_Params& params,
     SessionStorageNamespace* session_storage_namespace) {
-  delegate_->CreateNewWindow(route_id, params, session_storage_namespace);
+  ViewHostMsg_CreateWindow_Params validated_params(params);
+  ChildProcessSecurityPolicyImpl* policy =
+      ChildProcessSecurityPolicyImpl::GetInstance();
+  // TODO(cevans): also validate opener_url, opener_security_origin.
+  FilterURL(policy, GetProcess(), false, &validated_params.target_url);
+
+  delegate_->CreateNewWindow(route_id, validated_params,
+                             session_storage_namespace);
 }
 
 void RenderViewHostImpl::CreateNewWidget(int route_id,