From 8d5cb21f876a51c4fddcb90954e0dd819a09a7a5 Mon Sep 17 00:00:00 2001 From: "japhet@chromium.org" Date: Wed, 4 Jun 2014 09:00:39 +0000 Subject: Trust the renderer's same-document navigation flag if it is a same-origin nav. Currently in AreURLsInPageNavigation, we only trust renderer_says_in_page if the before and after urls are identical. This prevents us from correctly classifying history.pushState and history.replaceState navigations as in-page. Navigations via the history API are required to be same-origin, but can differ by more than just the ref component, so we get the correct behavior without the renderer process being able to lie about a cross-origin navigation. BUG=138324 TEST=Added cases to NavigationControllerTest.IsInPageNavigation Review URL: https://codereview.chromium.org/304763002 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@274734 0039d316-1c4b-4281-b951-d872f2087c98
---
 content/browser/frame_host/navigation_controller_impl.h | 10 +++------- 1 file changed, 3 insertions(+), 7 deletions(-) (limited to 'content/browser/frame_host/navigation_controller_impl.h')
diff --git a/content/browser/frame_host/navigation_controller_impl.h b/content/browser/frame_host/navigation_controller_impl.h
index 7ec82f3..7a06ba66 100644
--- a/content/browser/frame_host/navigation_controller_impl.h
+++ b/content/browser/frame_host/navigation_controller_impl.h
@@ -159,15 +159,11 @@ class CONTENT_EXPORT NavigationControllerImpl
   // whether a navigation happened without loading anything, the same URL could
   // be a reload, while only a different ref would be in-page (pages can't clear
   // refs without reload, only change to "#" which we don't count as empty).
-  bool IsURLInPageNavigation(const GURL& url) const {
-    return IsURLInPageNavigation(url, false, NAVIGATION_TYPE_UNKNOWN);
-  }
-
+  //
   // The situation is made murkier by history.replaceState(), which could
   // provide the same URL as part of an in-page navigation, not a reload. So
-  // we need this form which lets the (untrustworthy) renderer resolve the
-  // ambiguity, but only when the URLs are equal. This should be safe since the
-  // origin isn't changing.
+  // we need to let the (untrustworthy) renderer resolve the ambiguity, but
+  // only when the URLs are on the same origin.
   bool IsURLInPageNavigation(
       const GURL& url,
       bool renderer_says_in_page,
-- 
cgit v1.1
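Review bot: The rewritten comment on the `+` lines says the renderer is consulted "only when the URLs are on the same origin" but no longer records why that bound is acceptable or which side enforces it, which the removed sentence ("This should be safe since the origin isn't changing") at least hinted at. Since the same-origin comparison itself appears to live in AreURLsInPageNavigation in the .cc (per the commit message, not visible in this hunk), this header comment is where the next reader learns that `renderer_says_in_page` is untrusted input that must only be consulted after the browser-side origin comparison. I would extend the comment with `// The origin comparison is done in the browser process, so a compromised renderer can at most misclassify a navigation within its own origin; it can never make a cross-origin load look in-page.` If that comparison is a plain GURL origin equality, the comment should also say how schemes without a meaningful origin (e.g. file: or data:) are treated, since those can compare as same-origin by construction; whether that case is handled cannot be confirmed from this hunk. The `IsURLInPageNavigation` declaration continues past the end of the hunk.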