Don't preserve NavigationEntry for failed navigations with invalid URLs.

The formatting logic may rewrite such URLs into an unsafe state.  This
is a first step before preventing navigations to invalid URLs entirely.

Bug: 850824
Change-Id: I71743bfb4b610d55ce901ee8902125f934a2bb23
Reviewed-on: https://chromium-review.googlesource.com/c/1252942Reviewed-by: Alex Moshchuk <alexmos@chromium.org>
Commit-Queue: Charlie Reis <creis@chromium.org>
Cr-Commit-Position: refs/heads/master@{#597304}

chrome/browser/chrome_navigation_browsertest.cc

@@ -449,6 +449,32 @@ IN_PROC_BROWSER_TEST_F(ChromeNavigationPortMappedBrowserTest,
   EXPECT_EQ(GURL(), new_web_contents->GetLastCommittedURL());
 }
 
+// Ensure that a failed navigation in a new tab will not leave an invalid
+// visible URL, which may be formatted in an unsafe way in the omnibox.
+// See https://crbug.com/850824.
+IN_PROC_BROWSER_TEST_F(ChromeNavigationBrowserTest,
+                       ClearInvalidPendingURLOnFail) {
+  GURL initial_url = embedded_test_server()->GetURL(
+      "/frame_tree/invalid_link_to_new_window.html");
+
+  // Navigate to a page with a link that opens an invalid URL in a new window.
+  ui_test_utils::NavigateToURL(browser(), initial_url);
+  content::WebContents* main_contents =
+      browser()->tab_strip_model()->GetActiveWebContents();
+
+  // Simulate a click on the link and wait for the new window.
+  content::WebContentsAddedObserver new_tab_observer;
+  EXPECT_TRUE(ExecuteScript(main_contents, "simulateClick()"));
+  content::WebContents* new_contents = new_tab_observer.GetWebContents();
+
+  // The load in the new window should fail.
+  EXPECT_FALSE(WaitForLoadStop(new_contents));
+
+  // Ensure that there is no pending entry or visible URL.
+  EXPECT_EQ(nullptr, new_contents->GetController().GetPendingEntry());
+  EXPECT_EQ(GURL(), new_contents->GetVisibleURL());
+}
+
 // A test performing two simultaneous navigations, to ensure code in chrome/,
 // such as tab helpers, can handle those cases.
 // This test starts a browser-initiated cross-process navigation, which is

chrome/test/data/frame_tree/invalid_link_to_new_window.html

+<!doctype html>
+<html>
+<head>
+<script>
+function simulateClick() {
+  var evt = new MouseEvent("click", {});
+  target = document.getElementById("invalid_url_link");
+  return target.dispatchEvent(evt);
+}
+</script>
+</head>
+<body>
+<a href="a.a:@javascript:foo()"
+   id="invalid_url_link"
+   target="win">Link to invalid URL in new window</a>
+</body>
+</html>

content/browser/frame_host/navigator_impl.cc

@@ -765,9 +765,14 @@ void NavigatorImpl::DiscardPendingEntryIfNeeded(int expected_pending_entry_id) {
   // allow the view to clear the pending entry and typed URL if the user
   // requests (e.g., hitting Escape with focus in the address bar).
   //
+  // Do not leave the pending entry visible if it has an invalid URL, since this
+  // might be formatted in an unexpected or unsafe way.
+  // TODO(creis): Block navigations to invalid URLs in https://crbug.com/850824.
+  //
   // Note: don't touch the transient entry, since an interstitial may exist.
-  bool should_preserve_entry = controller_->IsUnmodifiedBlankTab() ||
-                               delegate_->ShouldPreserveAbortedURLs();
+  bool should_preserve_entry = pending_entry->GetURL().is_valid() &&
+                               (controller_->IsUnmodifiedBlankTab() ||
+                                delegate_->ShouldPreserveAbortedURLs());
   if (pending_entry != controller_->GetVisibleEntry() ||
       !should_preserve_entry) {
     controller_->DiscardPendingEntry(true);