Do not remove %s token when validating (un)registerProtocolHandler's URL

The HTML specifications [1] indicates that the "%s" token is preserved when parsing the URL and this is important to properly perform syntax validation. Currently, Chrome removes the token, which means that something like "ht%stp://example.org" is treated as a valid URL and bypasses the security check. This is however treated as invalid for the browser process validation and so leads to a crash (bad IPC message). The WPT tests are updated to provide the correct expectations. Those for which the %s token is inside the protocol are treated as relative URLs and are valid. Others where the %s token is inside the hostname or port should raise syntax errors. [1] https://html.spec.whatwg.org/multipage/system-state.html#normalize-protocol-handler-parameters Bug: 1112377 Change-Id: I962bcfdd593223568fc72475efeb299adaa72236 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2335434Reviewed-by: Mike West <mkwst@chromium.org> Commit-Queue: Frédéric Wang <fwang@igalia.com> Cr-Commit-Position: refs/heads/master@{#796404}

Do not remove %s token when validating (un)registerProtocolHandler's URL
The HTML specifications [1] indicates that the "%s" token is preserved when parsing the URL and this is important to properly perform syntax validation. Currently, Chrome removes the token, which means that something like "ht%stp://example.org" is treated as a valid URL and bypasses the security check. This is however treated as invalid for the browser process validation and so leads to a crash (bad IPC message). The WPT tests are updated to provide the correct expectations. Those for which the %s token is inside the protocol are treated as relative URLs and are valid. Others where the %s token is inside the hostname or port should raise syntax errors. [1] https://html.spec.whatwg.org/multipage/system-state.html#normalize-protocol-handler-parameters Bug: 1112377 Change-Id: I962bcfdd593223568fc72475efeb299adaa72236 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2335434Reviewed-by: Mike West <mkwst@chromium.org> Commit-Queue: Frédéric Wang <fwang@igalia.com> Cr-Commit-Position: refs/heads/master@{#796404}
5857da64 · Frédéric Wang · Commit Bot · 008d0a49 · 5857da64 · 5857da64
Commit 5857da64 authored Aug 10, 2020 by Frédéric Wang Committed by Commit Bot Aug 10, 2020
2 changed files
--- a/third_party/blink/renderer/modules/navigatorcontentutils/navigator_content_utils.cc
+++ b/third_party/blink/renderer/modules/navigatorcontentutils/navigator_content_utils.cc
@@ -87,9 +87,7 @@ static bool VerifyCustomHandlerURLSecurity(const LocalDOMWindow& window,
 static bool VerifyCustomHandlerURL(const LocalDOMWindow& window,
                                   const String& user_url,
                                   ExceptionState& exception_state) {
-  String new_url = user_url;
-  new_url.Remove(user_url.Find(kToken), base::size(kToken) - 1);
-  KURL full_url = window.CompleteURL(new_url);
+  KURL full_url = window.CompleteURL(user_url);
  KURL base_url = window.BaseURL();
  String error_message;


--- a/third_party/blink/web_tests/external/wpt/html/webappapis/system-state-and-capabilities/the-navigator-object/protocol.https.html
+++ b/third_party/blink/web_tests/external/wpt/html/webappapis/system-state-and-capabilities/the-navigator-object/protocol.https.html
@@ -24,6 +24,10 @@ test(() => {
 [
  '%s',
  'foo/%s',
+  `%s${location.href}`,
+  location.href.replace(location.protocol,
+    `${location.protocol[0]}%s${location.protocol.substring(1)}`),
+  location.href.replace(location.protocol, `${location.protocol}%s`),
  location.href + '/%s',
  location.href + '#%s',
  location.href + '?foo=%s',
@@ -45,6 +49,10 @@ test(() => {
 [
  '',
  '%S',
+  'http://%s.com',
+  'http://%s.example.com',
+  location.href.replace(location.hostname, `%s${location.hostname}`),
+  location.href.replace(location.port, `%s${location.port}`),
  location.href + '',
  location.href + '/%',
  location.href + '/%a',
@@ -64,8 +72,6 @@ test(() => {
 });

 [
-  'http://%s.com',
-  'http://%s.example.com',
  'http://example.com/%s',
  'https://example.com/%s',
  'http://foobar.example.com/%s',