Allow "cross-origin" navigations from about:blank in AreURLsInPageNavigation

This can happen when an iframe is opened, then popualted via a document.write() from its parent. This will cause the url to change to the parent's url, but the browser process will not be notified of this url change. If the iframe then attempts a fragment navigation, it looks like a cross-origin navigation from about:blank. BUG=390798 TEST=Added case to NavigationControllerTest.IsInPageNavigation Review URL: https://codereview.chromium.org/372403002 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@282679 0039d316-1c4b-4281-b951-d872f2087c98

Allow "cross-origin" navigations from about:blank in AreURLsInPageNavigation
This can happen when an iframe is opened, then popualted via a document.write() from its parent. This will cause the url to change to the parent's url, but the browser process will not be notified of this url change. If the iframe then attempts a fragment navigation, it looks like a cross-origin navigation from about:blank. BUG=390798 TEST=Added case to NavigationControllerTest.IsInPageNavigation Review URL: https://codereview.chromium.org/372403002 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@282679 0039d316-1c4b-4281-b951-d872f2087c98
62e412be · japhet@chromium.org · ebc42b22 · 62e412be · 62e412be
Commit 62e412be authored Jul 11, 2014 by japhet@chromium.org
2 changed files
--- a/content/browser/frame_host/navigation_controller_impl.cc
+++ b/content/browser/frame_host/navigation_controller_impl.cc
@@ -123,6 +123,13 @@ bool AreURLsInPageNavigation(const GURL& existing_url,
                             RenderFrameHost* rfh) {
  WebPreferences prefs = rfh->GetRenderViewHost()->GetWebkitPreferences();
  bool is_same_origin = existing_url.is_empty() ||
+                        // TODO(japhet): We should only permit navigations
+                        // originating from about:blank to be in-page if the
+                        // about:blank is the first document that frame loaded.
+                        // We don't have sufficient information to identify
+                        // that case at the moment, so always allow about:blank
+                        // for now.
+                        existing_url == GURL(url::kAboutBlankURL) ||
                        existing_url.GetOrigin() == new_url.GetOrigin() ||
                        !prefs.web_security_enabled;
  if (!is_same_origin && renderer_says_in_page)

--- a/content/browser/frame_host/navigation_controller_impl_unittest.cc
+++ b/content/browser/frame_host/navigation_controller_impl_unittest.cc
@@ -3072,8 +3072,21 @@ TEST_F(NavigationControllerTest, DontShowRendererURLInNewTabAfterCommit) {
 // regression for bug 1126349.
 TEST_F(NavigationControllerTest, IsInPageNavigation) {
  NavigationControllerImpl& controller = controller_impl();
-  // Navigate to URL with no refs.
  const GURL url("http://www.google.com/home.html");
+
+  // If the renderer claims it performed an in-page navigation from
+  // about:blank, trust the renderer.
+  // This can happen when an iframe is created and populated via
+  // document.write(), then tries to perform a fragment navigation.
+  // TODO(japhet): We should only trust the renderer if the about:blank
+  // was the first document in the given frame, but we don't have enough
+  // information to identify that case currently.
+  const GURL blank_url(url::kAboutBlankURL);
+  main_test_rfh()->SendNavigate(0, blank_url);
+  EXPECT_TRUE(controller.IsURLInPageNavigation(url, true,
+      main_test_rfh()));
+
+  // Navigate to URL with no refs.
  main_test_rfh()->SendNavigate(0, url);

  // Reloading the page is not an in-page navigation.