[Merge to M-58] Add a warning for the deprecation of content-initiated data URL navigations

This CL adds a console warning when a page navigates the top level frame to a
data URL.

The browser tests are added to WebContentsImpl tests to be consistent with
the view-source URL tests.

This CL also updates most of the layout tests to avoid loading data URLs at
the top level. The only exceptions are xss-DENIED-* tests which will be updated
when the actual blocking happens.

BUG=594215,699277
CQ_INCLUDE_TRYBOTS=master.tryserver.chromium.linux:linux_site_isolation

Review-Url: https://codereview.chromium.org/2694903007
Cr-Commit-Position: refs/heads/master@{#455226}
(cherry picked from commit b29954e)

Review-Url: https://codereview.chromium.org/2734783010 .
Cr-Commit-Position: refs/branch-heads/3029@{#68}
Cr-Branched-From: 939b32e-refs/heads/master@{#454471}

Author: meacer

content/browser/frame_host/navigation_handle_impl.cc

@@ -656,6 +656,14 @@ void NavigationHandleImpl::DidCommitNavigation(
   } else {
     state_ = DID_COMMIT;
   }
+
+  if (url_.SchemeIs(url::kDataScheme) && IsInMainFrame() &&
+      IsRendererInitiated()) {
+    GetRenderFrameHost()->AddMessageToConsole(
+        CONSOLE_MESSAGE_LEVEL_WARNING,
+        "Upcoming versions will block content-initiated top frame navigations "
+        "to data: URLs. For more information, see https://goo.gl/BaZAea.");
+  }
 }
 
 void NavigationHandleImpl::Transfer() {

content/browser/web_contents/web_contents_impl_browsertest.cc

@@ -4,6 +4,7 @@
 
 #include "base/macros.h"
 #include "base/run_loop.h"
+#include "base/strings/pattern.h"
 #include "base/strings/utf_string_conversions.h"
 #include "base/values.h"
 #include "build/build_config.h"
@@ -845,6 +846,90 @@ IN_PROC_BROWSER_TEST_F(WebContentsImplBrowserTest, ViewSourceWebUI) {
                   ->IsViewSourceMode());
 }
 
+namespace {
+const char kDataUrlWarningPattern[] =
+    "Upcoming versions will block content-initiated top frame navigations*";
+
+// This class listens for console messages other than the data: URL warning. It
+// fails the test if it sees a data: URL warning.
+class NoDataURLWarningConsoleObserverDelegate : public ConsoleObserverDelegate {
+ public:
+  using ConsoleObserverDelegate::ConsoleObserverDelegate;
+  // WebContentsDelegate method:
+  bool DidAddMessageToConsole(WebContents* source,
+                              int32_t level,
+                              const base::string16& message,
+                              int32_t line_no,
+                              const base::string16& source_id) override {
+    std::string ascii_message = base::UTF16ToASCII(message);
+    EXPECT_FALSE(base::MatchPattern(ascii_message, kDataUrlWarningPattern));
+    return ConsoleObserverDelegate::DidAddMessageToConsole(
+        source, level, message, line_no, source_id);
+  }
+};
+
+}  // namespace
+
+// Test that a direct navigation to a data URL doesn't show a console warning.
+IN_PROC_BROWSER_TEST_F(WebContentsImplBrowserTest, DataURLDirectNavigation) {
+  ASSERT_TRUE(embedded_test_server()->Start());
+  const GURL kUrl(embedded_test_server()->GetURL("/simple_page.html"));
+
+  NoDataURLWarningConsoleObserverDelegate console_delegate(
+      shell()->web_contents(), "FINISH");
+  shell()->web_contents()->SetDelegate(&console_delegate);
+
+  NavigateToURL(
+      shell(),
+      GURL("data:text/html,<html><script>console.log('FINISH');</script>"));
+  console_delegate.Wait();
+  EXPECT_TRUE(shell()->web_contents()->GetURL().SchemeIs(url::kDataScheme));
+  EXPECT_FALSE(
+      base::MatchPattern(console_delegate.message(), kDataUrlWarningPattern));
+}
+
+// Test that window.open to a data URL shows a console warning.
+IN_PROC_BROWSER_TEST_F(WebContentsImplBrowserTest,
+                       DataURLWindowOpen_ShouldWarn) {
+  ASSERT_TRUE(embedded_test_server()->Start());
+  const GURL kUrl(embedded_test_server()->GetURL("/simple_page.html"));
+  NavigateToURL(shell(), kUrl);
+
+  ShellAddedObserver new_shell_observer;
+  EXPECT_TRUE(ExecuteScript(shell()->web_contents(),
+                            "window.open('data:text/plain,test');"));
+  Shell* new_shell = new_shell_observer.GetShell();
+
+  ConsoleObserverDelegate console_delegate(
+      new_shell->web_contents(),
+      "Upcoming versions will block content-initiated top frame navigations*");
+  new_shell->web_contents()->SetDelegate(&console_delegate);
+  console_delegate.Wait();
+  EXPECT_TRUE(new_shell->web_contents()->GetURL().SchemeIs(url::kDataScheme));
+}
+
+// Test that a content initiated navigation to a data URL shows a console
+// warning.
+IN_PROC_BROWSER_TEST_F(WebContentsImplBrowserTest, DataURLRedirect_ShouldWarn) {
+  ASSERT_TRUE(embedded_test_server()->Start());
+  const GURL kUrl(embedded_test_server()->GetURL("/simple_page.html"));
+  NavigateToURL(shell(), kUrl);
+
+  ConsoleObserverDelegate console_delegate(
+      shell()->web_contents(),
+      "Upcoming versions will block content-initiated top frame navigations*");
+  shell()->web_contents()->SetDelegate(&console_delegate);
+  EXPECT_TRUE(ExecuteScript(shell()->web_contents(),
+                            "window.location.href = 'data:text/plain,test';"));
+  console_delegate.Wait();
+  EXPECT_TRUE(shell()
+                  ->web_contents()
+                  ->GetController()
+                  .GetLastCommittedEntry()
+                  ->GetURL()
+                  .SchemeIs(url::kDataScheme));
+}
+
 IN_PROC_BROWSER_TEST_F(WebContentsImplBrowserTest, NewNamedWindow) {
   ASSERT_TRUE(embedded_test_server()->Start());
 

third_party/WebKit/LayoutTests/fast/dom/Window/mozilla-focus-blur-expected.txt

@@ -4,8 +4,8 @@ This test is adopted from mozilla's tests.
 
 PASS: The focus should not have been changed!
 PASS: The focus should not have been changed!
-PASS: The focus should not have been changed with URL=data:text/html,<script>opener.focus();opener.postMessage("", "*");</script>
-PASS: The focus should not have been changed with URL=data:text/html,<script>blur();opener.postMessage("", "*");</script>
+PASS: The focus should not have been changed with URL=resources/mozilla-focus-blur-popup-opener-focus.html
+PASS: The focus should not have been changed with URL=resources/mozilla-focus-blur-popup-blur.html
 PASS: The last opened window should be able to get focus
 PASS: All tests finished
 

third_party/WebKit/LayoutTests/fast/dom/Window/mozilla-focus-blur.html

@@ -73,11 +73,11 @@
 }
 
 function test3() {
-    focusShouldNotChange2('data:text/html,<script>opener.focus();opener.postMessage("", "*");<\/script>', test4);
+    focusShouldNotChange2('resources/mozilla-focus-blur-popup-opener-focus.html', test4);
 }
 
 function test4() {
-    focusShouldNotChange2('data:text/html,<script>blur();opener.postMessage("", "*");<\/script>', test5);
+    focusShouldNotChange2('resources/mozilla-focus-blur-popup-blur.html', test5);
 }
 
 function test5()

third_party/WebKit/LayoutTests/fast/dom/Window/resources/file-origin-window-open-frame.html

@@ -8,5 +8,5 @@
   }
   top.postMessage(exc ? '' + exc : null, '*');
 });
-newWindow = window.open('data:text/html,<script>opener.postMessage("runTest","*");</scr' + 'ipt>');
+newWindow = window.open('file-origin-window-open-popup.html');
 </script>

third_party/WebKit/LayoutTests/fast/dom/Window/resources/file-origin-window-open-popup.html

@@ -0,0 +1 @@
+<script>opener.postMessage("runTest","*");</script>

third_party/WebKit/LayoutTests/fast/dom/Window/resources/mozilla-focus-blur-popup-blur.html

@@ -0,0 +1 @@
+<script>blur();opener.postMessage("", "*");</script>

third_party/WebKit/LayoutTests/fast/dom/Window/resources/mozilla-focus-blur-popup-opener-focus.html

@@ -0,0 +1 @@
+<script>opener.focus();opener.postMessage("", "*");</script>

third_party/WebKit/LayoutTests/fast/dom/id-attribute-shared-expected.txt

@@ -1 +1 @@
-PASS
+Hooray, you got here! That means the test succeeded!

third_party/WebKit/LayoutTests/fast/dom/id-attribute-shared.html

@@ -24,7 +24,7 @@
     document.body.appendChild(object1);
     input = iframe.contentDocument.createElement('input');
     document.body.appendChild(input);
-    noderef1 = input.parentElement; 
+    noderef1 = input.parentElement;
     node2.appendChild(noderef1);
     embed = document.createElement('embed');
     object1.id = 4294967294;
@@ -43,7 +43,7 @@
     template2content.appendChild(object2);
     gc();
     object2.cloneNode();
-    document.location='data:text/html,<body>PASS<script>if (window.testRunner) testRunner.notifyDone()</scr' + 'ipt></body>';
+    document.location = 'Window/resources/destination.html';
 }
 
 runTest();

third_party/WebKit/LayoutTests/fast/events/move-event-handler-between-framehosts.html

@@ -25,7 +25,7 @@
         testRunner.waitUntilDone();
         testRunner.setCanOpenWindows();
     }
-    window2 = window.open('data:text/html,<div id="div" onscroll="function() {}"></div>');
+    window2 = window.open('resources/move-event-handler-between-framehosts-popup.html');
     window2.addEventListener("load", window2Loaded, false);
 }
 

third_party/WebKit/LayoutTests/fast/events/onunload-clears-onbeforeunload.html

@@ -9,7 +9,7 @@
 }
 
 window.addEventListener('beforeunload', before, false);
-window.onunload = unload; 
+window.onunload = unload;
 
 function before()
 {
@@ -24,7 +24,7 @@
 
 function load()
 {
-    location = "data:text/html,If you didn't hit an assert you PASS.<script>if (window.testRunner) testRunner.notifyDone(); </" + "script>";
+    location = "resources/onunload-clears-onbeforeunload-success.html";
 }
 
 </script>

third_party/WebKit/LayoutTests/fast/events/onunload-expected.txt

@@ -1,2 +1,2 @@
 CONSOLE ERROR: Blocked alert('unload') during unload.
-You should have seen an unload alert appear.
+You should only see one unload alert appear.

third_party/WebKit/LayoutTests/fast/events/onunload-not-on-body-expected.txt

@@ -1,2 +1,2 @@
 CONSOLE ERROR: Blocked alert('unload') during unload.
-you should only see one unload alert appear.
+You should only see one unload alert appear.

third_party/WebKit/LayoutTests/fast/events/onunload-not-on-body.html

@@ -8,7 +8,7 @@
 
 function load()
 {
-    location = "data:text/html,you should only see one unload alert appear.<script>if (window.testRunner) testRunner.notifyDone(); </" + "script>";
+    location = "resources/onunload-single-alert-success.html";
 }
 
 function unload()

third_party/WebKit/LayoutTests/fast/events/onunload-window-property-expected.txt

@@ -1,2 +1,2 @@
 CONSOLE ERROR: Blocked alert('unload') during unload.
-You should have seen an unload alert appear.
+You should only see one unload alert appear.

third_party/WebKit/LayoutTests/fast/events/onunload-window-property.html

@@ -16,7 +16,7 @@
 function load()
 {
     window.onunload = unload;
-    location = "data:text/html,You should have seen an unload alert appear.<script>if (window.testRunner) testRunner.notifyDone(); </" + "script>";
+    location = "resources/onunload-single-alert-success.html";
 }
 
 </script>

third_party/WebKit/LayoutTests/fast/events/onunload.html

@@ -8,7 +8,7 @@
 
 function load()
 {
-    location = "data:text/html,You should have seen an unload alert appear.<script>if (window.testRunner) testRunner.notifyDone(); </" + "script>";
+    location = "resources/onunload-single-alert-success.html";
 }
 
 function unload()

third_party/WebKit/LayoutTests/fast/events/page-visibility-unload.html

@@ -9,7 +9,7 @@
 function load()
 {
     document.addEventListener("visibilitychange", onVisibilityChange, false);
-    location = "data:text/html,You should have seen a warning message for alert dialog.<script>if (window.testRunner) testRunner.notifyDone(); </" + "script>";
+    location = "resources/page-visibility-alert-success.html";
 }
 
 function onVisibilityChange()

third_party/WebKit/LayoutTests/fast/events/pageshow-pagehide-on-back-uncached.html

@@ -14,7 +14,7 @@
         setTimeout(function() { if (window.testRunner) testRunner.notifyDone(); }, 10);
     } else {
         window.name = "pageshow/pagehide";
-        setTimeout('window.location = "data:text/html,<script>history.back();</scr" + "ipt>"', 0);
+        setTimeout('window.location = "../../resources/back.html"', 0);
     }
 }
 

third_party/WebKit/LayoutTests/fast/events/popup-blocked-from-untrusted-mouse-click-expected.txt

@@ -1,4 +1,4 @@
 
-open a new window 
+open a new window
 The JavaScript created (untrusted) event inside a user-initiated (trusted) event should not cache the UserGesture status. This test is for bug https://bugs.webkit.org/show_bug.cgi?id=50508.
 PASSED

third_party/WebKit/LayoutTests/fast/events/popup-blocked-from-untrusted-mouse-click.html

@@ -27,7 +27,7 @@
     }
 }
 
-function dispatchEvent(obj, evt)  { 
+function dispatchEvent(obj, evt)  {
     return function() {
         return obj.dispatchEvent(evt);
     }
@@ -37,12 +37,13 @@
     var evt = document.createEvent("MouseEvents");
     evt.initMouseEvent("click", true, true, window,
         0, 0, 0, 0, 0, false, false, false, false, 0, null);
-    var cb = document.getElementById("anchor"); 
+    var cb = document.getElementById("anchor");
     setTimeout(dispatchEvent(cb, evt), 100);
 }
 
 function openWindow(evt) {
-    window.open("data:text/html\, try to open new window", "_blank");
+    // Try to open a new window.
+    window.open("about:blank", "_blank");
     // If we enabled the popup blocker, the new window should be blocked.
     // The windowCount should still be 1.
     var expectedWindowCount = 1;
@@ -78,6 +79,6 @@
 </script>
 <body onload="window.setTimeout(test, 0);">
 <input type="button" onclick="simulateClick();" value="click me" id="btn"><br>
-<a onclick="openWindow(event)" id="anchor"> open a new window </a><br>
+<a onclick="openWindow(event)" id="anchor">open a new window</a><br>
 The JavaScript created (untrusted) event inside a user-initiated (trusted) event should not cache the UserGesture status. This test is for bug https://bugs.webkit.org/show_bug.cgi?id=50508.
 <div id="console">FAILED</div>

third_party/WebKit/LayoutTests/fast/events/resources/move-event-handler-between-framehosts-popup.html

@@ -0,0 +1 @@
+<div id="div" onscroll="function() {}"></div>

third_party/WebKit/LayoutTests/fast/events/resources/onunload-clears-onbeforeunload-success.html

@@ -0,0 +1,2 @@
+If you didn't hit an assert you PASS.
+<script>if (window.testRunner) testRunner.notifyDone(); </script>

third_party/WebKit/LayoutTests/fast/events/resources/onunload-single-alert-success.html

@@ -0,0 +1,2 @@
+You should only see one unload alert appear.
+<script>if (window.testRunner) testRunner.notifyDone(); </script>

third_party/WebKit/LayoutTests/fast/events/resources/page-visibility-alert-success.html

@@ -0,0 +1,3 @@
+You should have seen a warning message for alert dialog.
+<script>if (window.testRunner) testRunner.notifyDone(); </script>
+

third_party/WebKit/LayoutTests/fast/files/null-origin-string.html

@@ -1,7 +1,10 @@
 <!DOCTYPE html>
 <html>
 <body>
-<script> /* This script will be executed in a subframe. */
+<script>
+/* This script will be executed in a subframe. Do not use double slash comments
+   or double quotes in this script tag, they break the test because of innerText
+   call below. */
 function runTest()
 {
     eventSender.beginDragWithFiles(['resources/UTF8.txt']);
@@ -15,8 +18,7 @@
     var reader = new FileReader();
     reader.readAsText(file);
     console.log('Started reading...');
-
-    top.location = 'data:text/html,<p>PASS if no crash.</p><script>testRunner.notifyDone()</scr' + 'ipt>';
+    top.postMessage('navigateToSuccess', '*');
 }
 </script>
 
@@ -25,7 +27,16 @@
     testRunner.dumpAsText();
     testRunner.waitUntilDone();
 }
-document.write('<iframe src="data:text/html,<input type=file id=file onchange=\'onInputFileChange()\'><script>' + document.getElementsByTagName("script")[0].innerText + 'runTest()</scr' + 'ipt>" style="left:0px;top:0px"></iframe>');
+document.write(
+    '<script>' +
+    'window.onmessage = function(evt){' +
+    '  if (evt.data == "navigateToSuccess") {' +
+    '    window.location = "resources/notify-no-crash.html";' +
+    '  }' +
+    '}' +
+    '</scr' + 'ipt>' +
+    '<iframe src="data:text/html,<input type=file id=file onchange=\'onInputFileChange()\'><script>' +
+    document.getElementsByTagName("script")[0].innerText + 'runTest()</scr' + 'ipt>" style="left:0px;top:0px"></iframe>');
 </script>
 
 <p>Test that using FileReader from a document with unique origin doesn't cause a crash.</p>

third_party/WebKit/LayoutTests/fast/files/resources/notify-no-crash.html

@@ -0,0 +1,2 @@
+PASS if no crash.
+<script>if (window.testRunner) testRunner.notifyDone()</script>

third_party/WebKit/LayoutTests/fast/forms/button-state-restore.html

@@ -31,8 +31,8 @@
             input.value = "FAIL";
 
             var form = document.getElementById("form");
-            
-            // Submit form in a timeout to make sure that we create a new back/forward list item.            
+
+            // Submit form in a timeout to make sure that we create a new back/forward list item.
             setTimeout(function() {form.submit();}, 0);
         }
     </script>
@@ -49,6 +49,6 @@
     <button type="button" name="foo">Button</button>
     <input id="input" type="button" name="foo" value="PASS">
     <input id="beenHere">
-    <form action="data:text/html,<script>history.back()</script>" method="POST" id="form"></form>
+    <form action="../../resources/back.html" method="POST" id="form"></form>
 </body>
 </html>

third_party/WebKit/LayoutTests/fast/forms/multiple-form-submission-protection-mouse.html

@@ -43,7 +43,7 @@
 <li>Click on "Click 2" to submit form to this window. Single word "SUCCESS" should replace the contents of this document.
 </ol>
 <p>If either event doesn't occur, the test has failed.
-<form method="post" name="test" action="data:text/html,<script>if (opener) { opener.postMessage('trololo', '*'); window.close(); } else { document.write('SUCCESS'); window.testRunner && testRunner.notifyDone(); }</script>">
+<form method="post" name="test" action="resources/multiple-form-submission-protection-post-target.html">
 <input type="button" id="button1" value="Click 1" onclick="submitTo('_new')">
 <input type="button" id="button2" value="Click 2" onclick="submitTo('_self')">
 </form>

third_party/WebKit/LayoutTests/fast/forms/radio/state-restore-radio-group.html

@@ -9,7 +9,7 @@
 
 <input id=emptyOnFirstVisit>
 <div id=parent>
-<form action="data:text/html,<script>history.back()&lt;/script>" id=form1>
+<form action="../../../resources/back.html" id=form1>
 <input name=user type=radio id=input1>
 <input checked name=user type=radio id=input2>
 </form>

third_party/WebKit/LayoutTests/fast/forms/resources/multiple-form-submission-protection-post-target.html

@@ -0,0 +1,9 @@
+<script>
+if (opener) {
+  opener.postMessage('trololo', '*');
+  window.close();
+} else {
+  document.write('SUCCESS');
+  window.testRunner && testRunner.notifyDone();
+}
+</script>