authorAllan Sandfeld Jensen <allan.jensen@theqtcompany.com>2016-03-31 16:33:06 +0200
committerAllan Sandfeld Jensen <allan.jensen@theqtcompany.com>2016-04-01 12:24:17 +0000
commitf65c42f8a6395a5fd85719adda57ada167b0dab6 (patch)
tree3840d098e781d092f46d2f2df84b7163d97c362f /chromium/content
parentd26d06ed332166d6f61a5c06ab85aee5d987b2b6 (diff)
BASELINE: Update Chromium to 49.0.2623.111
Change-Id: I5f8c7bd936a259c7229924aba755ae6064ac9240 Reviewed-by: Joerg Bornemann <joerg.bornemann@theqtcompany.com>
Diffstat (limited to 'chromium/content')
-rw-r--r--chromium/content/browser/android/web_contents_observer_proxy.cc15
-rw-r--r--chromium/content/browser/android/web_contents_observer_proxy.h1
-rw-r--r--chromium/content/browser/frame_host/navigation_controller_impl_browsertest.cc40
-rw-r--r--chromium/content/browser/frame_host/navigator_impl.cc13
-rw-r--r--chromium/content/browser/frame_host/navigator_impl_unittest.cc30
-rw-r--r--chromium/content/browser/frame_host/render_widget_host_view_guest.cc11
-rw-r--r--chromium/content/renderer/media/media_stream_audio_processor.cc9
-rw-r--r--chromium/content/renderer/render_frame_impl.cc24
-rw-r--r--chromium/content/renderer/render_frame_impl.h3
9 files changed, 121 insertions, 25 deletions
diff --git a/chromium/content/browser/android/web_contents_observer_proxy.cc b/chromium/content/browser/android/web_contents_observer_proxy.cc
index 22ab07c2ed6..d176f61f21b 100644
--- a/chromium/content/browser/android/web_contents_observer_proxy.cc
+++ b/chromium/content/browser/android/web_contents_observer_proxy.cc
@@ -81,6 +81,9 @@ void WebContentsObserverProxy::DidStartLoading() {
ScopedJavaLocalRef<jobject> obj(java_observer_);
ScopedJavaLocalRef<jstring> jstring_url(
ConvertUTF8ToJavaString(env, web_contents()->GetVisibleURL().spec()));
+ if (auto entry = web_contents()->GetController().GetPendingEntry()) {
+ base_url_of_last_started_data_url_ = entry->GetBaseURLForDataURL();
+ }
Java_WebContentsObserverProxy_didStartLoading(env, obj.obj(),
jstring_url.obj());
}
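Review bot: When `GetPendingEntry()` returns null in `DidStartLoading()`, `base_url_of_last_started_data_url_` keeps whatever an earlier load stored, so its freshness depends entirely on the reset in `DidStopLoading()`. If a start can ever arrive without a matching stop (not visible from this hunk), a later callback could hand the embedding app a base URL that belongs to a different navigation. Assigning unconditionally closes that gap: `base_url_of_last_started_data_url_ = entry ? entry->GetBaseURLForDataURL() : GURL();`. Declaring the variable as `auto* entry` would also make it clear that the condition is a null check.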
@@ -90,6 +93,8 @@ void WebContentsObserverProxy::DidStopLoading() {
ScopedJavaLocalRef<jobject> obj(java_observer_);
std::string url_string = web_contents()->GetLastCommittedURL().spec();
SetToBaseURLForDataURLIfNeeded(&url_string);
+ // DidStopLoading is the last event we should get.
+ base_url_of_last_started_data_url_ = GURL::EmptyGURL();
ScopedJavaLocalRef<jstring> jstring_url(ConvertUTF8ToJavaString(
env, url_string));
Java_WebContentsObserverProxy_didStopLoading(env, obj.obj(),
@@ -304,8 +309,16 @@ void WebContentsObserverProxy::SetToBaseURLForDataURLIfNeeded(
NavigationEntry* entry =
web_contents()->GetController().GetLastCommittedEntry();
// Note that GetBaseURLForDataURL is only used by the Android WebView.
- if (entry && !entry->GetBaseURLForDataURL().is_empty())
+ // FIXME: Should we only return valid specs and "about:blank" for invalid
+ // ones? This may break apps.
+ if (entry && !entry->GetBaseURLForDataURL().is_empty()) {
*url = entry->GetBaseURLForDataURL().possibly_invalid_spec();
+ } else if (!base_url_of_last_started_data_url_.is_empty()) {
+ // NavigationController can lose the pending entry and recreate it without
+ // a base URL if there has been a loadUrl("javascript:...") after
+ // loadDataWithBaseUrl.
+ *url = base_url_of_last_started_data_url_.possibly_invalid_spec();
+ }
}
bool RegisterWebContentsObserverProxy(JNIEnv* env) {
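Review bot: The new `else if` branch substitutes the cached base URL whenever the last committed entry has none, without checking that `*url` is the data URL the cache was taken from. Between `DidStartLoading()` and `DidStopLoading()` the committed entry may still be the previous page, so a callback about that page could be reported to the app under the pending load's base URL; whether any caller reaches this window is not visible here. Guarding the fallback on the scheme would narrow it: `} else if (GURL(*url).SchemeIs(url::kDataScheme) && !base_url_of_last_started_data_url_.is_empty()) {`.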
diff --git a/chromium/content/browser/android/web_contents_observer_proxy.h b/chromium/content/browser/android/web_contents_observer_proxy.h
index 23464053b26..e22edbbdf84 100644
--- a/chromium/content/browser/android/web_contents_observer_proxy.h
+++ b/chromium/content/browser/android/web_contents_observer_proxy.h
@@ -83,6 +83,7 @@ class WebContentsObserverProxy : public WebContentsObserver {
bool was_ignored_by_handler);
base::android::ScopedJavaGlobalRef<jobject> java_observer_;
+ GURL base_url_of_last_started_data_url_;
DISALLOW_COPY_AND_ASSIGN(WebContentsObserverProxy);
};
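Review bot: The new member `base_url_of_last_started_data_url_` has no comment, so its lifetime can only be learned by reading the .cc file. A line above it such as `// Base URL of the pending entry seen in DidStartLoading(); reset in DidStopLoading().` would record that. The class body starts outside this hunk, so whether the header already pulls in the GURL declaration cannot be checked from here.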
diff --git a/chromium/content/browser/frame_host/navigation_controller_impl_browsertest.cc b/chromium/content/browser/frame_host/navigation_controller_impl_browsertest.cc
index 8e9a73c69ad..5ead3764296 100644
--- a/chromium/content/browser/frame_host/navigation_controller_impl_browsertest.cc
+++ b/chromium/content/browser/frame_host/navigation_controller_impl_browsertest.cc
@@ -199,6 +199,46 @@ IN_PROC_BROWSER_TEST_F(NavigationControllerBrowserTest,
}
}
+IN_PROC_BROWSER_TEST_F(NavigationControllerBrowserTest,
+ FragmentNavigateFromLoadDataWithBaseURL) {
+ const GURL base_url("http://baseurl");
+ const GURL history_url("http://historyurl");
+ const std::string data =
+ "<html><body>"
+ " <p id=\"frag\"><a id=\"fraglink\" href=\"#frag\">in-page nav</a></p>"
+ "</body></html>";
+
+ const NavigationControllerImpl& controller =
+ static_cast<const NavigationControllerImpl&>(
+ shell()->web_contents()->GetController());
+
+ // Load data and commit.
+ TestNavigationObserver same_tab_observer(shell()->web_contents(), 1);
+#if defined(OS_ANDROID)
+ shell()->LoadDataAsStringWithBaseURL(history_url, data, base_url);
+#else
+ shell()->LoadDataWithBaseURL(history_url, data, base_url);
+#endif
+ same_tab_observer.Wait();
+ EXPECT_EQ(1, controller.GetEntryCount());
+ const GURL data_url = controller.GetLastCommittedEntry()->GetURL();
+
+ // Perform a fragment navigation using a javascript: URL.
+ GURL js_url("javascript:document.location = '#frag';");
+ NavigateToURL(shell(), js_url);
+ EXPECT_EQ(2, controller.GetEntryCount());
+ NavigationEntryImpl* entry = controller.GetLastCommittedEntry();
+ // TODO(boliu): These expectations maybe incorrect due to crbug.com/561034.
+ EXPECT_TRUE(entry->GetBaseURLForDataURL().is_empty());
+ EXPECT_TRUE(entry->GetHistoryURLForDataURL().is_empty());
+ EXPECT_EQ(data_url, entry->GetVirtualURL());
+ EXPECT_EQ(data_url, entry->GetURL());
+
+ // Passes if renderer is still alive.
+ EXPECT_TRUE(
+ ExecuteScript(shell()->web_contents(), "console.log('Success');"));
+}
+
IN_PROC_BROWSER_TEST_F(NavigationControllerBrowserTest, UniqueIDs) {
const NavigationControllerImpl& controller =
static_cast<const NavigationControllerImpl&>(
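Review bot: `EXPECT_EQ(1, controller.GetEntryCount());` does not stop the test on failure, yet the next statement dereferences `GetLastCommittedEntry()`; the same pattern repeats after the `EXPECT_EQ(2, ...)` check, where `entry` is used. If the load does not commit, the entry may be null and the test would crash rather than report the failed expectation. Using `ASSERT_EQ(1, controller.GetEntryCount());` and `ASSERT_EQ(2, controller.GetEntryCount());` keeps the failure readable. The trailing context lines belong to the next test, whose body continues outside the hunk.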
diff --git a/chromium/content/browser/frame_host/navigator_impl.cc b/chromium/content/browser/frame_host/navigator_impl.cc
index ea89de66283..2acedd76a19 100644
--- a/chromium/content/browser/frame_host/navigator_impl.cc
+++ b/chromium/content/browser/frame_host/navigator_impl.cc
@@ -438,6 +438,19 @@ void NavigatorImpl::DidNavigate(
bool is_navigation_within_page = controller_->IsURLInPageNavigation(
params.url, params.was_within_same_page, render_frame_host);
+
+ // If a frame claims it navigated within page, it must be the current frame,
+ // not a pending one.
+ if (is_navigation_within_page &&
+ render_frame_host !=
+ render_frame_host->frame_tree_node()
+ ->render_manager()
+ ->current_frame_host()) {
+ bad_message::ReceivedBadMessage(render_frame_host->GetProcess(),
+ bad_message::NC_IN_PAGE_NAVIGATION);
+ is_navigation_within_page = false;
+ }
+
if (ui::PageTransitionIsMainFrame(params.transition)) {
if (delegate_) {
// When overscroll navigation gesture is enabled, a screenshot of the page
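Review bot: After `bad_message::ReceivedBadMessage(...)` the function keeps processing the commit from the renderer it has just flagged, with only `is_navigation_within_page` forced to false. Nothing in the hunk says why continuing is preferred over returning, and the rest of `DidNavigate` lies outside the hunk, so a reader cannot tell which later steps still rely on renderer-supplied `params`. If continuing is intended, a why-comment would settle it, for example `// Keep processing as a cross-document commit so browser-side state stays consistent until the process is torn down.`; otherwise an early `return;` after the report is the safer shape.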
diff --git a/chromium/content/browser/frame_host/navigator_impl_unittest.cc b/chromium/content/browser/frame_host/navigator_impl_unittest.cc
index efb85766a81..28cce0799b7 100644
--- a/chromium/content/browser/frame_host/navigator_impl_unittest.cc
+++ b/chromium/content/browser/frame_host/navigator_impl_unittest.cc
@@ -1146,4 +1146,34 @@ TEST_F(NavigatorTestWithBrowserSideNavigation,
}
}
+namespace {
+void SetWithinPage(const GURL& url,
+ FrameHostMsg_DidCommitProvisionalLoad_Params* params) {
+ params->was_within_same_page = true;
+ params->url = url;
+}
+}
+
+// A renderer process might try and claim that a cross site navigation was
+// within the same page by setting was_within_same_page = true for
+// FrameHostMsg_DidCommitProvisionalLoad. Such case should be detected on the
+// browser side and the renderer process should be killed.
+TEST_F(NavigatorTestWithBrowserSideNavigation, CrossSiteClaimWithinPage) {
+ const GURL kUrl1("http://www.chromium.org/");
+ const GURL kUrl2("http://www.google.com/");
+
+ contents()->NavigateAndCommit(kUrl1);
+ FrameTreeNode* node = main_test_rfh()->frame_tree_node();
+
+ // Navigate to a different site.
+ int entry_id = RequestNavigation(node, kUrl2);
+ main_test_rfh()->PrepareForCommit();
+
+ // Claim that the navigation was within same page.
+ int bad_msg_count = process()->bad_msg_count();
+ GetSpeculativeRenderFrameHost(node)->SendNavigateWithModificationCallback(
+ 0, entry_id, true, kUrl2, base::Bind(SetWithinPage, kUrl1));
+ EXPECT_EQ(process()->bad_msg_count(), bad_msg_count + 1);
+}
+
} // namespace content
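Review bot: The test pins only the bad-message counter, so it would still pass if the browser counted the violation and then went on to treat the commit as in-page. The resulting navigation state after the spoofed `was_within_same_page` claim is never asserted. Until such a check is added, a comment next to the final expectation would make the limit explicit: `// Only the kill is verified here; the resulting navigation state is not asserted.` The helper `SetWithinPage` also has no comment, and its anonymous namespace would read better closed as `}  // namespace`.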
diff --git a/chromium/content/browser/frame_host/render_widget_host_view_guest.cc b/chromium/content/browser/frame_host/render_widget_host_view_guest.cc
index 6d4a1811c5b..9240afb45a9 100644
--- a/chromium/content/browser/frame_host/render_widget_host_view_guest.cc
+++ b/chromium/content/browser/frame_host/render_widget_host_view_guest.cc
@@ -234,12 +234,6 @@ void RenderWidgetHostViewGuest::SetTooltipText(
void RenderWidgetHostViewGuest::OnSwapCompositorFrame(
uint32_t output_surface_id,
scoped_ptr<cc::CompositorFrame> frame) {
- if (!guest_ || !guest_->attached()) {
- // We shouldn't hang on to a surface while we are detached.
- ClearCompositorSurfaceIfNecessary();
- return;
- }
-
last_scroll_offset_ = frame->metadata.root_scroll_offset;
// When not using surfaces, the frame just gets proxied to
// the embedder's renderer to be composited.
@@ -298,6 +292,11 @@ void RenderWidgetHostViewGuest::OnSwapCompositorFrame(
DCHECK(ack_pending_count_ < 1000);
surface_factory_->SubmitCompositorFrame(surface_id_, std::move(frame),
ack_callback);
+ // If after detaching we are sent a frame, we should finish processing it, and
+ // then we should clear the surface so that we are not holding resources we
+ // no longer need.
+ if (!guest_ || !guest_->attached())
+ ClearCompositorSurfaceIfNecessary();
}
bool RenderWidgetHostViewGuest::OnMessageReceived(const IPC::Message& msg) {
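Review bot: With the early return removed, the whole body of `OnSwapCompositorFrame` now runs for a detached or null `guest_`, and the added `!guest_` test at the end shows that null is considered possible. The code between the two hunks is not visible, but the context comment says the non-surface path proxies the frame to the embedder's renderer, which presumably goes through `guest_`; any such use needs its own guard, e.g. `if (!guest_) return;` before the first dereference. If that path returns early, it also skips the new `ClearCompositorSurfaceIfNecessary()` call, so the surface would not be released there. Both points need confirming against the full function.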
diff --git a/chromium/content/renderer/media/media_stream_audio_processor.cc b/chromium/content/renderer/media/media_stream_audio_processor.cc
index 1deb1e42753..79988e22e84 100644
--- a/chromium/content/renderer/media/media_stream_audio_processor.cc
+++ b/chromium/content/renderer/media/media_stream_audio_processor.cc
@@ -102,15 +102,8 @@ void RecordProcessingState(AudioTrackProcessingStates state) {
}
bool IsDelayAgnosticAecEnabled() {
- // Note: It's important to query the field trial state first, to ensure that
- // UMA reports the correct group.
- const std::string group_name =
- base::FieldTrialList::FindFullName("UseDelayAgnosticAEC");
base::CommandLine* command_line = base::CommandLine::ForCurrentProcess();
- if (command_line->HasSwitch(switches::kDisableDelayAgnosticAec))
- return false;
-
- return (group_name == "Enabled" || group_name == "DefaultEnabled");
+ return !command_line->HasSwitch(switches::kDisableDelayAgnosticAec);
}
// Checks if the default minimum starting volume value for the AGC is overridden
diff --git a/chromium/content/renderer/render_frame_impl.cc b/chromium/content/renderer/render_frame_impl.cc
index 592cd085d2a..7aeebd2bb30 100644
--- a/chromium/content/renderer/render_frame_impl.cc
+++ b/chromium/content/renderer/render_frame_impl.cc
@@ -2872,7 +2872,7 @@ void RenderFrameImpl::didCreateDataSource(blink::WebLocalFrame* frame,
// The rest of RenderView assumes that a WebDataSource will always have a
// non-null NavigationState.
- UpdateNavigationState(document_state);
+ UpdateNavigationState(document_state, false /* was_within_same_page */);
// DocumentState::referred_by_prefetcher_ is true if we are
// navigating from a page that used prefetching using a link on that
@@ -3442,7 +3442,7 @@ void RenderFrameImpl::didNavigateWithinPage(blink::WebLocalFrame* frame,
// UpdateNavigationState conveniently takes care of this for us.
DocumentState* document_state =
DocumentState::FromDataSource(frame->dataSource());
- UpdateNavigationState(document_state);
+ UpdateNavigationState(document_state, true /* was_within_same_page */);
static_cast<NavigationStateImpl*>(document_state->navigation_state())
->set_was_within_same_page(true);
@@ -5598,7 +5598,8 @@ NavigationState* RenderFrameImpl::CreateNavigationStateFromPending() {
return NavigationStateImpl::CreateContentInitiated();
}
-void RenderFrameImpl::UpdateNavigationState(DocumentState* document_state) {
+void RenderFrameImpl::UpdateNavigationState(DocumentState* document_state,
+ bool was_within_same_page) {
if (pending_navigation_params_) {
// If this is a browser-initiated load that doesn't override
// navigation_start, set it here.
@@ -5610,12 +5611,17 @@ void RenderFrameImpl::UpdateNavigationState(DocumentState* document_state) {
const CommonNavigationParams& common_params =
pending_navigation_params_->common_params;
- bool load_data = !common_params.base_url_for_data_url.is_empty() &&
- !common_params.history_url_for_data_url.is_empty() &&
- common_params.url.SchemeIs(url::kDataScheme);
- document_state->set_was_load_data_with_base_url_request(load_data);
- if (load_data)
- document_state->set_data_url(common_params.url);
+ // The |set_was_load_data_with_base_url_request| state should not change for
+ // an in-page navigation, so skip updating it from the in-page navigation
+ // params in this case.
+ if (!was_within_same_page) {
+ bool load_data = !common_params.base_url_for_data_url.is_empty() &&
+ !common_params.history_url_for_data_url.is_empty() &&
+ common_params.url.SchemeIs(url::kDataScheme);
+ document_state->set_was_load_data_with_base_url_request(load_data);
+ if (load_data)
+ document_state->set_data_url(common_params.url);
+ }
pending_navigation_params_.reset();
} else {
diff --git a/chromium/content/renderer/render_frame_impl.h b/chromium/content/renderer/render_frame_impl.h
index 72fd2a752d2..923af0849a4 100644
--- a/chromium/content/renderer/render_frame_impl.h
+++ b/chromium/content/renderer/render_frame_impl.h
@@ -908,7 +908,8 @@ class CONTENT_EXPORT RenderFrameImpl
// Sets the NavigationState on the DocumentState based on
// the value of |pending_navigation_params_|.
- void UpdateNavigationState(DocumentState* document_state);
+ void UpdateNavigationState(DocumentState* document_state,
+ bool was_within_same_page);
#if defined(OS_ANDROID)
blink::WebMediaPlayer* CreateAndroidWebMediaPlayer(
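Review bot: The doc comment above `UpdateNavigationState` still mentions only `|pending_navigation_params_|` and says nothing about the new `was_within_same_page` parameter. Suggested addition: `// When |was_within_same_page| is true, the load-data-with-base-URL state on |document_state| is left untouched.` This matches the guard added in render_frame_impl.cc, which skips both `set_was_load_data_with_base_url_request` and `set_data_url` for in-page navigations. The class body extends outside this hunk.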