Cherrypick "Allow universal access from file if flag is set and url is file scheme."

Fixes a crash when WebView apps which have enabled
WebSettings.setAllowUniversalFileAccessFromFiles(true) try to call JS
history functions with URLs that are from a non-file:// origin, which is
used by some Cordova apps.

> BUG=449075
> TEST=content_unittests --gtest_filter=NavigationControllerTest.IsInPageNavigation
>
> Review URL: https://codereview.chromium.org/855883002
>
> Cr-Commit-Position: refs/heads/master@{#313051}

Bug: 19173646

2 files changed, 31 insertions, 3 deletions

diff --git a/content/browser/frame_host/navigation_controller_impl.cc b/content/browser/frame_host/navigation_controller_impl.cc
index 4be5a3ce4a..3f13f31df2 100644
--- a/content/browser/frame_host/navigation_controller_impl.cc
+++ b/content/browser/frame_host/navigation_controller_impl.cc
@@ -129,7 +129,9 @@ bool AreURLsInPageNavigation(const GURL& existing_url,
                         // for now.
                         existing_url == GURL(url::kAboutBlankURL) ||
                         existing_url.GetOrigin() == new_url.GetOrigin() ||
-                        !prefs.web_security_enabled;
+                        !prefs.web_security_enabled ||
+                        (prefs.allow_universal_access_from_file_urls &&
+                         existing_url.SchemeIs(url::kFileScheme));
   if (!is_same_origin && renderer_says_in_page)
       rfh->GetProcess()->ReceivedBadMessage();
   return is_same_origin && renderer_says_in_page;
diff --git a/content/browser/frame_host/navigation_controller_impl_unittest.cc b/content/browser/frame_host/navigation_controller_impl_unittest.cc
index 8961f43f47..1198920422 100644
--- a/content/browser/frame_host/navigation_controller_impl_unittest.cc
+++ b/content/browser/frame_host/navigation_controller_impl_unittest.cc
@@ -3138,15 +3138,41 @@ TEST_F(NavigationControllerTest, IsInPageNavigation) {
   EXPECT_TRUE(controller.IsURLInPageNavigation(other_url, true,
       main_test_rfh()));
 
-  // Don't believe the renderer if it claims a cross-origin navigation is
-  // in-page.
+  // Test allow_universal_access_from_file_urls flag.
   const GURL different_origin_url("http://www.example.com");
   MockRenderProcessHost* rph =
       static_cast<MockRenderProcessHost*>(main_test_rfh()->GetProcess());
+  WebPreferences prefs = test_rvh()->GetWebkitPreferences();
+  prefs.allow_universal_access_from_file_urls = true;
+  test_rvh()->UpdateWebkitPreferences(prefs);
+  prefs = test_rvh()->GetWebkitPreferences();
+  EXPECT_TRUE(prefs.allow_universal_access_from_file_urls);
+  // Allow in page navigation if existing URL is file scheme.
+  const GURL file_url("file:///foo/index.html");
+  main_test_rfh()->SendNavigate(0, file_url);
+  EXPECT_EQ(0, rph->bad_msg_count());
+  EXPECT_TRUE(controller.IsURLInPageNavigation(different_origin_url, true,
+      main_test_rfh()));
   EXPECT_EQ(0, rph->bad_msg_count());
+  // Don't honor allow_universal_access_from_file_urls if existing URL is
+  // not file scheme.
+  main_test_rfh()->SendNavigate(0, url);
   EXPECT_FALSE(controller.IsURLInPageNavigation(different_origin_url, true,
       main_test_rfh()));
   EXPECT_EQ(1, rph->bad_msg_count());
+
+  // Remove allow_universal_access_from_file_urls flag.
+  prefs.allow_universal_access_from_file_urls = false;
+  test_rvh()->UpdateWebkitPreferences(prefs);
+  prefs = test_rvh()->GetWebkitPreferences();
+  EXPECT_FALSE(prefs.allow_universal_access_from_file_urls);
+
+  // Don't believe the renderer if it claims a cross-origin navigation is
+  // in-page.
+  EXPECT_EQ(1, rph->bad_msg_count());
+  EXPECT_FALSE(controller.IsURLInPageNavigation(different_origin_url, true,
+      main_test_rfh()));
+  EXPECT_EQ(2, rph->bad_msg_count());
 }
 
 // Some pages can have subframes with the same base URL (minus the reference) as