Issue 594215  was meant to disallow top-frame navigation to data URLs. It's possible we can't do that on iOS since we don't control WKWebView.

+meacer, +euegenebut, can you follow up here? Marking as low severity for now since we allowed data URLs for a long time before getting rid of them.

Blocking data:// URLs should be doable on iOS. Mustafa, could you please confirm that we should block all data:// URL responses, unless the navigation's transition type is PAGE_TRANSITION_TYPED or the load will result in Download Manager presentation.

Thanks!

The logic to check whether to block on non-iOS platforms uses is_browser_initiated bit on the navigation. Is that available on iOS?

If not, PAGE_TRANSITION_TYPED + Download Manager sounds like a good approximation to me but you might want to check with navigation folks as well.

Thanks Mustafa! Do you know which content API we use for checking is_browser_initiated bit? 

Sorry, it's IsRendererInitiated, not browser :) It's in NavigationHandle: https://cs.chromium.org/chromium/src/content/browser/frame_host/blocked_scheme_navigation_throttle.cc?rcl=49993008676b4624600f439cbb91eb4fbc8b15b3&l=57

(Note that we also have a blink side check to determine if the data URL's mime type is going to be rendered or downloaded: https://cs.chromium.org/chromium/src/third_party/blink/renderer/core/loader/frame_loader.cc?rcl=49993008676b4624600f439cbb91eb4fbc8b15b3&l=702. This kicks in for things like <a href="data:...">)

Thanks! iOS has NavigationContext::IsRendererInitiated, which is the same flag as NavigationHandle::IsRendererInitiated().

Could you please clarify what should be done with renderer-initiated downloads. Block or Allow?

Downloads should always be fine whether renderer or browser initiated (the blocking is only concerned about rendering the data URL inside a tab).

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/23263d5acb19cb17be4548a7bfd80135f098f064

commit 23263d5acb19cb17be4548a7bfd80135f098f064
Author: Eugene But <eugenebut@google.com>
Date: Tue Oct 09 00:25:52 2018

Block rendering data URLs for renderer-initiated main frame navigations.

This increased the complexity for already complex method, so there
will be follow up CL with refactoring.

testWindowOpenWithAboutNewTabScript test was removed as invalid.

Bug:  890558 
Cq-Include-Trybots: luci.chromium.try:ios-simulator-cronet;luci.chromium.try:ios-simulator-full-configs
Change-Id: I41d9ef0b1fee7551e358cc3f651776a4cb7f8b7e
Reviewed-on: https://chromium-review.googlesource.com/c/1266607
Reviewed-by: Mohammad Refaat <mrefaat@chromium.org>
Commit-Queue: Eugene But <eugenebut@chromium.org>
Cr-Commit-Position: refs/heads/master@{#597751}
[modify] https://crrev.com/23263d5acb19cb17be4548a7bfd80135f098f064/ios/chrome/browser/web/window_open_by_dom_egtest.mm
[modify] https://crrev.com/23263d5acb19cb17be4548a7bfd80135f098f064/ios/testing/data/http_server_files/window_open.html
[modify] https://crrev.com/23263d5acb19cb17be4548a7bfd80135f098f064/ios/web/web_state/ui/crw_web_controller.mm
[modify] https://crrev.com/23263d5acb19cb17be4548a7bfd80135f098f064/ios/web/web_state/ui/crw_web_controller_unittest.mm

*** Boilerplate reminders! ***
Please do NOT publicly disclose details until a fix has been released to all our users. Early public disclosure may cancel the provisional reward. Also, please be considerate about disclosure when the bug affects a core library that may be used by other products. Please do NOT share this information with third parties who are not directly involved in fixing the bug. Doing so may cancel the provisional reward. Please be honest if you have already disclosed anything publicly or to third parties. Lastly, we understand that some of you are not interested in money. We offer the option to donate your reward to an eligible charity. If you prefer this option, let us know and we will also match your donation - subject to our discretion. Any rewards that are unclaimed after 12 months will be donated to a charity of our choosing.
*********************************

Hi pickrrya@ - thanks for the report - the VRP panel decided to award $500. Cheers!

A member of our finance team will be in touch to arrange payment. Also, how would you like to be credited in our release notes?

Awesome, thanks! Please credit "Ryan Pickren (ryanpickren.com)"

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot