Add WebUI allowlist for Alloy-style browsers (fixes #3763)

include/cef_api_hash.h

@@ -42,13 +42,13 @@
 // way that may cause binary incompatibility with other builds. The universal
 // hash value will change if any platform is affected whereas the platform hash
 // values will change only if that particular platform is affected.
-#define CEF_API_HASH_UNIVERSAL "bb414cc95e84099084c9476c468846e483ef7a0f"
+#define CEF_API_HASH_UNIVERSAL "3c4bef13c1801f001305b1bc3af84039b2426943"
 #if defined(OS_WIN)
-#define CEF_API_HASH_PLATFORM "1a921f6a2c91bc5369afce001c37645ef726e804"
+#define CEF_API_HASH_PLATFORM "10e56374e7d422b45eec31ae5d2aa7ef5288621c"
 #elif defined(OS_MAC)
-#define CEF_API_HASH_PLATFORM "8c96e8a60224dc40ec40067b6a515af79dd47f8f"
+#define CEF_API_HASH_PLATFORM "ae9f14019f456db6ad8059f17d1dfd484d4a08d7"
 #elif defined(OS_LINUX)
-#define CEF_API_HASH_PLATFORM "693e114620a780000fbb7334537145caed271c66"
+#define CEF_API_HASH_PLATFORM "84dcdea90daf46d0ba611b1d0f3e42666fb3382d"
 #endif
 
 #ifdef __cplusplus

include/internal/cef_types.h

@@ -491,7 +491,7 @@ typedef struct _cef_settings_t {
   ///
   /// Specify whether signal handlers must be disabled on POSIX systems.
   ///
-  bool disable_signal_handlers;
+  int disable_signal_handlers;
 #endif
 } cef_settings_t;
 

libcef/browser/alloy/alloy_browser_host_impl.cc

@@ -33,6 +33,7 @@
 #include "cef/libcef/common/values_impl.h"
 #include "chrome/browser/file_select_helper.h"
 #include "chrome/browser/picture_in_picture/picture_in_picture_window_manager.h"
+#include "chrome/common/webui_url_constants.h"
 #include "components/input/native_web_keyboard_event.h"
 #include "components/zoom/page_zoom.h"
 #include "content/browser/gpu/compositor_util.h"
@@ -57,6 +58,47 @@ namespace {
 
 static constexpr base::TimeDelta kRecentlyAudibleTimeout = base::Seconds(2);
 
+// List of WebUI hosts that have been tested to work in Alloy-style browsers.
+// Do not add new hosts to this list without also manually testing all related
+// functionality in CEF.
+const char* kAllowedWebUIHosts[] = {
+    chrome::kChromeUIAccessibilityHost,
+    content::kChromeUIBlobInternalsHost,
+    chrome::kChromeUIChromeURLsHost,
+    chrome::kChromeUICreditsHost,
+    content::kChromeUIGpuHost,
+    content::kChromeUIHistogramHost,
+    content::kChromeUIIndexedDBInternalsHost,
+    chrome::kChromeUILicenseHost,
+    content::kChromeUIMediaInternalsHost,
+    chrome::kChromeUINetExportHost,
+    chrome::kChromeUINetInternalsHost,
+    content::kChromeUINetworkErrorHost,
+    content::kChromeUINetworkErrorsListingHost,
+    chrome::kChromeUIPrintHost,
+    content::kChromeUIProcessInternalsHost,
+    content::kChromeUIResourcesHost,
+#if BUILDFLAG(IS_WIN) || BUILDFLAG(IS_LINUX)
+    chrome::kChromeUISandboxHost,
+#endif
+    content::kChromeUIServiceWorkerInternalsHost,
+    chrome::kChromeUISystemInfoHost,
+    chrome::kChromeUITermsHost,
+    chrome::kChromeUIThemeHost,
+    content::kChromeUITracingHost,
+    chrome::kChromeUIVersionHost,
+    content::kChromeUIWebRTCInternalsHost,
+};
+
+bool IsAllowedWebUIHost(const std::string_view& host) {
+  for (auto& allowed_host : kAllowedWebUIHosts) {
+    if (base::EqualsCaseInsensitiveASCII(allowed_host, host)) {
+      return true;
+    }
+  }
+  return false;
+}
+
 }  // namespace
 
 // AlloyBrowserHostImpl static methods.
@@ -567,8 +609,8 @@ bool AlloyBrowserHostImpl::MaybeAllowNavigation(
     // The PDF viewer will load the PDF extension in the guest view, and print
     // preview will load chrome://print in the guest view. The PDF renderer
     // used with PdfUnseasoned will set |params.is_pdf| when loading the PDF
-    // stream (see PdfNavigationThrottle::WillStartRequest). All other
-    // navigations are passed to the owner browser.
+    // stream (see PdfNavigationThrottle::WillStartRequest). All other guest
+    // view navigations are passed to the owner browser.
     CEF_POST_TASK(CEF_UIT,
                   base::BindOnce(
                       base::IgnoreResult(&AlloyBrowserHostImpl::OpenURLFromTab),
@@ -577,6 +619,14 @@ bool AlloyBrowserHostImpl::MaybeAllowNavigation(
     return false;
   }
 
+  if (!is_guest_view && params.url.SchemeIs(content::kChromeUIScheme) &&
+      !IsAllowedWebUIHost(params.url.host_piece())) {
+    // Block navigation to non-allowlisted WebUI pages.
+    LOG(WARNING) << "Navigation to " << params.url.spec()
+                 << " is blocked in Alloy-style browser.";
+    return false;
+  }
+
   return true;
 }
 

tests/cefclient/browser/client_handler_osr.h

@@ -145,7 +145,7 @@ class ClientHandlerOsr : public ClientHandler,
  private:
   // Used to determine the object type.
   virtual const void* GetTypeKey() const override { return &kTypeKey; }
-  static const int kTypeKey = 0;
+  static constexpr int kTypeKey = 0;
 
   // Only accessed on the UI thread.
   OsrDelegate* osr_delegate_;

tests/cefclient/browser/client_handler_std.h

@@ -25,7 +25,7 @@ class ClientHandlerStd : public ClientHandler {
  private:
   // Used to determine the object type.
   virtual const void* GetTypeKey() const override { return &kTypeKey; }
-  static const int kTypeKey = 0;
+  static constexpr int kTypeKey = 0;
 
   // Include the default reference counting implementation.
   IMPLEMENT_REFCOUNTING(ClientHandlerStd);

tests/cefclient/browser/default_client_handler.h

@@ -24,7 +24,7 @@ class DefaultClientHandler : public BaseClientHandler {
  private:
   // Used to determine the object type.
   virtual const void* GetTypeKey() const override { return &kTypeKey; }
-  static const int kTypeKey = 0;
+  static constexpr int kTypeKey = 0;
 
   IMPLEMENT_REFCOUNTING(DefaultClientHandler);
   DISALLOW_COPY_AND_ASSIGN(DefaultClientHandler);