Validate the Origin HTTP header in the browser process.

content/public/browser/content_browser_client.h

Index: content/public/browser/content_browser_client.h
diff --git a/content/public/browser/content_browser_client.h b/content/public/browser/content_browser_client.h
index b9c0f419c5d3e2528301a7f8c637c8aa93bfb551..7f1dd208493ab25fc480045c50b14561daeffb77 100644
--- a/content/public/browser/content_browser_client.h
+++ b/content/public/browser/content_browser_client.h
@@ -217,8 +217,17 @@ class CONTENT_EXPORT ContentBrowserClient {
   // more conservative check than IsSuitableHost, since it is used after a
   // navigation has committed to ensure that the process did not exceed its
   // authority.
+  // This is called on the UI thread.
   virtual bool CanCommitURL(RenderProcessHost* process_host, const GURL& url);
 
+  // Returns true if no URL within |origin| is allowed to commit in the given
+  // process.  Must return false if there exists at least one URL in |origin|
+  // that is allowed to commit.
+  // This is called on the IO thread.
+  virtual bool IsIllegalOrigin(ResourceContext* resource_context,
+                               int child_process_id,
+                               const GURL& origin);

[nasko, 2015/08/14 22:14:43]

Shouldn't we be using url::Origin if this is really an origin?

[Charlie Reis, 2015/08/14 23:23:32]

I debated that, but the value starts as a string (from the HTTP header) and gets
consumed as a GURL (in GetExtensionOrAppByURL).  We would end up with several
non-trivial conversions: string -> GURL -> url::Origin -> GURL.

It may make sense to revisit this as url::Origin gets more widely used, but we
may just want to leave it for now.

[nasko, 2015/08/14 23:36:41]

Acknowledged.

+
   // Returns whether a URL should be allowed to open from a specific context.
   // This also applies in cases where the new URL will open in another process.
   virtual bool ShouldAllowOpenURL(SiteInstance* site_instance, const GURL& url);