Make extensions use a correct same-origin check.

extensions/browser/guest_view/extension_view/extension_view_guest.cc

 // Copyright 2015 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "extensions/browser/guest_view/extension_view/extension_view_guest.h"
 
 #include <utility>
 
 #include "components/crx_file/id_util.h"
 #include "components/guest_view/browser/guest_view_event.h"
 #include "content/public/browser/render_process_host.h"
 #include "content/public/common/result_codes.h"
 #include "extensions/browser/api/extensions_api_client.h"
 #include "extensions/browser/bad_message.h"
 #include "extensions/browser/guest_view/extension_view/extension_view_constants.h"
 #include "extensions/browser/guest_view/extension_view/whitelist/extension_view_whitelist.h"
 #include "extensions/common/constants.h"
 #include "extensions/common/extension_messages.h"
 #include "extensions/strings/grit/extensions_strings.h"
+#include "url/origin.h"
 
 using content::WebContents;
 using guest_view::GuestViewBase;
 using guest_view::GuestViewEvent;
 using namespace extensions::api;
 
 namespace extensions {
 
 // static
 const char ExtensionViewGuest::Type[] = "extensionview";
 
 ExtensionViewGuest::ExtensionViewGuest(WebContents* owner_web_contents)
     : GuestView<ExtensionViewGuest>(owner_web_contents) {}
 
 ExtensionViewGuest::~ExtensionViewGuest() {
 }
 
 // static
 GuestViewBase* ExtensionViewGuest::Create(WebContents* owner_web_contents) {
   return new ExtensionViewGuest(owner_web_contents);
 }
 
 bool ExtensionViewGuest::NavigateGuest(const std::string& src,
                                        bool force_navigation) {
   GURL url = extension_url_.Resolve(src);
 
   // If the URL is not valid, about:blank, or the same origin as the extension,
   // then navigate to about:blank.
-  bool url_not_allowed = (url != GURL(url::kAboutBlankURL)) &&
-      (url.GetOrigin() != extension_url_.GetOrigin());
+  bool url_not_allowed = url != GURL(url::kAboutBlankURL) &&
+                         !url::IsSameOriginWith(url, extension_url_);
   if (!url.is_valid() || url_not_allowed)
     return NavigateGuest(url::kAboutBlankURL, true /* force_navigation */);
 
   if (!force_navigation && (url_ == url))
     return false;
 
   web_contents()->GetRenderProcessHost()->FilterURL(false, &url);
   web_contents()->GetController().LoadURL(url, content::Referrer(),
                                           ui::PAGE_TRANSITION_AUTO_TOPLEVEL,
                                           std::string());
@@ skipping 68 matching lines @@
 
   scoped_ptr<base::DictionaryValue> args(new base::DictionaryValue());
   args->SetString(guest_view::kUrl, url_.spec());
   DispatchEventToView(make_scoped_ptr(
       new GuestViewEvent(extensionview::kEventLoadCommit, std::move(args))));
 }
 
 void ExtensionViewGuest::DidNavigateMainFrame(
     const content::LoadCommittedDetails& details,
     const content::FrameNavigateParams& params) {
-  if (attached() && (params.url.GetOrigin() != url_.GetOrigin())) {
+  if (attached() && !url::IsSameOriginWith(params.url, url_)) {
     bad_message::ReceivedBadMessage(web_contents()->GetRenderProcessHost(),
                                     bad_message::EVG_BAD_ORIGIN);
   }
 }
 
 void ExtensionViewGuest::ApplyAttributes(const base::DictionaryValue& params) {
   std::string src;
   params.GetString(extensionview::kAttributeSrc, &src);
   NavigateGuest(src, false /* force_navigation */);
 }
 
 }  // namespace extensions