Make extensions use a correct same-origin check.

extensions/browser/api/web_request/web_request_permissions.cc

Index: extensions/browser/api/web_request/web_request_permissions.cc
diff --git a/extensions/browser/api/web_request/web_request_permissions.cc b/extensions/browser/api/web_request/web_request_permissions.cc
index fd73304e17ace4cc22c45edd7cf531d7f07b6589..eed1b26fd85c596befbfba1239e9afdbf71a7189 100644
--- a/extensions/browser/api/web_request/web_request_permissions.cc
+++ b/extensions/browser/api/web_request/web_request_permissions.cc
@@ -15,6 +15,7 @@
 #include "extensions/common/permissions/permissions_data.h"
 #include "net/url_request/url_request.h"
 #include "url/gurl.h"
+#include "url/origin.h"
 
 using content::ResourceRequestInfo;
 
@@ -130,7 +131,8 @@ bool WebRequestPermissions::CanExtensionAccessURL(
       // anyway.
       if (!((url.SchemeIs(url::kAboutScheme) ||
              extension->permissions_data()->HasHostPermission(url) ||
-             url.GetOrigin() == extension->url()))) {
+             url::Origin(url).IsSameOriginWith(
+                 url::Origin(extension->url()))))) {

[meacer, 2016/02/02 01:35:08]

While you are at it, do you mind applying De Morgan's law here? This seems a bit
easier to reason about:

if (url.SchemeIs(url::kAboutScheme) &&
    !extension->permissions_data()->HasHostPermission(url) &&
    !url::Origin(url).IsSameOriginWith(url::Origin(extension->url()) {
  return false;
}

[palmer, 2016/02/02 23:12:38]

Good idea. But, it should be

    !url.SchemeIs(url::kAboutScheme)

, right?

[meacer, 2016/02/02 23:27:22]

Sure :)

         return false;
       }
       break;