Disallow use of Web Bluetooth from cross-origin iframes.

content/browser/bluetooth/bluetooth_dispatcher_host.cc

Index: content/browser/bluetooth/bluetooth_dispatcher_host.cc
diff --git a/content/browser/bluetooth/bluetooth_dispatcher_host.cc b/content/browser/bluetooth/bluetooth_dispatcher_host.cc
index c7a2dd3c5d1d75e97a7c619156e51d6fee24e341..23718c9339296dd858a2b3304680ccb6f3053c06 100644
--- a/content/browser/bluetooth/bluetooth_dispatcher_host.cc
+++ b/content/browser/bluetooth/bluetooth_dispatcher_host.cc
@@ -1137,13 +1137,18 @@ void BluetoothDispatcherHost::OnRequestDeviceImpl(
   const url::Origin embedding_origin =
       web_contents->GetMainFrame()->GetLastCommittedOrigin();
 
-  if (requesting_origin.unique()) {
-    VLOG(1) << "Request device with unique origin.";
+  // TODO(crbug.com/518042): Enforce correctly-delegated permissions instead of
+  // matching origins. When relaxing this, take care to handle non-sandboxed
+  // unique origins.
+  if (!embedding_origin.IsSameOriginWith(requesting_origin)) {
     Send(new BluetoothMsg_RequestDeviceError(
         thread_id, request_id,
-        WebBluetoothError::REQUEST_DEVICE_WITH_UNIQUE_ORIGIN));
+        WebBluetoothError::REQUEST_DEVICE_FROM_CROSS_ORIGIN_IFRAME));
     return;
   }
+  // The above also excludes unique origins, which are not even same-origin with
+  // themselves.
+  DCHECK(!requesting_origin.unique());
 
   DCHECK(adapter_.get());