Whitelist hangouts.google.com further to allow video effects plugin access.

chrome/renderer/chrome_content_renderer_client.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "chrome/renderer/chrome_content_renderer_client.h"
 
 #include <memory>
 #include <utility>
 
 #include "base/command_line.h"
@@ skipping 910 matching lines @@
        manifest_url_path.find("photos/nacl/") == 1);
 
   std::string manifest_fs_host;
   if (manifest_url.SchemeIsFileSystem() && manifest_url.inner_url()) {
     manifest_fs_host = manifest_url.inner_url()->host();
   }
   bool is_hangouts_app =
       // Whitelisted apps must be served over secure scheme.
       app_url.SchemeIsCryptographic() && manifest_url.SchemeIsFileSystem() &&
       manifest_url.inner_url()->SchemeIsCryptographic() &&
-      (base::EndsWith(app_url_host, "talkgadget.google.com",
+      (base::EndsWith(app_url_host, "hangouts.google.com",

[tommi (sloooow) - chröme, 2016/05/16 19:51:56]

It looks like this change doesn't make a difference - is it just moving this
check up or am I missing what the change is?

[AlexZ, 2016/05/17 16:43:56]

Was just making the two lists the same. Moving to single domain check.

+                      base::CompareCase::INSENSITIVE_ASCII) ||
+       base::EndsWith(app_url_host, "talkgadget.google.com",
                       base::CompareCase::INSENSITIVE_ASCII) ||
        base::EndsWith(app_url_host, "plus.google.com",
                       base::CompareCase::INSENSITIVE_ASCII) ||
        base::EndsWith(app_url_host, "plus.sandbox.google.com",
-                      base::CompareCase::INSENSITIVE_ASCII) ||
-       base::EndsWith(app_url_host, "hangouts.google.com",
                       base::CompareCase::INSENSITIVE_ASCII)) &&
       // The manifest must be loaded from the host's FileSystem.
       (manifest_fs_host == app_url_host);
 
   bool is_whitelisted_app = is_photo_app || is_hangouts_app;
 
   bool is_invoked_by_webstore_installed_extension = false;
   bool is_extension_unrestricted = false;
   bool is_extension_force_installed = false;
 #if defined(ENABLE_EXTENSIONS)
@@ skipping 280 matching lines @@
 }
 
 bool ChromeContentRendererClient::AllowPepperMediaStreamAPI(
     const GURL& url) {
 #if !defined(OS_ANDROID)
   // Allow only the Hangouts app to use the MediaStream APIs. It's OK to check
   // the whitelist in the renderer, since we're only preventing access until
   // these APIs are public and stable.
   std::string url_host = url.host();
   if (url.SchemeIs("https") &&
-      (base::EndsWith(url_host, "talkgadget.google.com",
+      (base::EndsWith(url_host, "hangouts.google.com",

[tommi (sloooow) - chröme, 2016/05/16 19:51:56]

I guess this is the real change.  Since this looks like the same list as above
and we missed updating it before, can you extract the list out to where other
whitelists are at the top of the file, e.g.:

const char* const kPredefinedAllowedPepperMediaStreamOrigins[] = {
  "hangouts.google.com",
  "talkgadget.google.com",
  "plus.google.com",
  "plus.sandbox.google.com",
};


and then update this part and the one above to something like:

// Allow access for tests.
if (base::CommandLine::ForCurrentProcess()->HasSwitch(
        switches::kEnablePepperTesting)) {
  return true;
}

if (!url.SchemeIs("https"))  <- should we be using url::kHttpsScheme?
  return false;

if (!base::StartsWith(url.path(), "/hangouts/",
        base::CompareCase::INSENSITIVE_ASCII)) {
  return false;
}

std::string url_host = url.host();
for (const char* entry : kPredefinedAllowedPepperMediaStreamOrigins) {
  if (base::EndsWith(url_host, entry, base::CompareCase::INSENSITIVE_ASCII)
    return true;
}

return false;

[AlexZ, 2016/05/17 16:43:56]

Moving to single domain check.

+                      base::CompareCase::INSENSITIVE_ASCII) ||
+       base::EndsWith(url_host, "talkgadget.google.com",
                       base::CompareCase::INSENSITIVE_ASCII) ||
        base::EndsWith(url_host, "plus.google.com",
                       base::CompareCase::INSENSITIVE_ASCII) ||
        base::EndsWith(url_host, "plus.sandbox.google.com",
                       base::CompareCase::INSENSITIVE_ASCII)) &&
       base::StartsWith(url.path(), "/hangouts/",
                        base::CompareCase::INSENSITIVE_ASCII)) {
     return true;
   }
   // Allow access for tests.
@@ skipping 174 matching lines @@
 // chrome.system.network.getNetworkInterfaces provides the same
 // information. Also, the enforcement of sending and binding UDP is already done
 // by chrome extension permission model.
 bool ChromeContentRendererClient::ShouldEnforceWebRTCRoutingPreferences() {
 #if defined(ENABLE_EXTENSIONS)
   return !IsStandaloneExtensionProcess();
 #else
   return true;
 #endif
 }