Whitelist hangouts.google.com further to allow video effects plugin access.

chrome/renderer/chrome_content_renderer_client.cc

Index: chrome/renderer/chrome_content_renderer_client.cc
diff --git a/chrome/renderer/chrome_content_renderer_client.cc b/chrome/renderer/chrome_content_renderer_client.cc
index b70bbeb30f38116b330225195fd5cc357c2a915f..1a060323fef7a82c452f286e5b795c64f7d7e4d2 100644
--- a/chrome/renderer/chrome_content_renderer_client.cc
+++ b/chrome/renderer/chrome_content_renderer_client.cc
@@ -185,6 +185,10 @@ using extensions::Extension;
 
 namespace {
 
+#if !defined(DISABLE_NACL) || !defined(OS_ANDROID)
+const char* const kGoogleComDomainSuffix = ".google.com";

[Tom Sepez, 2016/05/17 23:23:17]

No, we really don't want to whitelist all of google.com, you'll add another host
to the comparision at line 919

[AlexZ, 2016/05/18 23:05:23]

Done.

+#endif
+
 // Whitelist PPAPI for Android Runtime for Chromium. (See crbug.com/383937)
 #if defined(ENABLE_PLUGINS)
 const char* const kPredefinedAllowedCameraDeviceOrigins[] = {
@@ -912,10 +916,8 @@ bool ChromeContentRendererClient::IsNaClAllowed(
   bool is_photo_app =
       // Whitelisted apps must be served over https.
       app_url.SchemeIsCryptographic() && manifest_url.SchemeIsCryptographic() &&
-      (base::EndsWith(app_url_host, "plus.google.com",

[Tom Sepez, 2016/05/17 23:23:17]

Pre-existing: EndsWith isn't ideal for these kinds of comparisions unless
there's a leading "." in the literal.  Otherwise, things like fooplus.google.com
would match.

[AlexZ, 2016/05/18 23:05:23]

This should actually be an equality test.

-                      base::CompareCase::INSENSITIVE_ASCII) ||
-       base::EndsWith(app_url_host, "plus.sandbox.google.com",
-                      base::CompareCase::INSENSITIVE_ASCII)) &&
+      base::EndsWith(app_url_host, kGoogleComDomainSuffix,
+                     base::CompareCase::INSENSITIVE_ASCII) &&
       manifest_url.DomainIs("ssl.gstatic.com") &&
       (manifest_url_path.find("s2/oz/nacl/") == 1 ||
        manifest_url_path.find("photos/nacl/") == 1);
@@ -928,14 +930,8 @@ bool ChromeContentRendererClient::IsNaClAllowed(
       // Whitelisted apps must be served over secure scheme.
       app_url.SchemeIsCryptographic() && manifest_url.SchemeIsFileSystem() &&
       manifest_url.inner_url()->SchemeIsCryptographic() &&
-      (base::EndsWith(app_url_host, "talkgadget.google.com",
-                      base::CompareCase::INSENSITIVE_ASCII) ||
-       base::EndsWith(app_url_host, "plus.google.com",
-                      base::CompareCase::INSENSITIVE_ASCII) ||
-       base::EndsWith(app_url_host, "plus.sandbox.google.com",
-                      base::CompareCase::INSENSITIVE_ASCII) ||
-       base::EndsWith(app_url_host, "hangouts.google.com",
-                      base::CompareCase::INSENSITIVE_ASCII)) &&
+      base::EndsWith(app_url_host, kGoogleComDomainSuffix,
+                     base::CompareCase::INSENSITIVE_ASCII) &&
       // The manifest must be loaded from the host's FileSystem.
       (manifest_fs_host == app_url_host);
 
@@ -1230,26 +1226,25 @@ ChromeContentRendererClient::OverrideSpeechSynthesizer(
 bool ChromeContentRendererClient::AllowPepperMediaStreamAPI(
     const GURL& url) {
 #if !defined(OS_ANDROID)
-  // Allow only the Hangouts app to use the MediaStream APIs. It's OK to check
-  // the whitelist in the renderer, since we're only preventing access until
-  // these APIs are public and stable.
-  std::string url_host = url.host();
-  if (url.SchemeIs("https") &&
-      (base::EndsWith(url_host, "talkgadget.google.com",
-                      base::CompareCase::INSENSITIVE_ASCII) ||
-       base::EndsWith(url_host, "plus.google.com",
-                      base::CompareCase::INSENSITIVE_ASCII) ||
-       base::EndsWith(url_host, "plus.sandbox.google.com",
-                      base::CompareCase::INSENSITIVE_ASCII)) &&
-      base::StartsWith(url.path(), "/hangouts/",
-                       base::CompareCase::INSENSITIVE_ASCII)) {
-    return true;
-  }
   // Allow access for tests.
   if (base::CommandLine::ForCurrentProcess()->HasSwitch(
           switches::kEnablePepperTesting)) {
     return true;
   }
+
+  if (!url.SchemeIs(url::kHttpsScheme) ||
+      !base::EndsWith(url.host(), kGoogleComDomainSuffix,
+                      base::CompareCase::INSENSITIVE_ASCII)) {
+    return false;
+  }
+
+  // Allow only the Hangouts app to use the MediaStream APIs. It's OK to check
+  // the whitelist in the renderer, since we're only preventing access until
+  // these APIs are public and stable.
+  if (base::StartsWith(url.path(), "/hangouts/",
+                          base::CompareCase::INSENSITIVE_ASCII)) {
+    return true;
+  }
 #endif  // !defined(OS_ANDROID)
   return false;
 }