Resource requests from Save-Page-As should go through CanRequestURL checks.

content/browser/loader/resource_dispatcher_host_impl.cc

Index: content/browser/loader/resource_dispatcher_host_impl.cc
diff --git a/content/browser/loader/resource_dispatcher_host_impl.cc b/content/browser/loader/resource_dispatcher_host_impl.cc
index d2d0bc1b9e5bfc3cb0b78e5ffbf2ac3215cc6c1a..87f1b739cf1fa9000fab97a560b773d4723aa3ec 100644
--- a/content/browser/loader/resource_dispatcher_host_impl.cc
+++ b/content/browser/loader/resource_dispatcher_host_impl.cc
@@ -1887,10 +1887,20 @@ void ResourceDispatcherHostImpl::BeginSaveFile(const GURL& url,
                         render_frame_route_id, false, context);
   extra_info->AssociateWithRequest(request.get());  // Request takes ownership.
 
-  std::unique_ptr<ResourceHandler> handler(new SaveFileResourceHandler(
+  std::unique_ptr<SaveFileResourceHandler> handler(new SaveFileResourceHandler(
       request.get(), save_item_id, save_package_id, child_id,
       render_frame_route_id, url, save_file_manager_.get()));
 
+  // Check if the renderer is permitted to request the requested URL.
+  if (!ChildProcessSecurityPolicyImpl::GetInstance()->CanRequestURL(child_id,
+                                                                    url)) {
+    DVLOG(1) << "Denying unauthorized save of " << url.possibly_invalid_spec();
+    handler->MarkAsUnauthorized();
+    // We still begin request processing below (rather than returning here),
+    // because we know MarkAsUnauthorized will cause the request to be

[mmenke, 2016/07/27 18:55:59]

nit (x2):  Avoid "we" in comments, due to ambiguity ("We the code", "We the
programmers", "We the pod people"...)

[Łukasz Anforowicz, 2016/07/27 19:16:50]

Done :-)

+    // cancelled.  See also doc comments for MarkAsUnauthorized.
+  }
+
   BeginRequestInternal(std::move(request), std::move(handler));
 }