Fix extension bindings injection for iframes

extensions/renderer/script_context_set.cc

Index: extensions/renderer/script_context_set.cc
diff --git a/extensions/renderer/script_context_set.cc b/extensions/renderer/script_context_set.cc
index adefb3838becf53f84c3e4b2443eaf9dc34a45e5..33b068c73b9afb3327f44f8d3a01092a374b0cc4 100644
--- a/extensions/renderer/script_context_set.cc
+++ b/extensions/renderer/script_context_set.cc
@@ -140,8 +140,21 @@ const Extension* ScriptContextSet::GetExtensionFromFrameAndWorld(
     // Isolated worlds (content script).
     extension_id = ScriptInjection::GetHostIdForIsolatedWorld(world_id);
   } else {
-    // Extension pages (chrome-extension:// URLs).
-    GURL frame_url = ScriptContext::GetDataSourceURLForFrame(frame);
+    // For looking up the extension associated with this frame, we either want
+    // to use the current url or possibly the data source url (which this frame
+    // may be navigating to shortly), depending on the security origin of the
+    // frame. We don't always want to use the data source url because some
+    // frames (eg iframes and windows created via window.open) briefly contain
+    // an about:blank script context that is scriptable by their parent/opener
+    // before they finish navigating.
+    GURL frame_url = GURL(frame->document().url());

[Devlin, 2016/07/21 00:44:54]

nit: prefer construction over assignment in a case like this.

[asargent_no_longer_on_chrome, 2016/07/21 18:12:22]

Done.

+    GURL data_src_url = ScriptContext::GetDataSourceURLForFrame(frame);
+    if (frame_url.is_empty() && data_src_url.is_valid() &&
+        frame->getSecurityOrigin().canAccess(
+            blink::WebSecurityOrigin::create(data_src_url))) {
+      frame_url = data_src_url;
+    }
+
     frame_url = ScriptContext::GetEffectiveDocumentURL(frame, frame_url,
                                                        use_effective_url);
     extension_id =