Fix a null-deref in Upgrade-Insecure-Request's handling of unique origins.

Fix a null-deref in Upgrade-Insecure-Request's handling of unique origins.

If a page is sandboxed into a unique origin, the current code which enforces
upgrading insecure requests will end up doing dereferencing the origin's
host. Unfortunately the origin has no host, and we end up doing a null-deref
on the StringImpl. Whoops.

This patch aligns our behavior with the spec's mandate to use the protected
resource's URL's host instead:
https://www.w3.org/TR/upgrade-insecure-requests/#delivery. It also changes
the 'isNull' check to an 'isEmpty' check to handle URLs without hosts, like
'data:'.

BUG=643084
Committed: https://crrev.com/33153e2598026b19f247a2c6ee2362124b5aea4e
Cr-Commit-Position: refs/heads/master@{#415921}

[Mike West, 2016-09-01 07:06:58]

The CQ bit was checked by mkwst@chromium.org to run a CQ dry run

[commit-bot: I haz the power, 2016-09-01 07:07:08]

Dry run: CQ is trying da patch. Follow status at
 
https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.or...

[Mike West, 2016-09-01 07:10:03]

Description was changed from

==========
Fix a null-deref in Upgrade-Insecure-Request's handling of unique origins.

If a page is sandboxed into a unique origin, the current code which enforces
upgrading insecure requests will end up doing dereferencing the origin's
host. Unfortunately the origin has no host, and we end up doing a null-deref
on the StringImpl. Whoops.

This patch aligns our behavior with the spec's mandate to use the protected
resource's URL's host instead:
https://www.w3.org/TR/upgrade-insecure-requests/#delivery. It also changes
the 'isNull' check to an 'isEmpty' check to handle URLs without hosts, like
'data:'.

BUG=642744
==========

to

==========
Fix a null-deref in Upgrade-Insecure-Request's handling of unique origins.

If a page is sandboxed into a unique origin, the current code which enforces
upgrading insecure requests will end up doing dereferencing the origin's
host. Unfortunately the origin has no host, and we end up doing a null-deref
on the StringImpl. Whoops.

This patch aligns our behavior with the spec's mandate to use the protected
resource's URL's host instead:
https://www.w3.org/TR/upgrade-insecure-requests/#delivery. It also changes
the 'isNull' check to an 'isEmpty' check to handle URLs without hosts, like
'data:'.

BUG=643084
==========

[Mike West, 2016-09-01 07:10:03]

mkwst@chromium.org changed reviewers:
+ jochen@chromium.org

[Mike West, 2016-09-01 07:10:24]

WDYT, Jochen?

FYI: elawrence@.

[Mike West, 2016-09-01 07:12:01]

The CQ bit was checked by mkwst@chromium.org to run a CQ dry run

[commit-bot: I haz the power, 2016-09-01 07:12:14]

Dry run: CQ is trying da patch. Follow status at
 
https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.or...

[jochen (gone - plz use gerrit), 2016-09-01 07:12:19]

lgtm

[commit-bot: I haz the power, 2016-09-01 08:01:48]

The CQ bit was unchecked by commit-bot@chromium.org

[commit-bot: I haz the power, 2016-09-01 08:01:49]

Dry run: Try jobs failed on following builders:
  linux_chromium_asan_rel_ng on master.tryserver.chromium.linux (JOB_FAILED,
http://build.chromium.org/p/tryserver.chromium.linux/builders/linux_chromium_...)

[Mike West, 2016-09-01 08:39:03]

The CQ bit was checked by mkwst@chromium.org

[Mike West, 2016-09-01 08:39:03]

The patchset sent to the CQ was uploaded after l-g-t-m from jochen@chromium.org
Link to the patchset: https://codereview.chromium.org/2295153004/#ps40001
(title: "Test")

[commit-bot: I haz the power, 2016-09-01 08:39:17]

CQ is trying da patch. Follow status at
 
https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.or...

[commit-bot: I haz the power, 2016-09-01 10:12:03]

Committed patchset #3 (id:40001)

[commit-bot: I haz the power, 2016-09-01 10:13:30]

Description was changed from

==========
Fix a null-deref in Upgrade-Insecure-Request's handling of unique origins.

If a page is sandboxed into a unique origin, the current code which enforces
upgrading insecure requests will end up doing dereferencing the origin's
host. Unfortunately the origin has no host, and we end up doing a null-deref
on the StringImpl. Whoops.

This patch aligns our behavior with the spec's mandate to use the protected
resource's URL's host instead:
https://www.w3.org/TR/upgrade-insecure-requests/#delivery. It also changes
the 'isNull' check to an 'isEmpty' check to handle URLs without hosts, like
'data:'.

BUG=643084
==========

to

==========
Fix a null-deref in Upgrade-Insecure-Request's handling of unique origins.

If a page is sandboxed into a unique origin, the current code which enforces
upgrading insecure requests will end up doing dereferencing the origin's
host. Unfortunately the origin has no host, and we end up doing a null-deref
on the StringImpl. Whoops.

This patch aligns our behavior with the spec's mandate to use the protected
resource's URL's host instead:
https://www.w3.org/TR/upgrade-insecure-requests/#delivery. It also changes
the 'isNull' check to an 'isEmpty' check to handle URLs without hosts, like
'data:'.

BUG=643084

Committed: https://crrev.com/33153e2598026b19f247a2c6ee2362124b5aea4e
Cr-Commit-Position: refs/heads/master@{#415921}
==========

[commit-bot: I haz the power, 2016-09-01 10:13:31]

Patchset 3 (id:??) landed as
https://crrev.com/33153e2598026b19f247a2c6ee2362124b5aea4e
Cr-Commit-Position: refs/heads/master@{#415921}