Updated suborigin serialization to latest spec proposal

content/browser/child_process_security_policy_impl.cc

Index: content/browser/child_process_security_policy_impl.cc
diff --git a/content/browser/child_process_security_policy_impl.cc b/content/browser/child_process_security_policy_impl.cc
index 652a7ac175420cba631376bba186834094a5d1f8..c9ad29687048abba29d2bba669e98cba807dc466 100644
--- a/content/browser/child_process_security_policy_impl.cc
+++ b/content/browser/child_process_security_policy_impl.cc
@@ -297,7 +297,9 @@ class ChildProcessSecurityPolicyImpl::SecurityState {
 ChildProcessSecurityPolicyImpl::ChildProcessSecurityPolicyImpl() {
   // We know about these schemes and believe them to be safe.
   RegisterWebSafeScheme(url::kHttpScheme);
+  RegisterWebSafeScheme(kHttpSuboriginScheme);

[nasko, 2016/09/19 22:20:21]

Why not put those in url:: namespace?

[jww, 2016/09/20 00:24:32]

See earlier comments from Mike. Mike prefers them as content-level definitions,
rather than in GURL, since he feels that they're a content-level concept (hence
they're defined in content/public/common/url_constants.h). This has the nice-ish
effect that users of cronet (sp?) don't have to ever see suborigins, at least
for now.

   RegisterWebSafeScheme(url::kHttpsScheme);
+  RegisterWebSafeScheme(kHttpsSuboriginScheme);

[nasko, 2016/09/19 22:20:21]

Registering these here is a bit dangerous, as it will lead us to allow
committing of suborigin URLs, which I don't think we can. Can we?

Why not register it as a PseudoScheme? I think it matches more closely the
semantics of suborigins.

[jww, 2016/09/20 00:24:32]

That is what I did initially. The trick I ran into is when the renderer requests
resources. When the resource request is made, the resource dispatcher checks the
Origin header of the request (specifically at
https://cs.chromium.org/chromium/src/content/browser/loader/resource_dispatch...)
to see if it's a "valid" origin header. However, at this point, the Origin
header, per the pec, is serialized with the suborigin, , and part of what makes
it "valid" is if CanCommitURL passes (which requires a WebSafeScheme). Thus
simple resource requests kill the renderer if they're coming from a suborigin.

So maybe this needs to change? But my intuition is that this is, in a sense,
commitable, since a renderer has this effective origin for making requests. What
do you think?

   RegisterWebSafeScheme(url::kFtpScheme);
   RegisterWebSafeScheme(url::kDataScheme);
   RegisterWebSafeScheme("feed");