Disallow navigations to blob URLs with non-canonical origins.

content/browser/child_process_security_policy_impl.cc

Index: content/browser/child_process_security_policy_impl.cc
diff --git a/content/browser/child_process_security_policy_impl.cc b/content/browser/child_process_security_policy_impl.cc
index 652a7ac175420cba631376bba186834094a5d1f8..32e2eeb8805b525a7f568a3930f52c1188fc8c64 100644
--- a/content/browser/child_process_security_policy_impl.cc
+++ b/content/browser/child_process_security_policy_impl.cc
@@ -579,6 +579,14 @@ bool ChildProcessSecurityPolicyImpl::CanRequestURL(
     return false;
   }
 
+  // https://crbug.com/646278 Valid blob URLs should contain canonically
+  // serialized origins.
+  if (url.SchemeIsBlob() &&

[Charlie Reis, 2016/09/20 16:28:55]

Sanity check: Do we have the same problem for filesystem URLs?

[ncarter (slow), 2016/09/20 17:46:55]

Potentially but the spoof doesn't directly translate; since for filesystem URLs,
GURL actually parses past the scheme.

The behavior I see is that authorities are preserved in inner URLs of filesystem
URLs, but the inner URL is parsed and canonicalized, so spaces get escaped to
%20. We probably should not allow authorities inside of filesystem URLs, but it
may be a spec question.

[Charlie Reis, 2016/09/20 23:19:06]

Acknowledged.

+      !base::StartsWith(url.GetContent(), url::Origin(url).Serialize() + "/",
+                        base::CompareCase::INSENSITIVE_ASCII)) {
+    return false;
+  }
+
   // If the process can commit the URL, it can request it.
   if (CanCommitURL(child_id, url))
     return true;