Lock down the registration of blob:chrome-extension:// URLs

chrome/browser/browser_process_impl.cc

Index: chrome/browser/browser_process_impl.cc
diff --git a/chrome/browser/browser_process_impl.cc b/chrome/browser/browser_process_impl.cc
index 3d002dad6f012a3bcbe1518e242a79e8630b9a7b..85469f8422b1e858518611728d995e722ee6c320 100644
--- a/chrome/browser/browser_process_impl.cc
+++ b/chrome/browser/browser_process_impl.cc
@@ -220,9 +220,12 @@ BrowserProcessImpl::BrowserProcessImpl(
       net_log_path, GetNetCaptureModeFromCommandLine(command_line),
       command_line.GetCommandLineString(), chrome::GetChannelString()));
 
-  ChildProcessSecurityPolicy::GetInstance()->RegisterWebSafeScheme(
+  // chrome-extension:// URLs are safe to request anywhere, but may only
+  // commit (including in iframes) in extension processes.

[Charlie Reis, 2016/09/28 22:07:16]

Sanity check: Will this affect DevTools extensions?

[ncarter (slow), 2016/09/29 21:01:45]

Excellent catch. This was a real bug; I've fixed it and added a test.

+  ChildProcessSecurityPolicy::GetInstance()->RegisterWebSafeIsolatedScheme(
       extensions::kExtensionScheme);
-  ChildProcessSecurityPolicy::GetInstance()->RegisterWebSafeScheme(
+  // TODO(nick): Kill off kExtensionResourceScheme.
+  ChildProcessSecurityPolicy::GetInstance()->RegisterWebSafeIsolatedScheme(
       extensions::kExtensionResourceScheme);
   ChildProcessSecurityPolicy::GetInstance()->RegisterWebSafeScheme(
       chrome::kChromeSearchScheme);