Lock down the registration of blob:chrome-extension:// URLs

content/browser/blob_storage/blob_dispatcher_host.cc

Index: content/browser/blob_storage/blob_dispatcher_host.cc
diff --git a/content/browser/blob_storage/blob_dispatcher_host.cc b/content/browser/blob_storage/blob_dispatcher_host.cc
index 4f2ed8439f15ee20201f45bef45f5b836ccfb62f..3c326a39f8dcf4097b80aa7d7c5946fa45110a66 100644
--- a/content/browser/blob_storage/blob_dispatcher_host.cc
+++ b/content/browser/blob_storage/blob_dispatcher_host.cc
@@ -304,12 +304,23 @@ void BlobDispatcherHost::OnDecrementBlobRefCount(const std::string& uuid) {
 void BlobDispatcherHost::OnRegisterPublicBlobURL(const GURL& public_url,
                                                  const std::string& uuid) {
   DCHECK_CURRENTLY_ON(BrowserThread::IO);
-  BlobStorageContext* context = this->context();
+  ChildProcessSecurityPolicyImpl* security_policy =
+      ChildProcessSecurityPolicyImpl::GetInstance();
+
+  // Blob urls have embedded origins. A frame should only be creating blob URLs
+  // in the origin of its current document. Make sure that the origin advertised
+  // on the URL is allowed to be rendered in this process.
+  if (!public_url.SchemeIsBlob() ||
+      !security_policy->CanCommitURL(process_id_, public_url)) {
+    bad_message::ReceivedBadMessage(this, bad_message::BDH_DISALLOWED_ORIGIN);
+    return;
+  }
   if (uuid.empty()) {
     bad_message::ReceivedBadMessage(this,
                                     bad_message::BDH_INVALID_URL_OPERATION);
     return;
   }
+  BlobStorageContext* context = this->context();
   if (!IsInUseInHost(uuid) || context->registry().IsURLMapped(public_url)) {
     UMA_HISTOGRAM_ENUMERATION("Storage.Blob.InvalidURLRegister", BDH_INCREMENT,
                               BDH_TRACING_ENUM_LAST);