Block top-level navigations to nested URLs with extension origins from non-extension processes.

Block top-level navigations to nested URLs with extension origins from non-extension processes.

Before this CL, it was possible for a web iframe with an unblessed
extension frame to exploit the renderer, create a blob: or filesystem:
URL in the extension frame context, then create a new top-level window
and navigate it to that URL, which could end up putting the new window
into a privileged extension process running attacker's code.

BUG=645028
Review-Url: https://codereview.chromium.org/2345473003
Cr-Commit-Position: refs/heads/master@{#419019}
(cherry picked from commit 4bfdc9292a6161980ba9a7a469d2d4515bebc6dd)

Committed: https://chromium.googlesource.com/chromium/src/+/dbf71ae0ae30ffd84974aebf1bc7fefe329d5091

[alexmos, 2016-09-23 16:46:23]

Description was changed from

==========
Block top-level navigations to nested URLs with extension origins from
non-extension processes.

Before this CL, it was possible for a web iframe with an unblessed
extension frame to exploit the renderer, create a blob: or filesystem:
URL in the extension frame context, then create a new top-level window
and navigate it to that URL, which could end up putting the new window
into a privileged extension process running attacker's code.

BUG=645028

Review-Url: https://codereview.chromium.org/2345473003
Cr-Commit-Position: refs/heads/master@{#419019}
(cherry picked from commit 4bfdc9292a6161980ba9a7a469d2d4515bebc6dd)
==========

to

==========
Block top-level navigations to nested URLs with extension origins from
non-extension processes.

Before this CL, it was possible for a web iframe with an unblessed
extension frame to exploit the renderer, create a blob: or filesystem:
URL in the extension frame context, then create a new top-level window
and navigate it to that URL, which could end up putting the new window
into a privileged extension process running attacker's code.

BUG=645028

Review-Url: https://codereview.chromium.org/2345473003
Cr-Commit-Position: refs/heads/master@{#419019}
(cherry picked from commit 4bfdc9292a6161980ba9a7a469d2d4515bebc6dd)

Committed:
https://chromium.googlesource.com/chromium/src/+/dbf71ae0ae30ffd84974aebf1bc7...
==========

[alexmos, 2016-09-23 16:46:25]

Committed patchset #1 (id:1) manually as
dbf71ae0ae30ffd84974aebf1bc7fefe329d5091.

[alexmos, 2016-10-04 16:41:58]

A revert of this CL (patchset #1 id:1) has been created in
https://codereview.chromium.org/2391643004/ by alexmos@chromium.org.

The reason for reverting is: Broke blob: loads in <webview>.  See
https://bugs.chromium.org/p/chromium/issues/detail?id=652077.