BlobUrlBrowserTest: Add a test exercising blob: URLs from file:// documents.

content/browser/frame_host/render_frame_host_manager.cc

Index: content/browser/frame_host/render_frame_host_manager.cc
diff --git a/content/browser/frame_host/render_frame_host_manager.cc b/content/browser/frame_host/render_frame_host_manager.cc
index 4971162605e15af9aeef844cb10914d3aad81d74..6678eb42ab3196ba1421f3cbc7940ba7ba342746 100644
--- a/content/browser/frame_host/render_frame_host_manager.cc
+++ b/content/browser/frame_host/render_frame_host_manager.cc
@@ -1399,13 +1399,22 @@ RenderFrameHostManager::DetermineSiteInstanceForURL(
                                   SiteInstanceRelation::UNRELATED);
   }
 
-  // Use the source SiteInstance in case of data URLs or about:blank pages,
-  // because the content is then controlled and/or scriptable by the source
-  // SiteInstance.
-  GURL about_blank(url::kAboutBlankURL);
-  if (source_instance &&
-      (dest_url == about_blank || dest_url.scheme() == url::kDataScheme)) {
-    return SiteInstanceDescriptor(source_instance);
+  if (source_instance) {
+    // Use the source SiteInstance in case of data URLs or about:blank pages,
+    // because the content is then controlled and/or scriptable by the source
+    // SiteInstance.
+    GURL about_blank(url::kAboutBlankURL);
+    if (dest_url == about_blank || dest_url.SchemeIs(url::kDataScheme))
+      return SiteInstanceDescriptor(source_instance);
+    // Process transfers for filesystem and blob URLs work similarly:
+    // Although these URLs have origins, they are disallowed in
+    // cross-origin contexts. So the only site instance swap we
+    // allow is to |source_instance|.
+    if (dest_url.SchemeIsBlob() || dest_url.SchemeIsFileSystem()) {
+      // TODO(nick): do we need to check for origin safety? Are we downstream
+      // of existing enforcement or what?
+      return SiteInstanceDescriptor(source_instance);
+    }
   }
 
   // Use the current SiteInstance for same site navigations.