[HBD] Blanket BLOCK on all non-HTTP(s) and non-FILE URLs for Flash.

chrome/browser/plugins/plugin_utils.cc

Index: chrome/browser/plugins/plugin_utils.cc
diff --git a/chrome/browser/plugins/plugin_utils.cc b/chrome/browser/plugins/plugin_utils.cc
index 582d098b1380424bcca1aa64cad2f0986093c9c5..9b3540cc37accb27e1360a0c9696771870c3801c 100644
--- a/chrome/browser/plugins/plugin_utils.cc
+++ b/chrome/browser/plugins/plugin_utils.cc
@@ -5,10 +5,12 @@
 #include "chrome/browser/plugins/plugin_utils.h"
 
 #include "base/values.h"
+#include "chrome/common/chrome_features.h"
 #include "chrome/common/plugin_utils.h"
 #include "components/content_settings/core/browser/host_content_settings_map.h"
 #include "content/public/common/webplugininfo.h"
 #include "url/gurl.h"
+#include "url/origin.h"
 
 namespace {
 
@@ -17,12 +19,15 @@ const char kFlashPluginID[] = "adobe-flash-player";
 void GetPluginContentSettingInternal(
     const HostContentSettingsMap* host_content_settings_map,
     bool use_javascript_setting,
-    const GURL& policy_url,
+    const url::Origin& policy_origin,
     const GURL& plugin_url,
     const std::string& resource,
     ContentSetting* setting,
     bool* uses_default_content_setting,
     bool* is_managed) {
+  GURL policy_url =
+      policy_origin.unique() ? GURL() : GURL(policy_origin.Serialize());
+
   std::unique_ptr<base::Value> value;
   content_settings::SettingInfo info;
   bool uses_plugin_specific_setting = false;
@@ -31,6 +36,18 @@ void GetPluginContentSettingInternal(
         policy_url, policy_url, CONTENT_SETTINGS_TYPE_JAVASCRIPT, std::string(),
         &info);
   } else {
+    // For non-JavaScript treated plugins (Flash), always return BLOCK if the
+    // top level origin is any scheme other HTTP, HTTPS, or FILE.
+    if (base::FeatureList::IsEnabled(features::kPreferHtmlOverPlugins) &&
+        !policy_url.SchemeIsHTTPOrHTTPS() && !policy_url.SchemeIsFile()) {

[jochen (gone - plz use gerrit), 2016/09/30 10:50:34]

aren't file urls unique as well?

[tommycli, 2016/09/30 17:44:43]

Surprisingly... no. I tested this, And I got:

WebSecurityOrigin isunique: 0 string: null
url::Origin isunique: 0 string: file://

I thought they were unique as well, but they don't seem to be.

[tommycli, 2016/09/30 17:46:21]

+cc dcheng/alexmos - I thought file:// urls were unique, but they don't seem to
be. - in either WebSecurityOrigin or url::Origin.

+      *setting = CONTENT_SETTING_BLOCK;
+      if (uses_default_content_setting)
+        *uses_default_content_setting = true;
+      if (is_managed)
+        *is_managed = true;
+      return;
+    }
+
     content_settings::SettingInfo specific_info;
     std::unique_ptr<base::Value> specific_setting =
         host_content_settings_map->GetWebsiteSetting(
@@ -71,7 +88,7 @@ void GetPluginContentSettingInternal(
 void PluginUtils::GetPluginContentSetting(
     const HostContentSettingsMap* host_content_settings_map,
     const content::WebPluginInfo& plugin,
-    const GURL& policy_url,
+    const url::Origin& policy_url,
     const GURL& plugin_url,
     const std::string& resource,
     ContentSetting* setting,
@@ -86,7 +103,7 @@ void PluginUtils::GetPluginContentSetting(
 // static
 ContentSetting PluginUtils::GetFlashPluginContentSetting(
     const HostContentSettingsMap* host_content_settings_map,
-    const GURL& policy_url,
+    const url::Origin& policy_url,
     const GURL& plugin_url,
     bool* is_managed) {
   ContentSetting plugin_setting = CONTENT_SETTING_DEFAULT;