Lock down creation of "filesystem:chrome-extension://" URLs

content/browser/child_process_security_policy_impl.cc

Index: content/browser/child_process_security_policy_impl.cc
diff --git a/content/browser/child_process_security_policy_impl.cc b/content/browser/child_process_security_policy_impl.cc
index 004fcb58ee2ca6b3c806b782d2fca69244ee1646..5f1a33c466c9977ba0a8c74b87a8aa9f26aae8aa 100644
--- a/content/browser/child_process_security_policy_impl.cc
+++ b/content/browser/child_process_security_policy_impl.cc
@@ -796,6 +796,12 @@ bool ChildProcessSecurityPolicyImpl::HasPermissionsForFileSystemFile(
   if (!url.is_valid())
     return false;
 
+  // If |url.origin()| is not committable in this process, then this page
+  // should not be able to place content in that origin via the filesystem
+  // API either.
+  if (!CanCommitURL(child_id, url.origin()))
+    return false;

[Charlie Reis, 2016/10/04 22:19:04]

Consider adding a UMA to detect if this is happening too often?

[ncarter (slow), 2016/10/04 23:09:36]

Done.

+
   if (url.path().ReferencesParent())
     return false;