Lock down creation of "filesystem:chrome-extension://" URLs

content/browser/child_process_security_policy_impl.cc

Index: content/browser/child_process_security_policy_impl.cc
diff --git a/content/browser/child_process_security_policy_impl.cc b/content/browser/child_process_security_policy_impl.cc
index 004fcb58ee2ca6b3c806b782d2fca69244ee1646..0195c5159fa053833fddfce2ef2e586ea28d4ff9 100644
--- a/content/browser/child_process_security_policy_impl.cc
+++ b/content/browser/child_process_security_policy_impl.cc
@@ -796,6 +796,15 @@ bool ChildProcessSecurityPolicyImpl::HasPermissionsForFileSystemFile(
   if (!url.is_valid())
     return false;
 
+  // If |url.origin()| is not committable in this process, then this page
+  // should not be able to place content in that origin via the filesystem
+  // API either.
+  bool can_commit_origin = CanCommitURL(child_id, url.origin());
+  UMA_HISTOGRAM_BOOLEAN("ChildProcessSecurityPolicy.FileSystemCanCommitOrigin",
+                        can_commit_origin);
+  if (!can_commit_origin)
+    return false;
+
   if (url.path().ReferencesParent())
     return false;