Temporarily reintroduce blob/filesystem URL security checks on the IO thread.

chrome/browser/net/chrome_extensions_network_delegate.cc

 // Copyright 2014 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "chrome/browser/net/chrome_extensions_network_delegate.h"
 
 #include <stdint.h>
 
 #include "base/macros.h"
 #include "net/base/net_errors.h"
 
 #if defined(ENABLE_EXTENSIONS)
 #include "chrome/browser/browser_process.h"
 #include "chrome/browser/extensions/api/proxy/proxy_api.h"
 #include "chrome/browser/extensions/event_router_forwarder.h"
 #include "chrome/browser/profiles/profile_manager.h"
 #include "chrome/browser/renderer_host/chrome_navigation_ui_data.h"
 #include "content/public/browser/browser_thread.h"
 #include "content/public/browser/render_frame_host.h"
 #include "content/public/browser/resource_request_info.h"
+#include "content/public/common/browser_side_navigation_policy.h"
 #include "extensions/browser/api/web_request/web_request_api.h"
 #include "extensions/browser/extension_navigation_ui_data.h"
 #include "extensions/browser/info_map.h"
 #include "extensions/browser/process_manager.h"
+#include "extensions/common/permissions/api_permission.h"
 #include "net/url_request/url_request.h"
 
 using content::BrowserThread;
 using content::ResourceRequestInfo;
 using extensions::ExtensionWebRequestEventRouter;
 
 namespace {
 
 enum RequestStatus { REQUEST_STARTED, REQUEST_DONE };
 
@@ skipping 135 matching lines @@
 
 void ChromeExtensionsNetworkDelegateImpl::ForwardDoneRequestStatus(
     net::URLRequest* request) {
   ForwardRequestStatus(REQUEST_DONE, request, profile_);
 }
 
 int ChromeExtensionsNetworkDelegateImpl::OnBeforeURLRequest(
     net::URLRequest* request,
     const net::CompletionCallback& callback,
     GURL* new_url) {
+  const content::ResourceRequestInfo* info =
+      content::ResourceRequestInfo::ForRequest(request);
+  GURL url(request->url());
+
+  // Block top-level navigations to blob: or filesystem: URLs with extension
+  // origin from non-extension processes.  See https://crbug.com/645028.
+  //
+  // TODO(alexmos): This check is redundant with the one in
+  // ExtensionNavigationThrottle::WillStartRequest, which was introduced in
+  // M56. It is reintroduced temporarily to tighten this blocking for apps with

[mmenke, 2016/10/20 20:52:04]

"It is" meaning this check, not the one in the throttle?

[alexmos, 2016/10/20 21:18:16]

Yes.  Tweaked the comment to say this explicitly.

+  // a "webview" permission on M55/54 (see https://crbug.com/656752).  It will

[mmenke, 2016/10/20 20:52:04]

Could you give me access to the bug?  I want to know what's going on here.

[alexmos, 2016/10/20 21:18:16]

Done.  Also CC'ed you on a couple of linked bugs that you'd need for full
context.

+  // be removed after it's merged.  Unlike the check in
+  // ExtensionNavigationThrottle, this check is incompatible with PlzNavigate
+  // and is disabled for that mode.

[mmenke, 2016/10/20 20:52:04]

Why is this check not compatible with PlzNavigate?

[alexmos, 2016/10/20 21:18:16]

See https://codereview.chromium.org/2411693003.  IIRC, I think with PlzNavigate,
we don't know which process is responsible for the request here, i.e.,
GetChildID() is -1, so we can't use it for the process_map() check.

[alexmos, 2016/10/20 21:23:45]

Just a bit more context: when I originally introduced this blocking, it broke
PlzNavigate tests (see https://crbug.com/647712).  The PlzNavigate exclusion
avoids breaking these tests on ToT.

+  bool is_nested_url = url.SchemeIsFileSystem() || url.SchemeIsBlob();
+  bool is_navigation =
+      info && content::IsResourceTypeFrame(info->GetResourceType());
+  url::Origin origin(url);
+  if (is_nested_url && is_navigation && info->IsMainFrame() &&
+      origin.scheme() == extensions::kExtensionScheme &&
+      !extension_info_map_->process_map().Contains(info->GetChildID()) &&
+      !content::IsBrowserSideNavigationEnabled()) {

[ncarter (slow), 2016/10/20 17:22:32]

To be fully clear, my understanding is that we don't need to merge back the
!content::IsBrowserSideNavigationEnabled() check to M55/M54? (i.e. we don't care
about breaking plznavigate on beta/stable because it's disabled and there's no
field trial). If so then this looks right.

[alexmos, 2016/10/20 17:24:46]

Yes, correct, the plan is not to merge this check back.

+    // Relax this restriction for apps that use <webview>.  See
+    // https://crbug.com/652077.
+    const extensions::Extension* extension =
+        extension_info_map_->extensions().GetByID(origin.host());
+    bool has_webview_permission =
+        extension &&
+        extension->permissions_data()->HasAPIPermission(
+            extensions::APIPermission::kWebView);
+    if (!has_webview_permission)
+      return net::ERR_ABORTED;
+  }
+
   return ExtensionWebRequestEventRouter::GetInstance()->OnBeforeRequest(
       profile_, extension_info_map_.get(),
       GetExtensionNavigationUIData(request), request, callback, new_url);
 }
 
 int ChromeExtensionsNetworkDelegateImpl::OnBeforeStartTransaction(
     net::URLRequest* request,
     const net::CompletionCallback& callback,
     net::HttpRequestHeaders* headers) {
   return ExtensionWebRequestEventRouter::GetInstance()->OnBeforeSendHeaders(
@@ skipping 175 matching lines @@
 }
 
 net::NetworkDelegate::AuthRequiredResponse
 ChromeExtensionsNetworkDelegate::OnAuthRequired(
     net::URLRequest* request,
     const net::AuthChallengeInfo& auth_info,
     const AuthCallback& callback,
     net::AuthCredentials* credentials) {
   return net::NetworkDelegate::AUTH_REQUIRED_RESPONSE_NO_ACTION;
 }