PlzNavigate: Fix the FindInPageControllerTest.SearchWithinSpecialURL browser test.

content/browser/frame_host/navigation_request.cc

Index: content/browser/frame_host/navigation_request.cc
diff --git a/content/browser/frame_host/navigation_request.cc b/content/browser/frame_host/navigation_request.cc
index c13a7e7f346df429cfd58896da678a198019f258..039f18b73494ee673b403549b8b085c7e75a656e 100644
--- a/content/browser/frame_host/navigation_request.cc
+++ b/content/browser/frame_host/navigation_request.cc
@@ -6,6 +6,7 @@
 
 #include <utility>
 
+#include "content/browser/child_process_security_policy_impl.h"
 #include "content/browser/devtools/render_frame_devtools_agent_host.h"
 #include "content/browser/frame_host/frame_tree.h"
 #include "content/browser/frame_host/frame_tree_node.h"
@@ -15,6 +16,7 @@
 #include "content/browser/frame_host/navigator.h"
 #include "content/browser/frame_host/navigator_impl.h"
 #include "content/browser/loader/navigation_url_loader.h"
+#include "content/browser/renderer_host/render_process_host_impl.h"
 #include "content/browser/service_worker/service_worker_context_wrapper.h"
 #include "content/browser/service_worker/service_worker_navigation_handle.h"
 #include "content/browser/site_instance_impl.h"
@@ -512,9 +514,31 @@ void NavigationRequest::OnRedirectChecksComplete(
     NavigationThrottle::ThrottleCheckResult result) {
   CHECK(result != NavigationThrottle::DEFER);
 
+  // For non browser initiated navigations we need to check if the source and
+  // target site instances both have access to the URL. We always allow
+  // browser initiated requests.
+  bool source_can_request = true;
+  if (!browser_initiated_ && source_site_instance()) {

[ananta, 2016/10/22 03:47:32]

Verified that the browser_initiated_ field is set to false for renderer
initiated navigations like opening a link in a current tab/new tab/window via a
script. Normal link clicks also have the browser_initiated_ flag set to false.

[jam, 2016/10/24 16:59:16]

actually, we should probably do this before throttles run? i.e. line 337 above
where there's a TODO? And maybe instead of just calling CanRequestURL, we call
FilterURL since that does more checks thatn just CPSP?

[ananta, 2016/10/24 19:53:19]

Done

+    source_can_request =
+        ChildProcessSecurityPolicyImpl::GetInstance()->CanRequestURL(
+            source_site_instance()->GetProcess()->GetID(),
+        common_params_.url);
+  }
+
+  bool renderer_can_request = true;
+  if (!browser_initiated_) {
+    renderer_can_request =
+      ChildProcessSecurityPolicyImpl::GetInstance()->CanRequestURL(
+          frame_tree_node()->current_frame_host()->GetSiteInstance()->
+              GetProcess()->GetID(),
+          common_params_.url);
+  }
+
   // Abort the request if needed. This will destroy the NavigationRequest.
   if (result == NavigationThrottle::CANCEL_AND_IGNORE ||
-      result == NavigationThrottle::CANCEL) {
+      result == NavigationThrottle::CANCEL ||
+      !source_can_request ||
+      !renderer_can_request) {
     // TODO(clamy): distinguish between CANCEL and CANCEL_AND_IGNORE.
     frame_tree_node_->ResetNavigationRequest(false);
     return;