Tighten IO thread blob/filesystem URL checks for apps with webview permission.

chrome/browser/net/chrome_extensions_network_delegate.cc

Index: chrome/browser/net/chrome_extensions_network_delegate.cc
diff --git a/chrome/browser/net/chrome_extensions_network_delegate.cc b/chrome/browser/net/chrome_extensions_network_delegate.cc
index 5c7e33fad911c45680260f656c09cc40b205be15..8b3324428f129b95a2616ada7bafa218df1f8e59 100644
--- a/chrome/browser/net/chrome_extensions_network_delegate.cc
+++ b/chrome/browser/net/chrome_extensions_network_delegate.cc
@@ -10,12 +10,14 @@
 #include "net/base/net_errors.h"
 
 #if defined(ENABLE_EXTENSIONS)
+#include "base/debug/dump_without_crashing.h"
 #include "chrome/browser/browser_process.h"
 #include "chrome/browser/extensions/api/proxy/proxy_api.h"
 #include "chrome/browser/extensions/event_router_forwarder.h"
 #include "chrome/browser/profiles/profile_manager.h"
 #include "chrome/browser/renderer_host/chrome_navigation_ui_data.h"
 #include "content/public/browser/browser_thread.h"
+#include "content/public/browser/child_process_security_policy.h"
 #include "content/public/browser/render_frame_host.h"
 #include "content/public/browser/resource_request_info.h"
 #include "content/public/common/browser_side_navigation_policy.h"
@@ -209,8 +211,22 @@ int ChromeExtensionsNetworkDelegateImpl::OnBeforeURLRequest(
         extension &&
         extension->permissions_data()->HasAPIPermission(
             extensions::APIPermission::kWebView);
-    if (!has_webview_permission)
+    // Check whether the request is coming from a <webview> guest process via
+    // ChildProcessSecurityPolicy.  A guest process should have already been
+    // granted permission to request |origin| when its WebContents was created.
+    // See https://crbug.com/656752.
+    auto* policy = content::ChildProcessSecurityPolicy::GetInstance();
+    bool from_guest =
+        policy->HasSpecificPermissionForOrigin(info->GetChildID(), origin);
+    if (!has_webview_permission || !from_guest) {
+      // TODO(alexmos): Temporary instrumentation to find any regressions for
+      // this blocking.  Remove after verifying that this is not breaking any
+      // legitimate use cases.
+      base::debug::Alias(&origin);

[mmenke, 2016/10/20 21:00:30]

include base/debug/alias.h.

[mmenke, 2016/10/20 21:00:30]

Also, I don't think this is guaranteed to work?  You'll get the contents of
origin, but not the contents of origin's string, since it's a pointer.  The
general way to do this is to put a fixed length character array on the stack,
and copy up to the first n bytes of origin as a string to it.

[alexmos, 2016/10/21 00:18:56]

Done.

[alexmos, 2016/10/21 00:18:56]

Replaced with the fixed char array.  Thanks for pointing this out!

+      base::debug::Alias(&from_guest);
+      base::debug::DumpWithoutCrashing();
       return net::ERR_ABORTED;
+    }
   }
 
   return ExtensionWebRequestEventRouter::GetInstance()->OnBeforeRequest(