Tighten IO thread blob/filesystem URL checks for apps with webview permission.

content/browser/child_process_security_policy_impl.cc

Index: content/browser/child_process_security_policy_impl.cc
diff --git a/content/browser/child_process_security_policy_impl.cc b/content/browser/child_process_security_policy_impl.cc
index 0eb5ade6f4a3f8cbe8d310556ae4a064c2d100ae..40e54682a653df0606253de7378c245094534978 100644
--- a/content/browser/child_process_security_policy_impl.cc
+++ b/content/browser/child_process_security_policy_impl.cc
@@ -200,6 +200,10 @@ class ChildProcessSecurityPolicyImpl::SecurityState {
     can_send_midi_sysex_ = true;
   }
 
+  bool CanCommitOrigin(const url::Origin& origin) {
+    return base::ContainsKey(origin_set_, origin);
+  }
+
   // Determine whether permission has been granted to commit |url|.
   bool CanCommitURL(const GURL& url) {
     DCHECK(!url.SchemeIsBlob() && !url.SchemeIsFileSystem())
@@ -211,7 +215,7 @@ class ChildProcessSecurityPolicyImpl::SecurityState {
       return scheme_judgment->second;
 
     // Otherwise, check for permission for specific origin.
-    if (base::ContainsKey(origin_set_, url::Origin(url)))
+    if (CanCommitOrigin(url::Origin(url)))
       return true;
 
     // file:// URLs are more granular.  The child may have been given
@@ -926,6 +930,16 @@ bool ChildProcessSecurityPolicyImpl::CanAccessDataForOrigin(int child_id,
   return state->second->CanAccessDataForOrigin(gurl);
 }
 
+bool ChildProcessSecurityPolicyImpl::HasSpecificPermissionForOrigin(
+    int child_id,
+    const url::Origin& origin) {
+  base::AutoLock lock(lock_);
+  SecurityStateMap::iterator state = security_state_.find(child_id);
+  if (state == security_state_.end())
+    return false;
+  return state->second->CanCommitOrigin(origin);
+}
+
 void ChildProcessSecurityPolicyImpl::LockToOrigin(int child_id,
                                                   const GURL& gurl) {
   // "gurl" can be currently empty in some cases, such as file://blah.