Share schemes needed for mixed content checking between the browser and renderer.

chrome/common/chrome_content_client.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "chrome/common/chrome_content_client.h"
 
 #include <stdint.h>
 
 #include <map>
 #include <memory>
@@ skipping 31 matching lines @@
 #include "content/public/common/user_agent.h"
 #include "extensions/common/constants.h"
 #include "extensions/features/features.h"
 #include "gpu/config/gpu_info.h"
 #include "net/http/http_util.h"
 #include "pdf/features.h"
 #include "ppapi/features/features.h"
 #include "ui/base/l10n/l10n_util.h"
 #include "ui/base/layout.h"
 #include "ui/base/resource/resource_bundle.h"
+#include "url/url_constants.h"
 #include "widevine_cdm_version.h"  // In SHARED_INTERMEDIATE_DIR.
 
 #if defined(OS_LINUX)
 #include <fcntl.h>
 #include "chrome/common/component_flash_hint_file_linux.h"
 #include "sandbox/linux/services/credentials.h"
 #endif  // defined(OS_LINUX)
 
 #if defined(OS_WIN)
 #include "base/win/windows_version.h"
@@ skipping 508 matching lines @@
     schemes->standard_schemes.push_back(standard_scheme);
 
 #if defined(OS_ANDROID)
   schemes->referrer_schemes.push_back(chrome::kAndroidAppScheme);
 #endif
 
   schemes->savable_schemes.push_back(extensions::kExtensionScheme);
   schemes->savable_schemes.push_back(chrome::kChromeSearchScheme);
   schemes->savable_schemes.push_back(dom_distiller::kDomDistillerScheme);
 
+  // chrome-search: resources shouldn't trigger insecure content warnings.
   schemes->secure_schemes.push_back(chrome::kChromeSearchScheme);
-  schemes->secure_schemes.push_back(content::kChromeUIScheme);
+
+  // Treat as secure because communication with them is entirely in the browser,
+  // so there is no danger of manipulation or eavesdropping on communication
+  // with them by third parties.
   schemes->secure_schemes.push_back(extensions::kExtensionScheme);
+
   schemes->secure_origins = GetSecureOriginWhitelist();
 
+  schemes->no_access_schemes.push_back(chrome::kChromeNativeScheme);
+
 #if BUILDFLAG(ENABLE_EXTENSIONS)
   if (extensions::feature_util::ExtensionServiceWorkersEnabled())
     schemes->service_worker_schemes.push_back(extensions::kExtensionScheme);
+
+  // As far as Blink is concerned, they should be allowed to receive CORS
+  // requests. At the Extensions layer, requests will actually be blocked unless
+  // overridden by the web_accessible_resources manifest key.
+  // TODO(kalman): See what happens with a service worker.
+  schemes->cors_enabled_schemes.push_back(extensions::kExtensionScheme);
+#endif
+
+#if defined(OS_CHROMEOS)
+  schemes->local_schemes.push_back(content::kExternalFileScheme);
+#endif
+
+#if defined(OS_ANDROID)
+  schemes->local_schemes.push_back(url::kContentScheme);
 #endif
 }
 
 std::string ChromeContentClient::GetProduct() const {
   return ::GetProduct();
 }
 
 std::string ChromeContentClient::GetUserAgent() const {
   return ::GetUserAgent();
 }
@@ skipping 68 matching lines @@
   if (!origin_trial_policy_)
     origin_trial_policy_ = base::MakeUnique<ChromeOriginTrialPolicy>();
   return origin_trial_policy_.get();
 }
 
 #if defined(OS_ANDROID)
 media::MediaClientAndroid* ChromeContentClient::GetMediaClientAndroid() {
   return new ChromeMediaClientAndroid();
 }
 #endif  // OS_ANDROID