Don't kill Chrome Apps that make XHRs from guests.

chrome/browser/extensions/chrome_content_browser_client_extensions_part.cc

 // Copyright 2014 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "chrome/browser/extensions/chrome_content_browser_client_extensions_part.h"
 
 #include <stddef.h>
 
 #include <set>
 
@@ skipping 184 matching lines @@
   // and use HeaderInterceptorResult::KILL for anything not on the list.
   // See https://crbug.com/705128.
   ProfileIOData* io_data = ProfileIOData::FromResourceContext(resource_context);
   InfoMap* extension_info_map = io_data->GetExtensionInfoMap();
   const Extension* extension =
       extension_info_map->extensions().GetExtensionOrAppByURL(origin);
   if (!extension)
     return content::HeaderInterceptorResult::FAIL;
 
   // Check for platform app origins.  These can only be committed by the app
-  // itself, or by one if its guests if there are accessible_resources.
+  // itself, or by one if its guests if it has the webview permission.
   // Processes that incorrectly claim to be an app should be killed.
   const ProcessMap& process_map = extension_info_map->process_map();
   if (extension->is_platform_app() &&
       !process_map.Contains(extension->id(), child_id)) {
-    // This is a platform app origin not in the app's own process.  If there
-    // are no accessible resources, this is illegal.
-    if (!extension->GetManifestData(manifest_keys::kWebviewAccessibleResources))
+    // This is a platform app origin not in the app's own process.  If it cannot
+    // create webviews, this is illegal.
+    if (!extension->permissions_data()->HasAPIPermission(
+            extensions::APIPermission::kWebView))

[lazyboy, 2017/04/06 21:03:29]

nit: {}

[Charlie Reis, 2017/04/06 21:09:15]

Sure.  (Not strictly necessary since the body is still one line, but I agree
that it makes things easier to read here due to the various other indents
nearby.)

       return content::HeaderInterceptorResult::KILL;
 
     // If there are accessible resources, the origin is only legal if the
     // given process is a guest of the app.
     std::string owner_extension_id;
     int owner_process_id;
     WebViewRendererState::GetInstance()->GetOwnerInfo(
         child_id, &owner_process_id, &owner_extension_id);
     const Extension* owner_extension =
         extension_info_map->extensions().GetByID(owner_extension_id);
@@ skipping 644 matching lines @@
     command_line->AppendSwitch(switches::kExtensionProcess);
   }
 }
 
 void ChromeContentBrowserClientExtensionsPart::ResourceDispatcherHostCreated() {
   content::ResourceDispatcherHost::Get()->RegisterInterceptor(
       "Origin", kExtensionScheme, base::Bind(&OnHttpHeaderReceived));
 }
 
 }  // namespace extensions