Don't kill Chrome Apps that make XHRs from guests.

chrome/browser/extensions/chrome_content_browser_client_extensions_part.cc

Index: chrome/browser/extensions/chrome_content_browser_client_extensions_part.cc
diff --git a/chrome/browser/extensions/chrome_content_browser_client_extensions_part.cc b/chrome/browser/extensions/chrome_content_browser_client_extensions_part.cc
index 6bf45963aa2b568c9e7217d0440f37e4599cdb8b..b24d804cd553b4fae70e9d903e822226f4048343 100644
--- a/chrome/browser/extensions/chrome_content_browser_client_extensions_part.cc
+++ b/chrome/browser/extensions/chrome_content_browser_client_extensions_part.cc
@@ -207,9 +207,10 @@ content::HeaderInterceptorResult CheckOriginHeader(
   const ProcessMap& process_map = extension_info_map->process_map();
   if (extension->is_platform_app() &&
       !process_map.Contains(extension->id(), child_id)) {
-    // This is a platform app origin not in the app's own process.  If there
-    // are no accessible resources, this is illegal.
-    if (!extension->GetManifestData(manifest_keys::kWebviewAccessibleResources))
+    // This is a platform app origin not in the app's own process.  If it cannot
+    // create webviews, this is illegal.
+    if (!extension->permissions_data()->HasAPIPermission(
+            extensions::APIPermission::kWebView))

[ncarter (slow), 2017/04/06 17:16:44]

Do we actually need this check, or would just checking the GetOwnerInfo suffice?

(I'm fine with either way, mostly just curious if there's a meaningful
difference)

[Charlie Reis, 2017/04/06 18:15:46]

In theory, the check below that you mention would be sufficient without also
checking for the webview permission.  I think it's probably reasonable to
enforce here that an app shouldn't have a webview without that permission,
though, so I'd like to keep it for now.

       return content::HeaderInterceptorResult::KILL;
 
     // If there are accessible resources, the origin is only legal if the