Disable web payments API on blob: and data: schemes.

components/payments/content/payment_request.cc

 // Copyright 2016 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "components/payments/content/payment_request.h"
 
 #include <string>
 #include <utility>
 
 #include "base/memory/ptr_util.h"
@@ skipping 27 matching lines @@
 
 PaymentRequest::~PaymentRequest() {}
 
 void PaymentRequest::Init(mojom::PaymentRequestClientPtr client,
                           std::vector<mojom::PaymentMethodDataPtr> method_data,
                           mojom::PaymentDetailsPtr details,
                           mojom::PaymentOptionsPtr options) {
   DCHECK_CURRENTLY_ON(content::BrowserThread::UI);
   client_ = std::move(client);
 
-  if (!OriginSecurityChecker::IsOriginSecure(
-          delegate_->GetLastCommittedURL())) {
+  GURL last_committed_url = delegate_->GetLastCommittedURL();

[meacer, 2017/05/02 21:21:54]

nit: const GURL

[please use gerrit instead, 2017/05/03 20:53:51]

Done.

+  if (!OriginSecurityChecker::IsOriginSecure(last_committed_url)) {

[meacer, 2017/05/02 21:21:54]

IsOriginSecure returns true for a bunch of schemes including file, filesystem,
about:blank and data. The allowed_origin check is more restrictive than
IsOriginSecure, so it seems we can remove this check?

[please use gerrit instead, 2017/05/03 20:53:51]

This check is to verify that the renderer is behaving sanely. The renderer
exposes the PaymentRequest API only in secure context. If this condition is hit,
we should immediately terminate connection to the renderer instead of playing
along as in the allowed_origin check.

[meacer, 2017/05/03 21:08:53]

Thanks for the clarification. I didn't notice the OnConnectionTerminated call.

     LOG(ERROR) << "Not in a secure origin";
     OnConnectionTerminated();
     return;
   }
 
-  if (OriginSecurityChecker::IsSchemeCryptographic(
-          delegate_->GetLastCommittedURL()) &&
-      !delegate_->IsSslCertificateValid()) {
+  bool allowed_origin =
+      OriginSecurityChecker::IsSchemeCryptographic(last_committed_url) ||
+      OriginSecurityChecker::IsOriginLocalhostOrFile(last_committed_url);
+  if (!allowed_origin) {
+    LOG(ERROR) << "Only localhost, file://, and cryptographic scheme origins "
+                  "allowed";
+  }
+
+  bool invalid_ssl =
+      OriginSecurityChecker::IsSchemeCryptographic(last_committed_url) &&
+      !delegate_->IsSslCertificateValid();
+  if (invalid_ssl)
     LOG(ERROR) << "SSL certificate is not valid";
+
+  if (!allowed_origin || invalid_ssl) {
     // Don't show UI. Resolve .canMakepayment() with "false". Reject .show()
     // with "NotSupportedError".
     spec_ = base::MakeUnique<PaymentRequestSpec>(
         mojom::PaymentOptions::New(), mojom::PaymentDetails::New(),
         std::vector<mojom::PaymentMethodDataPtr>(), this,
         delegate_->GetApplicationLocale());
     state_ = base::MakeUnique<PaymentRequestState>(
         spec_.get(), this, delegate_->GetApplicationLocale(),
         delegate_->GetPersonalDataManager(), delegate_.get());
     return;
@@ skipping 120 matching lines @@
   binding_.Close();
   delegate_->CloseDialog();
   manager_->DestroyRequest(this);
 }
 
 void PaymentRequest::Pay() {
   state_->GeneratePaymentResponse();
 }
 
 }  // namespace payments