Block navigations to hosted apps non-icon resources with PlzNavigate.

extensions/browser/extension_navigation_throttle.cc

Index: extensions/browser/extension_navigation_throttle.cc
diff --git a/extensions/browser/extension_navigation_throttle.cc b/extensions/browser/extension_navigation_throttle.cc
index 9412f16d6ef98f342a477e7b81046a69956b38f6..3703b8d091d49de272b4cb68499b4d6db68b3a24 100644
--- a/extensions/browser/extension_navigation_throttle.cc
+++ b/extensions/browser/extension_navigation_throttle.cc
@@ -17,6 +17,7 @@
 #include "extensions/common/constants.h"
 #include "extensions/common/extension.h"
 #include "extensions/common/extension_set.h"
+#include "extensions/common/manifest_handlers/icons_handler.h"
 #include "extensions/common/manifest_handlers/web_accessible_resources_info.h"
 #include "extensions/common/manifest_handlers/webview_info.h"
 #include "extensions/common/permissions/api_permission.h"
@@ -65,6 +66,18 @@ ExtensionNavigationThrottle::WillStartOrRedirectRequest() {
     return content::NavigationThrottle::BLOCK_REQUEST;
   }
 
+  // Hosted apps don't have any associated resources outside of icons, so
+  // block any requests to URLs in their extension origin.
+  if (target_extension->is_hosted_app()) {
+    base::StringPiece resource_root_relative_path =
+        url.path_piece().empty() ? base::StringPiece()
+                                 : url.path_piece().substr(1);
+    if (!IconsInfo::GetIcons(target_extension)
+             .ContainsPath(resource_root_relative_path)) {
+      return content::NavigationThrottle::BLOCK_REQUEST;
+    }
+  }
+
   if (navigation_handle()->IsInMainFrame()) {
     // Block top-level navigations to blob: or filesystem: URLs with extension
     // origin from non-extension processes.  See https://crbug.com/645028.