Flip the kRequireSecureOriginsForPepperMediaRequests to enabled by default

chrome/browser/permissions/permission_context_base.cc

 // Copyright 2014 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "chrome/browser/permissions/permission_context_base.h"
 
 #include <stddef.h>
 
 #include <string>
 #include <utility>
@@ skipping 18 matching lines @@
 #include "chrome/common/chrome_features.h"
 #include "chrome/common/pref_names.h"
 #include "components/content_settings/core/browser/host_content_settings_map.h"
 #include "components/prefs/pref_service.h"
 #include "components/safe_browsing_db/database_manager.h"
 #include "components/variations/variations_associated_data.h"
 #include "content/public/browser/browser_thread.h"
 #include "content/public/browser/render_frame_host.h"
 #include "content/public/browser/web_contents.h"
 #include "content/public/common/origin_util.h"
+#include "extensions/common/constants.h"
 #include "url/gurl.h"
 
 #if defined(OS_ANDROID)
 #include "chrome/browser/permissions/permission_queue_controller.h"
 #endif
 
 namespace {
 
 const char kPermissionBlockedKillSwitchMessage[] =
     "%s permission has been blocked.";
@@ skipping 170 matching lines @@
     content::RenderFrameHost* render_frame_host,
     const GURL& requesting_origin,
     const GURL& embedding_origin) const {
   // If the permission has been disabled through Finch, block all requests.
   if (IsPermissionKillSwitchOn()) {
     return PermissionResult(CONTENT_SETTING_BLOCK,
                             PermissionStatusSource::KILL_SWITCH);
   }
 
   if (IsRestrictedToSecureOrigins()) {
+    if (!content::IsOriginSecure(requesting_origin)) {
+      return PermissionResult(CONTENT_SETTING_BLOCK,
+                              PermissionStatusSource::UNSPECIFIED);
+    }
+
     // TODO(raymes): We should check the entire chain of embedders here whenever
     // possible as this corresponds to the requirements of the secure contexts
-    // spec and matches what is implemented in blink.
-    if (!content::IsOriginSecure(requesting_origin) ||
+    // spec and matches what is implemented in blink. Right now we just check
+    // the top level and requesting origins. Note: chrome-extension:// origins
+    // are currently exempt from checking the embedder chain. crbug.com/530507.
+    if (!requesting_origin.SchemeIs(extensions::kExtensionScheme) &&

[raymes, 2017/05/22 04:09:39]

timloh: I had to add this exception to make tests pass. Could you please take a
quick look?

[Timothy Loh, 2017/05/22 04:31:18]

Seems reasonable.

         !content::IsOriginSecure(embedding_origin)) {
       return PermissionResult(CONTENT_SETTING_BLOCK,
                               PermissionStatusSource::UNSPECIFIED);
     }
   }
 
   ContentSetting content_setting = GetPermissionStatusInternal(
       render_frame_host, requesting_origin, embedding_origin);
   if (content_setting == CONTENT_SETTING_ASK) {
     PermissionResult result =
@@ skipping 205 matching lines @@
                                       content_settings_storage_type(),
                                       std::string(), content_setting);
 }
 
 ContentSettingsType PermissionContextBase::content_settings_storage_type()
     const {
   if (content_settings_type_ == CONTENT_SETTINGS_TYPE_PUSH_MESSAGING)
     return CONTENT_SETTINGS_TYPE_NOTIFICATIONS;
   return content_settings_type_;
 }