OOR-CORS: Factor out allow/block list calculation logic

This patch factors out allow/block list calculation logic into cors_util so that browser side list management code can reuse the same logic. Also this patch fixes some wrong tests, and refines access list management APIs among network::OriginAccessList, and blink::(Web)SecurityPolicy so that developers are not confused. Bug: 870172 Change-Id: I781b258e2f0ec7ad70065beda0f6eb96923cc690 Reviewed-on: https://chromium-review.googlesource.com/c/1309389Reviewed-by: Devlin <rdevlin.cronin@chromium.org> Reviewed-by: Yutaka Hirano <yhirano@chromium.org> Reviewed-by: Kinuko Yasuda <kinuko@chromium.org> Commit-Queue: Takashi Toyoshima <toyoshim@chromium.org> Cr-Commit-Position: refs/heads/master@{#605259}

OOR-CORS: Factor out allow/block list calculation logic
This patch factors out allow/block list calculation logic into cors_util so that browser side list management code can reuse the same logic. Also this patch fixes some wrong tests, and refines access list management APIs among network::OriginAccessList, and blink::(Web)SecurityPolicy so that developers are not confused. Bug: 870172 Change-Id: I781b258e2f0ec7ad70065beda0f6eb96923cc690 Reviewed-on: https://chromium-review.googlesource.com/c/1309389Reviewed-by: Devlin <rdevlin.cronin@chromium.org> Reviewed-by: Yutaka Hirano <yhirano@chromium.org> Reviewed-by: Kinuko Yasuda <kinuko@chromium.org> Commit-Queue: Takashi Toyoshima <toyoshim@chromium.org> Cr-Commit-Position: refs/heads/master@{#605259}
00bb3037 · Takashi Toyoshima · Commit Bot · 46a257d7 · 00bb3037 · 00bb3037
Commit 00bb3037 authored Nov 05, 2018 by Takashi Toyoshima Committed by Commit Bot Nov 05, 2018
16 changed files
--- a/content/shell/test_runner/test_runner.cc
+++ b/content/shell/test_runner/test_runner.cc
@@ -1581,7 +1581,7 @@ void TestRunner::Reset() {
  mock_screen_orientation_client_->ResetData();
  drag_image_.reset();
-  blink::WebSecurityPolicy::ClearOriginAccessAllowList();
+  blink::WebSecurityPolicy::ClearOriginAccessList();
 #if defined(OS_LINUX) || defined(OS_ANDROID) || defined(OS_FUCHSIA)
  blink::WebFontRenderStyle::SetSubpixelPositioning(false);
 #endif

--- a/extensions/common/BUILD.gn
+++ b/extensions/common/BUILD.gn
@@ -102,6 +102,8 @@ if (enable_extensions) {
      "common_manifest_handlers.cc",
      "common_manifest_handlers.h",
      "common_param_traits.h",
+      "cors_util.cc",
+      "cors_util.h",
      "csp_validator.cc",
      "csp_validator.h",
      "dom_action_types.h",
@@ -323,6 +325,7 @@ if (enable_extensions) {
      "//extensions/common/api",
      "//extensions/strings",
      "//net",
+      "//services/network/public/mojom",
      "//third_party/boringssl",
      "//third_party/icu",
      "//third_party/re2",

--- a/extensions/common/DEPS
+++ b/extensions/common/DEPS
@@ -6,6 +6,7 @@ include_rules = [
  "+grit/extensions_strings.h",
  "+libxml",
  "+net",
+  "+services/network/public/mojom/cors_origin_pattern.mojom.h",
  "+third_party/libxml",
  "+third_party/re2",
 ]
--- a/extensions/common/cors_util.cc
+++ b/extensions/common/cors_util.cc
+// Copyright 2018 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+#include "extensions/common/cors_util.h"
+#include <utility>
+#include "content/public/common/url_constants.h"
+#include "extensions/common/constants.h"
+#include "extensions/common/extension.h"
+#include "extensions/common/extension_urls.h"
+#include "extensions/common/permissions/permissions_data.h"
+#include "extensions/common/url_pattern_set.h"
+namespace extensions {
+namespace {
+void AddURLPatternSetToList(
+    const URLPatternSet& pattern_set,
+    std::vector<network::mojom::CorsOriginPatternPtr>* list,
+    network::mojom::CORSOriginAccessMatchPriority priority) {
+  static const char* const kSchemes[] = {
+    content::kChromeUIScheme,
+#if defined(OS_CHROMEOS)
+    content::kExternalFileScheme,
+#endif
+    extensions::kExtensionScheme,
+    url::kFileScheme,
+    url::kFtpScheme,
+    url::kHttpScheme,
+    url::kHttpsScheme,
+  };
+  for (const URLPattern& pattern : pattern_set) {
+    for (const char* const scheme : kSchemes) {
+      if (!pattern.MatchesScheme(scheme))
+        continue;
+      list->push_back(network::mojom::CorsOriginPattern::New(
+          scheme, pattern.host(), pattern.match_subdomains(), priority));
+    }
+  }
+}
+}  // namespace
+std::vector<network::mojom::CorsOriginPatternPtr>
+CreateCorsOriginAccessAllowList(const Extension& extension) {
+  std::vector<network::mojom::CorsOriginPatternPtr> allow_list;
+  // Permissions declared by the extension.
+  URLPatternSet origin_permissions =
+      extension.permissions_data()->GetEffectiveHostPermissions();
+  AddURLPatternSetToList(
+      origin_permissions, &allow_list,
+      network::mojom::CORSOriginAccessMatchPriority::kDefaultPriority);
+  // Hosts exempted from the enterprise policy blocklist.
+  // This set intersection is necessary to prevent an enterprise policy from
+  // granting a host permission the extension didn't ask for.
+  URLPatternSet policy_allowed_host_patterns =
+      URLPatternSet::CreateIntersection(
+          extension.permissions_data()->policy_allowed_hosts(),
+          origin_permissions, URLPatternSet::IntersectionBehavior::kDetailed);
+  AddURLPatternSetToList(
+      policy_allowed_host_patterns, &allow_list,
+      network::mojom::CORSOriginAccessMatchPriority::kMediumPriority);
+  return allow_list;
+}
+std::vector<network::mojom::CorsOriginPatternPtr>
+CreateCorsOriginAccessBlockList(const Extension& extension) {
+  std::vector<network::mojom::CorsOriginPatternPtr> block_list;
+  // Hosts blocked by enterprise policy.
+  AddURLPatternSetToList(
+      extension.permissions_data()->policy_blocked_hosts(), &block_list,
+      network::mojom::CORSOriginAccessMatchPriority::kLowPriority);
+  GURL webstore_launch_url = extension_urls::GetWebstoreLaunchURL();
+  block_list.push_back(network::mojom::CorsOriginPattern::New(
+      webstore_launch_url.scheme(), webstore_launch_url.host(), true,
+      network::mojom::CORSOriginAccessMatchPriority::kHighPriority));
+  // TODO(devlin): Should we also block the webstore update URL here? See
+  // https://crbug.com/826946 for a related instance.
+  return block_list;
+}
+}  // namespace extensions
--- a/extensions/common/cors_util.h
+++ b/extensions/common/cors_util.h
+// Copyright 2018 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+#ifndef EXTENSIONS_COMMON_CORS_UTIL_H_
+#define EXTENSIONS_COMMON_CORS_UTIL_H_
+#include <vector>
+#include "services/network/public/mojom/cors_origin_pattern.mojom.h"
+namespace extensions {
+class Extension;
+// Creates a CorsOriginPatternPtr vector that contains allowed origin list
+// for the passed |extension|. Returned vector will be used to register the list
+// to network::NetworkContext and blink::SecurityPolicy.
+std::vector<network::mojom::CorsOriginPatternPtr>
+CreateCorsOriginAccessAllowList(const Extension& extension);
+// Creates a CorsOriginPatternPtr vector that contains blocked origin list
+// for the passed |extension|. Returned vector will be used to register the list
+// to network::NetworkContext and blink::SecurityPolicy.
+std::vector<network::mojom::CorsOriginPatternPtr>
+CreateCorsOriginAccessBlockList(const Extension& extension);
+}  // namespace extensions
+#endif  // EXTENSIONS_COMMON_CORS_UTIL_H_
--- a/extensions/renderer/dispatcher.cc
+++ b/extensions/renderer/dispatcher.cc
@@ -33,6 +33,7 @@
 #include "content/public/renderer/v8_value_converter.h"
 #include "extensions/common/api/messaging/message.h"
 #include "extensions/common/constants.h"
+#include "extensions/common/cors_util.h"
 #include "extensions/common/extension_api.h"
 #include "extensions/common/extension_features.h"
 #include "extensions/common/extension_messages.h"
@@ -1091,9 +1092,9 @@ void Dispatcher::OnUnloaded(const std::string& id) {
  // reloaded with a new messages map.
  EraseL10nMessagesMap(id);
-  // Update the origin access map so that any content scripts injected are no
+  // Update the origin access map so that any content scripts injected no longer
-  // longer allowlisted for extra origins.
+  // have dedicated allow/block lists for extra origins.
-  WebSecurityPolicy::ClearOriginAccessAllowListForOrigin(
+  WebSecurityPolicy::ClearOriginAccessListForOrigin(
      Extension::GetBaseURLFromExtensionId(id));
  // We don't do anything with existing platform-app stylesheets. They will
@@ -1210,74 +1211,27 @@ void Dispatcher::InitOriginPermissions(const Extension* extension) {
 }
 void Dispatcher::UpdateOriginPermissions(const Extension& extension) {
-  static const char* kSchemes[] = {
-    url::kHttpScheme,
-    url::kHttpsScheme,
-    url::kFileScheme,
-    content::kChromeUIScheme,
-    url::kFtpScheme,
-#if defined(OS_CHROMEOS)
-    content::kExternalFileScheme,
-#endif
-    extensions::kExtensionScheme,
-  };
  // Remove all old patterns associated with this extension.
  WebSecurityPolicy::ClearOriginAccessListForOrigin(extension.url());
+  // TODO(toyoshim): Change this delegate call to be available even from the
+  // browser process.
  delegate_->AddOriginAccessPermissions(extension,
                                        IsExtensionActive(extension.id()));
-  URLPatternSet origin_permissions =
+  for (const auto& entry : CreateCorsOriginAccessAllowList(extension)) {
-      extension.permissions_data()->GetEffectiveHostPermissions();
+    WebSecurityPolicy::AddOriginAccessAllowListEntry(
+        extension.url(), WebString::FromUTF8(entry->protocol),
-  // Permissions declared by the extension.
+        WebString::FromUTF8(entry->domain), entry->allow_subdomains,
-  for (const URLPattern& pattern : origin_permissions) {
+        entry->priority);
-    for (const char* scheme : kSchemes) {
-      if (pattern.MatchesScheme(scheme))
-        WebSecurityPolicy::AddOriginAccessAllowListEntry(
-            extension.url(), WebString::FromUTF8(scheme),
-            WebString::FromUTF8(pattern.host()), pattern.match_subdomains(),
-            network::mojom::CORSOriginAccessMatchPriority::kDefaultPriority);
-    }
  }
-  // Hosts blocked by enterprise policy.
+  for (const auto& entry : CreateCorsOriginAccessBlockList(extension)) {
-  for (const URLPattern& pattern :
+    WebSecurityPolicy::AddOriginAccessBlockListEntry(
-       extension.permissions_data()->policy_blocked_hosts()) {
+        extension.url(), WebString::FromUTF8(entry->protocol),
-    for (const char* scheme : kSchemes) {
+        WebString::FromUTF8(entry->domain), entry->allow_subdomains,
-      if (pattern.MatchesScheme(scheme))
+        entry->priority);
-        WebSecurityPolicy::AddOriginAccessBlockListEntry(
-            extension.url(), WebString::FromUTF8(scheme),
-            WebString::FromUTF8(pattern.host()), pattern.match_subdomains(),
-            network::mojom::CORSOriginAccessMatchPriority::kLowPriority);
-    }
  }
-  // Hosts exempted from the enterprise policy blocklist.
-  // This set intersection is necessary to prevent an enterprise policy from
-  // granting a host permission the extension didn't ask for.
-  URLPatternSet overlap = URLPatternSet::CreateIntersection(
-      extension.permissions_data()->policy_allowed_hosts(), origin_permissions,
-      URLPatternSet::IntersectionBehavior::kDetailed);
-  for (const URLPattern& pattern : overlap) {
-    for (const char* scheme : kSchemes) {
-      if (pattern.MatchesScheme(scheme))
-        WebSecurityPolicy::AddOriginAccessAllowListEntry(
-            extension.url(), WebString::FromUTF8(scheme),
-            WebString::FromUTF8(pattern.host()), pattern.match_subdomains(),
-            network::mojom::CORSOriginAccessMatchPriority::kMediumPriority);
-    }
-  };
-  const GURL webstore_launch_url = extension_urls::GetWebstoreLaunchURL();
-  WebSecurityPolicy::AddOriginAccessBlockListEntry(
-      extension.url(), WebString::FromUTF8(webstore_launch_url.scheme()),
-      WebString::FromUTF8(webstore_launch_url.host()), true,
-      network::mojom::CORSOriginAccessMatchPriority::kHighPriority);
-  // TODO(devlin): Should we also block the webstore update URL here? See
-  // https://crbug.com/826946 for a related instance.
 }
 void Dispatcher::EnableCustomElementWhiteList() {

--- a/services/network/cors/cors_url_loader_unittest.cc
+++ b/services/network/cors/cors_url_loader_unittest.cc
@@ -230,8 +230,10 @@ class CORSURLLoaderTest : public testing::Test {
                                  const std::string& domain,
                                  bool allow_subdomains) {
    origin_access_list_.AddAllowListEntryForOrigin(
-        source_origin, protocol, domain, allow_subdomains,
+        source_origin,
-        network::mojom::CORSOriginAccessMatchPriority::kDefaultPriority);
+        network::mojom::CorsOriginPattern::New(
+            protocol, domain, allow_subdomains,
+            network::mojom::CORSOriginAccessMatchPriority::kDefaultPriority));
  }
  static net::RedirectInfo CreateRedirectInfo(

--- a/services/network/public/cpp/cors/origin_access_list.cc
+++ b/services/network/public/cpp/cors/origin_access_list.cc
@@ -14,18 +14,13 @@ OriginAccessList::~OriginAccessList() = default;
 void OriginAccessList::SetAllowListForOrigin(
    const url::Origin& source_origin,
    const std::vector<mojom::CorsOriginPatternPtr>& patterns) {
-  SetForOrigin(source_origin, patterns, &allow_list_,
+  SetForOrigin(source_origin, patterns, &allow_list_);
-               network::mojom::CORSOriginAccessMatchPriority::kDefaultPriority);
 }
 void OriginAccessList::AddAllowListEntryForOrigin(
    const url::Origin& source_origin,
-    const std::string& protocol,
+    const mojom::CorsOriginPatternPtr& pattern) {
-    const std::string& domain,
+  AddForOrigin(source_origin, pattern, &allow_list_);
-    bool allow_subdomains,
-    const network::mojom::CORSOriginAccessMatchPriority priority) {
-  AddForOrigin(source_origin, protocol, domain, allow_subdomains, &allow_list_,
-               priority);
 }
 void OriginAccessList::ClearAllowList() {
@@ -35,18 +30,13 @@ void OriginAccessList::ClearAllowList() {
 void OriginAccessList::SetBlockListForOrigin(
    const url::Origin& source_origin,
    const std::vector<mojom::CorsOriginPatternPtr>& patterns) {
-  SetForOrigin(source_origin, patterns, &block_list_,
+  SetForOrigin(source_origin, patterns, &block_list_);
-               network::mojom::CORSOriginAccessMatchPriority::kDefaultPriority);
 }
 void OriginAccessList::AddBlockListEntryForOrigin(
    const url::Origin& source_origin,
-    const std::string& protocol,
+    const mojom::CorsOriginPatternPtr& pattern) {
-    const std::string& domain,
+  AddForOrigin(source_origin, pattern, &block_list_);
-    bool allow_subdomains,
-    const network::mojom::CORSOriginAccessMatchPriority priority) {
-  AddForOrigin(source_origin, protocol, domain, allow_subdomains, &block_list_,
-               priority);
 }
 void OriginAccessList::ClearBlockList() {
@@ -78,8 +68,7 @@ bool OriginAccessList::IsAllowed(const url::Origin& source_origin,
 void OriginAccessList::SetForOrigin(
    const url::Origin& source_origin,
    const std::vector<mojom::CorsOriginPatternPtr>& patterns,
-    PatternMap* map,
+    PatternMap* map) {
-    const network::mojom::CORSOriginAccessMatchPriority priority) {
  DCHECK(map);
  DCHECK(!source_origin.opaque());
@@ -94,27 +83,23 @@ void OriginAccessList::SetForOrigin(
        pattern->protocol, pattern->domain,
        pattern->allow_subdomains ? OriginAccessEntry::kAllowSubdomains
                                  : OriginAccessEntry::kDisallowSubdomains,
-        priority));
+        pattern->priority));
  }
 }
 // static
-void OriginAccessList::AddForOrigin(
+void OriginAccessList::AddForOrigin(const url::Origin& source_origin,
-    const url::Origin& source_origin,
+                                    const mojom::CorsOriginPatternPtr& pattern,
-    const std::string& protocol,
+                                    PatternMap* map) {
-    const std::string& domain,
-    bool allow_subdomains,
-    PatternMap* map,
-    const network::mojom::CORSOriginAccessMatchPriority priority) {
  DCHECK(map);
  DCHECK(!source_origin.opaque());
  std::string source = source_origin.Serialize();
  (*map)[source].push_back(OriginAccessEntry(
-      protocol, domain,
+      pattern->protocol, pattern->domain,
-      allow_subdomains ? OriginAccessEntry::kAllowSubdomains
+      pattern->allow_subdomains ? OriginAccessEntry::kAllowSubdomains
-                       : OriginAccessEntry::kDisallowSubdomains,
+                                : OriginAccessEntry::kDisallowSubdomains,
-      priority));
+      pattern->priority));
 }
 // static

--- a/services/network/public/cpp/cors/origin_access_list.h
+++ b/services/network/public/cpp/cors/origin_access_list.h
@@ -27,39 +27,29 @@ class COMPONENT_EXPORT(NETWORK_CPP) OriginAccessList {
  ~OriginAccessList();
  // Clears the old allow list for |source_origin|, and set |patterns| to the
-  // allow list.
+  // allow list. When two or more patterns in a list match, the entry with the
+  // higher |priority| takes precedence.
  void SetAllowListForOrigin(
      const url::Origin& source_origin,
      const std::vector<mojom::CorsOriginPatternPtr>& patterns);
-  // Adds a matching pattern for |protocol|, |domain|, and |allow_subdomains|
+  // Adds |pattern| to the allow list for |source_origin|.
-  // to the allow list. When two or more entries in a list match the entry
+  void AddAllowListEntryForOrigin(const url::Origin& source_origin,
-  // with the higher |priority| takes precedence.
+                                  const mojom::CorsOriginPatternPtr& pattern);
-  void AddAllowListEntryForOrigin(
-      const url::Origin& source_origin,
-      const std::string& protocol,
-      const std::string& domain,
-      bool allow_subdomains,
-      const network::mojom::CORSOriginAccessMatchPriority priority);
  // Clears the old allow list.
  void ClearAllowList();
  // Clears the old block list for |source_origin| and set |patterns| to the
-  // block list.
+  // block list. When two or more patterns in a list match, the entry with the
+  // higher |priority| takes precedence.
  void SetBlockListForOrigin(
      const url::Origin& source_origin,
      const std::vector<mojom::CorsOriginPatternPtr>& patterns);
-  // Adds a matching pattern for |protocol|, |domain|, and |allow_subdomains|
+  // Adds |pattern| to the block list for |source_origin|.
-  // to the block list. When two or more entries in a list match the entry
+  void AddBlockListEntryForOrigin(const url::Origin& source_origin,
-  // with the higher |priority| takes precedence.
+                                  const mojom::CorsOriginPatternPtr& pattern);
-  void AddBlockListEntryForOrigin(
-      const url::Origin& source_origin,
-      const std::string& protocol,
-      const std::string& domain,
-      bool allow_subdomains,
-      const network::mojom::CORSOriginAccessMatchPriority priority);
  // Clears the old block list.
  void ClearBlockList();
@@ -76,15 +66,10 @@ class COMPONENT_EXPORT(NETWORK_CPP) OriginAccessList {
  static void SetForOrigin(
      const url::Origin& source_origin,
      const std::vector<mojom::CorsOriginPatternPtr>& patterns,
-      PatternMap* map,
+      PatternMap* map);
-      const network::mojom::CORSOriginAccessMatchPriority priority);
+  static void AddForOrigin(const url::Origin& source_origin,
-  static void AddForOrigin(
+                           const mojom::CorsOriginPatternPtr& pattern,
-      const url::Origin& source_origin,
+                           PatternMap* map);
-      const std::string& protocol,
-      const std::string& domain,
-      bool allow_subdomains,
-      PatternMap* map,
-      const network::mojom::CORSOriginAccessMatchPriority priority);
  static network::mojom::CORSOriginAccessMatchPriority
  GetHighestPriorityOfRuleForOrigin(const std::string& source,
                                    const url::Origin& destination_origin,

--- a/services/network/public/cpp/cors/origin_access_list_unittest.cc
+++ b/services/network/public/cpp/cors/origin_access_list_unittest.cc
@@ -61,8 +61,9 @@ class OriginAccessListTest : public testing::Test {
      const std::string& host,
      bool allow_subdomains,
      const network::mojom::CORSOriginAccessMatchPriority priority) {
-    list_.AddAllowListEntryForOrigin(source_origin_, protocol, host,
+    list_.AddAllowListEntryForOrigin(
-                                     allow_subdomains, priority);
+        source_origin_, network::mojom::CorsOriginPattern::New(
+                            protocol, host, allow_subdomains, priority));
  }
  void SetBlockListEntry(const std::string& protocol,
                         const std::string& host,
@@ -78,8 +79,9 @@ class OriginAccessListTest : public testing::Test {
      const std::string& host,
      bool allow_subdomains,
      const network::mojom::CORSOriginAccessMatchPriority priority) {
-    list_.AddBlockListEntryForOrigin(source_origin_, protocol, host,
+    list_.AddBlockListEntryForOrigin(
-                                     allow_subdomains, priority);
+        source_origin_, network::mojom::CorsOriginPattern::New(
+                            protocol, host, allow_subdomains, priority));
  }
  void ResetLists() {
    std::vector<mojom::CorsOriginPatternPtr> patterns;

--- a/third_party/blink/public/web/web_security_policy.h
+++ b/third_party/blink/public/web/web_security_policy.h
@@ -80,24 +80,15 @@ class WebSecurityPolicy {
      const WebString& destination_host,
      bool allow_destination_subdomains,
      const network::mojom::CORSOriginAccessMatchPriority priority);
-  BLINK_EXPORT static void ClearOriginAccessAllowListForOrigin(
-      const WebURL& source_origin);
-  BLINK_EXPORT static void ClearOriginAccessAllowList();
-  BLINK_EXPORT static void ClearOriginAccessListForOrigin(
-      const WebURL& source_origin);
  BLINK_EXPORT static void AddOriginAccessBlockListEntry(
      const WebURL& source_origin,
      const WebString& destination_protocol,
      const WebString& destination_host,
      bool disallow_destination_subdomains,
      const network::mojom::CORSOriginAccessMatchPriority priority);
+  BLINK_EXPORT static void ClearOriginAccessListForOrigin(
-  BLINK_EXPORT static void AddOriginAccessBlockListEntry(
+      const WebURL& source_origin);
-      const WebURL& source_origin,
+  BLINK_EXPORT static void ClearOriginAccessList();
-      const WebString& destination_protocol,
-      const WebString& destination_host,
-      bool disallow_destination_subdomains);
  // Support for whitelisting origins or hostname patterns to treat them as
  // trustworthy. This method does not do any canonicalization; the caller is

--- a/third_party/blink/renderer/core/exported/web_security_policy.cc
+++ b/third_party/blink/renderer/core/exported/web_security_policy.cc
@@ -77,24 +77,6 @@ void WebSecurityPolicy::AddOriginAccessAllowListEntry(
      destination_host, allow_destination_subdomains, priority);
 }
-void WebSecurityPolicy::ClearOriginAccessAllowListForOrigin(
-    const WebURL& source_origin) {
-  SecurityPolicy::ClearOriginAccessAllowListForOrigin(
-      *SecurityOrigin::Create(source_origin));
-}
-void WebSecurityPolicy::ClearOriginAccessAllowList() {
-  SecurityPolicy::ClearOriginAccessAllowList();
-}
-void WebSecurityPolicy::ClearOriginAccessListForOrigin(
-    const WebURL& source_origin) {
-  scoped_refptr<SecurityOrigin> security_origin =
-      SecurityOrigin::Create(source_origin);
-  SecurityPolicy::ClearOriginAccessAllowListForOrigin(*security_origin);
-  SecurityPolicy::ClearOriginAccessBlockListForOrigin(*security_origin);
-}
 void WebSecurityPolicy::AddOriginAccessBlockListEntry(
    const WebURL& source_origin,
    const WebString& destination_protocol,
@@ -106,6 +88,17 @@ void WebSecurityPolicy::AddOriginAccessBlockListEntry(
      destination_host, allow_destination_subdomains, priority);
 }
+void WebSecurityPolicy::ClearOriginAccessListForOrigin(
+    const WebURL& source_origin) {
+  scoped_refptr<SecurityOrigin> security_origin =
+      SecurityOrigin::Create(source_origin);
+  SecurityPolicy::ClearOriginAccessListForOrigin(*security_origin);
+}
+void WebSecurityPolicy::ClearOriginAccessList() {
+  SecurityPolicy::ClearOriginAccessList();
+}
 void WebSecurityPolicy::AddOriginTrustworthyWhiteList(const WebString& origin) {
  SecurityPolicy::AddOriginTrustworthyWhiteList(origin);
 }

--- a/third_party/blink/renderer/platform/weborigin/security_origin_test.cc
+++ b/third_party/blink/renderer/platform/weborigin/security_origin_test.cc
@@ -48,7 +48,10 @@ namespace blink {
 const uint16_t kMaxAllowedPort = UINT16_MAX;
-class SecurityOriginTest : public testing::Test {};
+class SecurityOriginTest : public testing::Test {
+ private:
+  void TearDown() override { SecurityPolicy::ClearOriginAccessList(); }
+};
 TEST_F(SecurityOriginTest, ValidPortsCreateTupleOrigins) {
  uint16_t ports[] = {0, 80, 443, 5000, kMaxAllowedPort};
@@ -424,8 +427,8 @@ TEST_F(SecurityOriginTest, PunycodeNotUnicode) {
  EXPECT_TRUE(origin->CanRequest(punycode_url));
  EXPECT_FALSE(origin->CanRequest(unicode_url));
-  // Clear enterprise policy allowlist.
+  // Clear enterprise policy allow/block lists.
-  SecurityPolicy::ClearOriginAccessAllowListForOrigin(*origin);
+  SecurityPolicy::ClearOriginAccessListForOrigin(*origin);
  EXPECT_FALSE(origin->CanRequest(punycode_url));
  EXPECT_FALSE(origin->CanRequest(unicode_url));

--- a/third_party/blink/renderer/platform/weborigin/security_policy.cc
+++ b/third_party/blink/renderer/platform/weborigin/security_policy.cc
@@ -243,47 +243,40 @@ void SecurityPolicy::AddOriginAccessAllowListEntry(
    const network::mojom::CORSOriginAccessMatchPriority priority) {
  MutexLocker lock(GetMutex());
  GetOriginAccessList().AddAllowListEntryForOrigin(
-      source_origin.ToUrlOrigin(), WebString(destination_protocol).Utf8(),
+      source_origin.ToUrlOrigin(), network::mojom::CorsOriginPattern::New(
-      WebString(destination_domain).Utf8(), allow_destination_subdomains,
+                                       WebString(destination_protocol).Utf8(),
-      priority);
+                                       WebString(destination_domain).Utf8(),
+                                       allow_destination_subdomains, priority));
 }
-void SecurityPolicy::ClearOriginAccessAllowListForOrigin(
+void SecurityPolicy::AddOriginAccessBlockListEntry(
-    const SecurityOrigin& source_origin) {
+    const SecurityOrigin& source_origin,
+    const String& destination_protocol,
+    const String& destination_domain,
+    bool allow_destination_subdomains,
+    const network::mojom::CORSOriginAccessMatchPriority priority) {
  MutexLocker lock(GetMutex());
-  GetOriginAccessList().SetAllowListForOrigin(
+  GetOriginAccessList().AddBlockListEntryForOrigin(
-      source_origin.ToUrlOrigin(),
+      source_origin.ToUrlOrigin(), network::mojom::CorsOriginPattern::New(
-      std::vector<network::mojom::CorsOriginPatternPtr>());
+                                       WebString(destination_protocol).Utf8(),
+                                       WebString(destination_domain).Utf8(),
+                                       allow_destination_subdomains, priority));
 }
-void SecurityPolicy::ClearOriginAccessBlockListForOrigin(
+void SecurityPolicy::ClearOriginAccessListForOrigin(
    const SecurityOrigin& source_origin) {
  MutexLocker lock(GetMutex());
+  GetOriginAccessList().SetAllowListForOrigin(
+      source_origin.ToUrlOrigin(),
+      std::vector<network::mojom::CorsOriginPatternPtr>());
  GetOriginAccessList().SetBlockListForOrigin(
      source_origin.ToUrlOrigin(),
      std::vector<network::mojom::CorsOriginPatternPtr>());
 }
-void SecurityPolicy::ClearOriginAccessAllowList() {
+void SecurityPolicy::ClearOriginAccessList() {
  MutexLocker lock(GetMutex());
  GetOriginAccessList().ClearAllowList();
-}
-void SecurityPolicy::AddOriginAccessBlockListEntry(
-    const SecurityOrigin& source_origin,
-    const String& destination_protocol,
-    const String& destination_domain,
-    bool allow_destination_subdomains,
-    const network::mojom::CORSOriginAccessMatchPriority priority) {
-  MutexLocker lock(GetMutex());
-  GetOriginAccessList().AddBlockListEntryForOrigin(
-      source_origin.ToUrlOrigin(), WebString(destination_protocol).Utf8(),
-      WebString(destination_domain).Utf8(), allow_destination_subdomains,
-      priority);
-}
-void SecurityPolicy::ClearOriginAccessBlockList() {
-  MutexLocker lock(GetMutex());
  GetOriginAccessList().ClearBlockList();
 }

--- a/third_party/blink/renderer/platform/weborigin/security_policy.h
+++ b/third_party/blink/renderer/platform/weborigin/security_policy.h
@@ -72,19 +72,15 @@ class PLATFORM_EXPORT SecurityPolicy {
      const String& destination_domain,
      bool allow_destination_subdomains,
      const network::mojom::CORSOriginAccessMatchPriority priority);
-  static void ClearOriginAccessAllowListForOrigin(
-      const SecurityOrigin& source_origin);
-  static void ClearOriginAccessBlockListForOrigin(
-      const SecurityOrigin& source_origin);
-  static void ClearOriginAccessAllowList();
  static void AddOriginAccessBlockListEntry(
      const SecurityOrigin& source_origin,
      const String& destination_protocol,
      const String& destination_domain,
      bool allow_destination_subdomains,
      const network::mojom::CORSOriginAccessMatchPriority priority);
-  static void ClearOriginAccessBlockList();
+  static void ClearOriginAccessListForOrigin(
+      const SecurityOrigin& source_origin);
+  static void ClearOriginAccessList();
  static bool IsOriginAccessAllowed(const SecurityOrigin* active_origin,
                                    const SecurityOrigin* target_origin);

--- a/third_party/blink/renderer/platform/weborigin/security_policy_test.cc
+++ b/third_party/blink/renderer/platform/weborigin/security_policy_test.cc
@@ -306,10 +306,7 @@ class SecurityPolicyAccessTest : public testing::Test {
        SecurityOrigin::CreateFromString("https://google.com");
  }
-  void TearDown() override {
+  void TearDown() override { SecurityPolicy::ClearOriginAccessList(); }
-    SecurityPolicy::ClearOriginAccessAllowList();
-    SecurityPolicy::ClearOriginAccessBlockList();
-  }
  const SecurityOrigin* https_example_origin() const {
    return https_example_origin_.get();
@@ -361,7 +358,7 @@ TEST_F(SecurityPolicyAccessTest, IsOriginAccessAllowed) {
                                                     http_example_origin()));
  // Clearing the map should revoke all special access.
-  SecurityPolicy::ClearOriginAccessAllowList();
+  SecurityPolicy::ClearOriginAccessList();
  EXPECT_FALSE(SecurityPolicy::IsOriginAccessAllowed(https_chromium_origin(),
                                                     https_example_origin()));
  EXPECT_FALSE(SecurityPolicy::IsOriginAccessAllowed(
@@ -425,7 +422,7 @@ TEST_F(SecurityPolicyAccessTest,
                                                     https_google_origin()));
 }
-TEST_F(SecurityPolicyAccessTest, ClearOriginAccessAllowListForOrigin) {
+TEST_F(SecurityPolicyAccessTest, ClearOriginAccessListForOrigin) {
  SecurityPolicy::AddOriginAccessAllowListEntry(
      *https_chromium_origin(), "https", "example.com", true,
      network::mojom::CORSOriginAccessMatchPriority::kDefaultPriority);
@@ -436,7 +433,7 @@ TEST_F(SecurityPolicyAccessTest, ClearOriginAccessAllowListForOrigin) {
      *https_example_origin(), "https", "google.com", true,
      network::mojom::CORSOriginAccessMatchPriority::kDefaultPriority);
-  SecurityPolicy::ClearOriginAccessAllowListForOrigin(*https_chromium_origin());
+  SecurityPolicy::ClearOriginAccessListForOrigin(*https_chromium_origin());
  EXPECT_FALSE(SecurityPolicy::IsOriginAccessAllowed(https_chromium_origin(),
                                                     https_example_origin()));