Treat multiply-wrapped URLs as opaque

Bug: 906357
Change-Id: I1fab7e52c71a7358a5f22e2fc99cda064b29918d
Reviewed-on: https://chromium-review.googlesource.com/c/1348257Reviewed-by: Mike West <mkwst@chromium.org>
Commit-Queue: Ian Clelland <iclelland@chromium.org>
Cr-Commit-Position: refs/heads/master@{#610960}

third_party/blink/renderer/platform/weborigin/security_origin.cc

@@ -98,12 +98,14 @@ static bool ShouldTreatAsOpaqueOrigin(const KURL& url) {
   if (!url.IsValid())
     return true;
 
-  // FIXME: Do we need to unwrap the URL further?
   KURL relevant_url;
   if (SecurityOrigin::ShouldUseInnerURL(url)) {
     relevant_url = SecurityOrigin::ExtractInnerURL(url);
     if (!relevant_url.IsValid())
       return true;
+    // If the inner URL is also wrapped, the URL is invalid, so treat as opqaue.
+    if (SecurityOrigin::ShouldUseInnerURL(relevant_url))
+      return true;
   } else {
     relevant_url = url;
   }

third_party/blink/renderer/platform/weborigin/security_origin_test.cc

@@ -697,6 +697,25 @@ TEST_F(SecurityOriginTest, UrlOriginConversions) {
   }
 }
 
+TEST_F(SecurityOriginTest, InvalidWrappedUrls) {
+  const char* kTestCases[] = {
+      "blob:filesystem:ws:b/.",
+      "blob:filesystem:ftp://a/b",
+      "filesystem:filesystem:http://example.org:88/foo/bar",
+      "blob:blob:file://localhost/foo/bar",
+  };
+
+  for (const char* test_url : kTestCases) {
+    scoped_refptr<SecurityOrigin> target_origin =
+        SecurityOrigin::CreateFromString(test_url);
+    EXPECT_TRUE(target_origin->IsOpaque())
+        << test_url << " is not opaque as a blink::SecurityOrigin";
+    url::Origin origin = target_origin->ToUrlOrigin();
+    EXPECT_TRUE(origin.opaque())
+        << test_url << " is not opaque as a url::Origin";
+  }
+}
+
 TEST_F(SecurityOriginTest, EffectiveDomain) {
   constexpr struct {
     const char* expected_effective_domain;