Use process lock as request_initiator_site_lock for process-wide factory

The factory requested by the renderer via
RendererBlinkPlatformImpl::CreateNetworkURLLoaderFactory cannot be
associated with a specific origin, but it can still be locked down to
the site URL used that the process might have been locked to.
This lessens the impact of https://crbug.com/891872 - before this CL
a compromised renderer could abuse the process-wide factory to start
requests with an arbitrary request_initiator.  After this CL,
request_initiator_site_lock will lock down |request_initiator| to a
particular site.

Bug: 914130
Change-Id: Ibca31d349e3c090755679a30c87ab85469ad30a4
Reviewed-on: https://chromium-review.googlesource.com/c/1374053
Commit-Queue: Łukasz Anforowicz <lukasza@chromium.org>
Reviewed-by: Nasko Oskov <nasko@chromium.org>
Cr-Commit-Position: refs/heads/master@{#619426}

content/browser/renderer_host/render_process_host_impl.cc

@@ -2269,15 +2269,12 @@ void RenderProcessHostImpl::RegisterMojoInterfaces() {
   associated_registry->AddInterface(base::Bind(
       &RenderProcessHostImpl::CreateRendererHost, base::Unretained(this)));
 
-  // TODO(lukasza): https://crbug.com/891872: Stop vending out non-origin-bound
-  // URLLoaderFactories to the renderer process.
   if (base::FeatureList::IsEnabled(network::features::kNetworkService)) {
-    const base::Optional<url::Origin> kNoOrigin = base::nullopt;
     AddUIThreadInterface(
         registry.get(),
-        base::BindRepeating(&RenderProcessHostImpl::CreateURLLoaderFactory,
-                            base::Unretained(this), kNoOrigin,
-                            nullptr /* header_client */));
+        base::BindRepeating(
+            &RenderProcessHostImpl::CreateURLLoaderFactoryForRendererProcess,
+            base::Unretained(this)));
   }
 
   registry->AddInterface(
@@ -2536,10 +2533,28 @@ RenderProcessHostImpl::GetProcessResourceCoordinator() {
   return &process_resource_coordinator_;
 }
 
+void RenderProcessHostImpl::CreateURLLoaderFactoryForRendererProcess(
+    network::mojom::URLLoaderFactoryRequest request) {
+  DCHECK_CURRENTLY_ON(BrowserThread::UI);
+
+  base::Optional<url::Origin> request_initiator_site_lock;
+  GURL process_lock =
+      ChildProcessSecurityPolicyImpl::GetInstance()->GetOriginLock(GetID());
+  if (process_lock.is_valid()) {
+    request_initiator_site_lock = SiteInstanceImpl::GetRequestInitiatorSiteLock(
+        GetBrowserContext(), process_lock);
+  }
+
+  CreateURLLoaderFactory(request_initiator_site_lock,
+                         nullptr /* header_client */, std::move(request));
+}
+
 void RenderProcessHostImpl::CreateURLLoaderFactory(
     const base::Optional<url::Origin>& origin,
     network::mojom::TrustedURLLoaderHeaderClientPtrInfo header_client,
     network::mojom::URLLoaderFactoryRequest request) {
+  DCHECK_CURRENTLY_ON(BrowserThread::UI);
+
   // "chrome-guest://..." is never used as a |request_initiator|.  Therefore
   // it doesn't make sense to associate a URLLoaderFactory with a
   // chrome-guest-based |origin|.

content/browser/renderer_host/render_process_host_impl.h

@@ -661,6 +661,15 @@ class CONTENT_EXPORT RenderProcessHostImpl
   // execute.
   void CancelProcessShutdownDelayForUnload();
 
+  // Creates a URLLoaderFactory that can be used by the renderer process,
+  // without binding it to a specific frame or an origin.
+  //
+  // TODO(kinuko, lukasza): https://crbug.com/891872: Remove, once all
+  // URLLoaderFactories are associated with a specific origin and an execution
+  // context (e.g. a frame, a service worker or any other kind of worker).
+  void CreateURLLoaderFactoryForRendererProcess(
+      network::mojom::URLLoaderFactoryRequest request);
+
   mojo::OutgoingInvitation mojo_invitation_;
 
   std::unique_ptr<ChildConnection> child_connection_;