Block top-level navigations to nested URLs with extension origins from non-extension processes.

Before this CL, it was possible for a web iframe with an unblessed
extension frame to exploit the renderer, create a blob: or filesystem:
URL in the extension frame context, then create a new top-level window
and navigate it to that URL, which could end up putting the new window
into a privileged extension process running attacker's code.

BUG=645028

Review-Url: https://codereview.chromium.org/2345473003
Cr-Commit-Position: refs/heads/master@{#419019}

chrome/browser/net/chrome_extensions_network_delegate.cc

@@ -20,6 +20,7 @@
 #include "extensions/browser/api/web_request/web_request_api.h"
 #include "extensions/browser/info_map.h"
 #include "extensions/browser/process_manager.h"
+#include "extensions/common/constants.h"
 #include "net/url_request/url_request.h"
 
 using content::BrowserThread;
@@ -159,6 +160,21 @@ int ChromeExtensionsNetworkDelegateImpl::OnBeforeURLRequest(
     net::URLRequest* request,
     const net::CompletionCallback& callback,
     GURL* new_url) {
+  const content::ResourceRequestInfo* info =
+      content::ResourceRequestInfo::ForRequest(request);
+  GURL url(request->url());
+
+  // Block top-level navigations to blob: or filesystem: URLs with extension
+  // origin from non-extension processes.  See https://crbug.com/645028.
+  bool is_nested_url = url.SchemeIsFileSystem() || url.SchemeIsBlob();
+  bool is_navigation =
+      info && content::IsResourceTypeFrame(info->GetResourceType());
+  if (is_nested_url && is_navigation && info->IsMainFrame() &&
+      url::Origin(url).scheme() == extensions::kExtensionScheme &&
+      !extension_info_map_->process_map().Contains(info->GetChildID())) {
+    return net::ERR_ABORTED;
+  }
+
   return ExtensionWebRequestEventRouter::GetInstance()->OnBeforeRequest(
       profile_, extension_info_map_.get(), request, callback, new_url);
 }