Check for empty hosts in GetMatchingIsolatedOrigin trailing dot logic.

Bug: 882686
Change-Id: I2298e9d4a750a50334ae8047bc9f2ee95a750434
Reviewed-on: https://chromium-review.googlesource.com/1218523
Commit-Queue: Alex Moshchuk <alexmos@chromium.org>
Reviewed-by: Łukasz Anforowicz <lukasza@chromium.org>
Reviewed-by: Charlie Reis <creis@chromium.org>
Cr-Commit-Position: refs/heads/master@{#590407}

content/browser/child_process_security_policy_impl.cc

@@ -1278,10 +1278,11 @@ bool ChildProcessSecurityPolicyImpl::GetMatchingIsolatedOrigin(
   // without it.  A trailing dot shouldn't be able to bypass isolated origins:
   // if "https://foo.com" is an isolated origin, "https://foo.com." should
   // match it.
-  if (it == isolated_origins_.end() && site_url.host().back() == '.') {
+  if (it == isolated_origins_.end() && site_url.has_host() &&
+      site_url.host_piece().back() == '.') {
     GURL::Replacements replacements;
-    std::string host = site_url.host();
-    host.pop_back();
+    base::StringPiece host(site_url.host_piece());
+    host.remove_suffix(1);
     replacements.SetHostStr(host);
     it = isolated_origins_.find(site_url.ReplaceComponents(replacements));
   }

content/browser/child_process_security_policy_unittest.cc

@@ -1175,4 +1175,13 @@ TEST_F(ChildProcessSecurityPolicyTest, AddIsolatedOrigins) {
   }
 }
 
+// Check that an unsuccessful isolated origin lookup for a URL with an empty
+// host doesn't crash. See https://crbug.com/882686.
+TEST_F(ChildProcessSecurityPolicyTest, IsIsolatedOriginWithEmptyHost) {
+  ChildProcessSecurityPolicyImpl* p =
+      ChildProcessSecurityPolicyImpl::GetInstance();
+  EXPECT_FALSE(p->IsIsolatedOrigin(url::Origin::Create(GURL())));
+  EXPECT_FALSE(p->IsIsolatedOrigin(url::Origin::Create(GURL("file:///foo"))));
+}
+
 }  // namespace content