DNR: Handle opaque origin correctly while checking access to initiator.

Declarative Net Request API requires extensions to have access to both the
request url and initiator to block/redirect a request. Currently any requests
with an opaque origin as the initiator can't be intercepted by extensions.
Correct this.

BUG=889713

Change-Id: Ie86bf745da652d6f076e9d3076e06ec0c202f4d1
Reviewed-on: https://chromium-review.googlesource.com/1248541
Commit-Queue: Karan Bhatia <karandeepb@chromium.org>
Reviewed-by: Istiaque Ahmed <lazyboy@chromium.org>
Cr-Commit-Position: refs/heads/master@{#594933}

chrome/browser/extensions/api/declarative_net_request/ruleset_manager_unittest.cc

@@ -519,6 +519,68 @@ TEST_P(RulesetManagerTest, PageAllowingAPI) {
   }
 }
 
+TEST_P(RulesetManagerTest, HostPermissionForInitiator) {
+  RulesetManager* manager = info_map()->GetRulesetManager();
+  ASSERT_TRUE(manager);
+
+  // Add an extension which blocks all sub-resource and sub-frame requests to
+  // example.com. By default, the "main_frame" type is excluded if no
+  // "resource_types" are specified.
+  {
+    std::unique_ptr<RulesetMatcher> matcher;
+
+    TestRule rule = CreateGenericRule();
+    rule.id = kMinValidID;
+    rule.condition->url_filter = std::string("example.com");
+
+    std::vector<std::string> host_permissions = {"*://yahoo.com/*",
+                                                 "*://example.com/*"};
+
+    ASSERT_NO_FATAL_FAILURE(CreateMatcherForRules(
+        {rule}, "test extension", &matcher, host_permissions,
+        false /* has_background_script */));
+
+    manager->AddRuleset(last_loaded_extension()->id(), std::move(matcher),
+                        URLPatternSet());
+  }
+
+  struct {
+    std::string url;
+    base::Optional<url::Origin> initiator;
+    bool expect_blocked;
+  } cases[] = {
+      // empty initiator. Has access.
+      {"https://example.com", base::nullopt, true},
+      // Opaque origin as initiator. Has access.
+      {"https://example.com", url::Origin(), true},
+      // yahoo.com as initiator. Has access.
+      {"https://example.com", url::Origin::Create(GURL("http://yahoo.com")),
+       true},
+      // No matching rule.
+      {"https://yahoo.com", url::Origin::Create(GURL("http://example.com")),
+       false},
+      // Doesn't have access to initiator.
+      {"https://example.com", url::Origin::Create(GURL("http://google.com")),
+       false},
+  };
+
+  for (const auto& test : cases) {
+    SCOPED_TRACE(base::StringPrintf(
+        "Url-%s initiator-%s", test.url.c_str(),
+        test.initiator ? test.initiator->Serialize().c_str() : "empty"));
+
+    WebRequestInfo request = GetRequestForURL(test.url);
+    request.initiator = test.initiator;
+    GURL redirect_url;
+
+    RulesetManager::Action action = manager->EvaluateRequest(
+        request, false /* is_incognito_context */, &redirect_url);
+    EXPECT_EQ(test.expect_blocked ? RulesetManager::Action::BLOCK
+                                  : RulesetManager::Action::NONE,
+              action);
+  }
+}
+
 INSTANTIATE_TEST_CASE_P(,
                         RulesetManagerTest,
                         ::testing::Values(ExtensionLoadType::PACKED,

extensions/browser/api/web_request/web_request_permissions.cc

@@ -156,7 +156,7 @@ PermissionsData::PageAccess CanExtensionAccessURLInternal(
       PermissionsData::PageAccess request_access =
           GetHostAccessForURL(*extension, url, tab_id);
       PermissionsData::PageAccess initiator_access =
-          initiator
+          initiator && !initiator->unique()
               ? GetHostAccessForURL(*extension, initiator->GetURL(), tab_id)
               : PermissionsData::PageAccess::kAllowed;
       access = GetMinimumAccessType(request_access, initiator_access);