Remove LinkDoctorBaseURL special case for cross origin read blocking.

This special case would have been hard to port to the network service.
It's easier to just force the net_error_helper to issue a CORS-enabled
request, which https://www.googleapis.com/rpc readily understands.

A browsertest is added to explicitly test that CORB is applied to
subresources loaded by error pages. Currently this test fails; we'll
fix that in a separate CL.

Manual testing: in an official/branded Chrome build, navigate to
"http://blog.thestranger.com" and on the resulting DNS error page,
observe a suggested correction link (of "http://thestranger.com/blog").
Repeat these steps with a chrome://net-internals trace running, and
observe a request to "https://www.googleapis.com/rpc" that has the
"Origin: null" request header, and which includes an
"Access-Control-Allow-Origin: *" header in the response.

BUG=814913,792546

Cq-Include-Trybots: master.tryserver.chromium.linux:linux_mojo
Change-Id: Ib7434bd52a27909dd67c5e9a867db1dab7090d59
Reviewed-on: https://chromium-review.googlesource.com/927561Reviewed-by: Matt Menke <mmenke@chromium.org>
Reviewed-by: Łukasz Anforowicz <lukasza@chromium.org>
Commit-Queue: Nick Carter <nick@chromium.org>
Cr-Commit-Position: refs/heads/master@{#539309}

chrome/browser/chrome_content_browser_client.cc

@@ -1256,14 +1256,6 @@ bool ChromeContentBrowserClient::ShouldBypassDocumentBlocking(
   }
 #endif
 
-  // LinkDoctor requests are made with no initiator.  Allow them through for
-  // SUB_RESOURCE requests when the initiator is unique (which matches the use
-  // of LinkDoctor in error pages), since the site is not critical to protect.
-  if (resource_type == content::RESOURCE_TYPE_SUB_RESOURCE &&
-      initiator.unique() && url == google_util::LinkDoctorBaseURL()) {
-    return true;
-  }
-
   return false;
 }
 

chrome/renderer/net/net_error_helper.cc

@@ -376,6 +376,9 @@ void NetErrorHelper::FetchNavigationCorrections(
   correction_fetcher_->SetBody(navigation_correction_request_body);
   correction_fetcher_->SetHeader("Content-Type", "application/json");
 
+  // Prevent CORB from triggering on this request by setting an Origin header.
+  correction_fetcher_->SetHeader("Origin", "null");
+
   correction_fetcher_->Start(
       render_frame()->GetWebFrame(),
       blink::WebURLRequest::kRequestContextInternal,

chrome/test/data/mock-link-doctor.json.mock-http-headers

 HTTP/1.0 200 OK
 Content-type: text/html
+Access-Control-Allow-Origin: *

content/browser/loader/cross_site_document_blocking_browsertest.cc

@@ -12,6 +12,7 @@
 #include "base/test/histogram_tester.h"
 #include "base/test/scoped_feature_list.h"
 #include "build/build_config.h"
+#include "content/public/browser/navigation_entry.h"
 #include "content/public/browser/web_contents.h"
 #include "content/public/common/content_features.h"
 #include "content/public/common/content_switches.h"
@@ -19,6 +20,7 @@
 #include "content/public/test/browser_test_utils.h"
 #include "content/public/test/content_browser_test.h"
 #include "content/public/test/content_browser_test_utils.h"
+#include "content/public/test/test_navigation_observer.h"
 #include "content/public/test/test_utils.h"
 #include "content/shell/browser/shell.h"
 #include "net/test/embedded_test_server/embedded_test_server.h"
@@ -355,6 +357,39 @@ IN_PROC_BROWSER_TEST_F(CrossSiteDocumentBlockingTest, BlockForVariousTargets) {
   // process is still alive.
 }
 
+// Checks to see that CORB blocking applies to processes hosting error pages.
+// Regression test for https://crbug.com/814913.
+IN_PROC_BROWSER_TEST_F(CrossSiteDocumentBlockingTest,
+                       BlockRequestFromErrorPage) {
+  GURL error_url = embedded_test_server()->GetURL("bar.com", "/close-socket");
+  GURL subresource_url =
+      embedded_test_server()->GetURL("foo.com", "/site_isolation/json.js");
+
+  // Load |error_url| and expect a network error page.
+  TestNavigationObserver observer(shell()->web_contents());
+  EXPECT_FALSE(NavigateToURL(shell(), error_url));
+  EXPECT_EQ(error_url, observer.last_navigation_url());
+  NavigationEntry* entry =
+      shell()->web_contents()->GetController().GetLastCommittedEntry();
+  EXPECT_EQ(PAGE_TYPE_ERROR, entry->GetPageType());
+
+  // Add a <script> tag whose src is a CORB-protected resource. Expect no
+  // window.onerror to result, because no syntax error is generated by the empty
+  // response.
+  std::string script = R"((subresource_url => {
+    window.onerror = () => domAutomationController.send("CORB BYPASSED");
+    var script = document.createElement('script');
+    script.src = subresource_url;
+    script.onload = () => domAutomationController.send("CORB WORKED");
+    document.body.appendChild(script);
+    }))";
+  std::string result;
+  ASSERT_TRUE(ExecuteScriptAndExtractString(
+      shell(), script + "('" + subresource_url.spec() + "')", &result));
+
+  EXPECT_EQ("CORB WORKED", result);
+}
+
 // This test class sets up a service worker that can be used to try to respond
 // to same-origin requests with cross-origin responses.
 class CrossSiteDocumentBlockingServiceWorkerTest : public ContentBrowserTest {

testing/buildbot/filters/mojo.fyi.network_content_browsertests.filter

@@ -112,11 +112,13 @@
 -ResourceDispatcherHostBrowserTest.SniffHTMLWithNoContentType
 -ResourceDispatcherHostBrowserTest.SniffNoContentTypeNoData
 
-# Cross-site document blocking needs to be implemented in the network service.
+# Cross-origin read blocking (CORB) needs to be implemented in the network
+# service.
 # https://crbug.com/786505 (cross site document blocking)
 # https://crbug.com/792546 (cross site document blocking in network service)
 -SiteIsolationStatsGathererBrowserTest.CrossSiteDocumentBlockingForMimeType
 -CrossSiteDocumentBlockingTest.BlockDocuments
+-CrossSiteDocumentBlockingTest.BlockRequestFromErrorPage
 -CrossSiteDocumentBlockingIsolatedOriginTest.BlockDocumentsFromIsolatedOrigin
 -CrossSiteDocumentBlockingTest.RangeRequest
 -CrossSiteDocumentBlockingServiceWorkerTest.NoNetwork