CanAccessDataForOrigin: allow blob/data locks for precursor origins.

This CL explicitly allows blob:null/... and data:... lock URLs when
using CanAccessDataForOrigin to validate precursor of an opaque origin.
This CL has been extracted from a slightly bigger refactoring at
https://crrev.com/c/2007983/11.  This CL helps avoid renderer kills
reported in https://crbug.com/1041880

Bug: 1041880, 1029092
Change-Id: I923512c8fc03491b4f95547240b3b7f8a88f7104
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2020327
Auto-Submit: Łukasz Anforowicz <lukasza@chromium.org>
Reviewed-by: Charlie Reis <creis@chromium.org>
Commit-Queue: Łukasz Anforowicz <lukasza@chromium.org>
Cr-Commit-Position: refs/heads/master@{#735103}

content/browser/child_process_security_policy_impl.cc

@@ -1425,7 +1425,8 @@ bool ChildProcessSecurityPolicyImpl::CanAccessDataForOrigin(
   } else {
     url_to_check = origin.GetURL();
   }
-  bool success = CanAccessDataForOrigin(child_id, url_to_check);
+  bool success =
+      CanAccessDataForOrigin(child_id, url_to_check, origin.opaque());
   if (success)
     return true;
 
@@ -1440,6 +1441,14 @@ bool ChildProcessSecurityPolicyImpl::CanAccessDataForOrigin(
 
 bool ChildProcessSecurityPolicyImpl::CanAccessDataForOrigin(int child_id,
                                                             const GURL& url) {
+  constexpr bool kUrlIsPrecursorOfOpaqueOrigin = false;
+  return CanAccessDataForOrigin(child_id, url, kUrlIsPrecursorOfOpaqueOrigin);
+}
+
+bool ChildProcessSecurityPolicyImpl::CanAccessDataForOrigin(
+    int child_id,
+    const GURL& url,
+    bool url_is_precursor_of_opaque_origin) {
   DCHECK(IsRunningOnExpectedThread());
   base::AutoLock lock(lock_);
 
@@ -1468,6 +1477,21 @@ bool ChildProcessSecurityPolicyImpl::CanAccessDataForOrigin(int child_id,
       // from origins that require exactly the same lock.
       if (actual_process_lock == expected_process_lock)
         return true;
+
+      // TODO(acolwell, nasko): https://crbug.com/1029092: Ensure the precursor
+      // of opaque origins matches the renderer's origin lock.
+      if (url_is_precursor_of_opaque_origin) {
+        // SitePerProcessBrowserTest.TwoBlobURLsWithNullOriginDontShareProcess.
+        if (actual_process_lock.SchemeIsBlob() &&
+            actual_process_lock.path_piece().starts_with("null/")) {
+          return true;
+        }
+
+        // DeclarativeApiTest.PersistRules.
+        if (actual_process_lock.SchemeIs(url::kDataScheme))
+          return true;
+      }
+
       failure_reason = "lock_mismatch";
     } else {
       // Citadel-style enforcement - an unlocked process should not be able to

content/browser/child_process_security_policy_impl.h

@@ -178,6 +178,11 @@ class CONTENT_EXPORT ChildProcessSecurityPolicyImpl
   // Identical to the above method, but takes url::Origin as input.
   bool CanAccessDataForOrigin(int child_id, const url::Origin& origin);
 
+  // Shared helper for GURL and url::Origin processing.
+  bool CanAccessDataForOrigin(int child_id,
+                              const GURL& url,
+                              bool url_is_precursor_of_opaque_origin);
+
   // Determines if the combination of |origin| & |url| is safe to commit to
   // the process associated with |child_id|.
   //