OOR-CORS: Use CorsOriginAccessMatchMode in CorsOriginPattern

This patch makes mojom::CorsOriginPattern use CorsORiginAccessMatchMode and allows network::cors::OriginAccessList to create equivalent mojom::CorsOriginAccessPatterns array. Also this patch enforces not to rely on cors_origin_patterns.mojom.h indirectly from Blink platform. Bug: 908324, 908756 Change-Id: If059a460b424025376b2e4d4433ba6ec17523357 Reviewed-on: https://chromium-review.googlesource.com/c/1350689 Commit-Queue: Takashi Toyoshima <toyoshim@chromium.org> Reviewed-by: Kinuko Yasuda <kinuko@chromium.org> Reviewed-by: Yutaka Hirano <yhirano@chromium.org> Reviewed-by: Devlin <rdevlin.cronin@chromium.org> Cr-Commit-Position: refs/heads/master@{#611603}

OOR-CORS: Use CorsOriginAccessMatchMode in CorsOriginPattern
This patch makes mojom::CorsOriginPattern use CorsORiginAccessMatchMode and allows network::cors::OriginAccessList to create equivalent mojom::CorsOriginAccessPatterns array. Also this patch enforces not to rely on cors_origin_patterns.mojom.h indirectly from Blink platform. Bug: 908324, 908756 Change-Id: If059a460b424025376b2e4d4433ba6ec17523357 Reviewed-on: https://chromium-review.googlesource.com/c/1350689 Commit-Queue: Takashi Toyoshima <toyoshim@chromium.org> Reviewed-by: Kinuko Yasuda <kinuko@chromium.org> Reviewed-by: Yutaka Hirano <yhirano@chromium.org> Reviewed-by: Devlin <rdevlin.cronin@chromium.org> Cr-Commit-Position: refs/heads/master@{#611603}
7f105984 · Takashi Toyoshima · Commit Bot · 964cc812 · 7f105984 · 7f105984
Commit 7f105984 authored Nov 28, 2018 by Takashi Toyoshima Committed by Commit Bot Nov 28, 2018
13 changed files
--- a/chrome/common/extensions/chrome_extensions_client.cc
+++ b/chrome/common/extensions/chrome_extensions_client.cc
@@ -285,7 +285,7 @@ void ChromeExtensionsClient::AddOriginAccessPermissions(
      is_extension_active) {
    origin_patterns->push_back(network::mojom::CorsOriginPattern::New(
        content::kChromeUIScheme, chrome::kChromeUIThemeHost,
-        false /*allow_destination_subdomains*/,
+        network::mojom::CorsOriginAccessMatchMode::kDisallowSubdomains,
        network::mojom::CorsOriginAccessMatchPriority::kMaxPriority));
  }

@@ -296,7 +296,7 @@ void ChromeExtensionsClient::AddOriginAccessPermissions(
                                 extensions::APIPermission::kManagement)) {
    origin_patterns->push_back(network::mojom::CorsOriginPattern::New(
        content::kChromeUIScheme, chrome::kChromeUIExtensionIconHost,
-        false /*allow_destination_subdomains*/,
+        network::mojom::CorsOriginAccessMatchMode::kDisallowSubdomains,
        network::mojom::CorsOriginAccessMatchPriority::kDefaultPriority));
  }
 }

--- a/content/browser/loader/cors_origin_access_list_browsertest.cc
+++ b/content/browser/loader/cors_origin_access_list_browsertest.cc
@@ -32,6 +32,11 @@ namespace content {

 namespace {

+const auto kAllowSubdomains =
+    network::mojom::CorsOriginAccessMatchMode::kAllowSubdomains;
+const auto kDisallowSubdomains =
+    network::mojom::CorsOriginAccessMatchMode::kDisallowSubdomains;
+
 const char kTestPath[] = "/loader/cors_origin_access_list_test.html";

 const char kTestHost[] = "crossorigin.example.com";
@@ -101,10 +106,10 @@ class CorsOriginAccessListBrowserTest

  void SetAllowList(const std::string& scheme,
                    const std::string& host,
-                    bool allow_subdomains) {
+                    network::mojom::CorsOriginAccessMatchMode mode) {
    std::vector<network::mojom::CorsOriginPatternPtr> list1;
    list1.push_back(network::mojom::CorsOriginPattern::New(
-        scheme, host, allow_subdomains,
+        scheme, host, mode,
        network::mojom::CorsOriginAccessMatchPriority::kDefaultPriority));
    bool first_list_done = false;
    BrowserContext::SetCorsOriginAccessListsForOrigin(
@@ -116,7 +121,7 @@ class CorsOriginAccessListBrowserTest

    std::vector<network::mojom::CorsOriginPatternPtr> list2;
    list2.push_back(network::mojom::CorsOriginPattern::New(
-        scheme, host, allow_subdomains,
+        scheme, host, mode,
        network::mojom::CorsOriginAccessMatchPriority::kDefaultPriority));
    bool second_list_done = false;
    BrowserContext::SetCorsOriginAccessListsForOrigin(
@@ -162,7 +167,7 @@ class CorsOriginAccessListBrowserTest

 // Tests if specifying only protocol allows all hosts to pass.
 IN_PROC_BROWSER_TEST_P(CorsOriginAccessListBrowserTest, AllowAll) {
-  SetAllowList("http", "", true);
+  SetAllowList("http", "", kAllowSubdomains);

  std::unique_ptr<TitleWatcher> watcher = CreateWatcher();
  EXPECT_TRUE(
@@ -173,7 +178,7 @@ IN_PROC_BROWSER_TEST_P(CorsOriginAccessListBrowserTest, AllowAll) {

 // Tests if specifying only protocol allows all IP address based hosts to pass.
 IN_PROC_BROWSER_TEST_P(CorsOriginAccessListBrowserTest, AllowAllForIp) {
-  SetAllowList("http", "", true);
+  SetAllowList("http", "", kAllowSubdomains);

  std::unique_ptr<TitleWatcher> watcher = CreateWatcher();
  EXPECT_TRUE(NavigateToURL(
@@ -185,7 +190,7 @@ IN_PROC_BROWSER_TEST_P(CorsOriginAccessListBrowserTest, AllowAllForIp) {

 // Tests if complete allow list set allows only exactly matched host to pass.
 IN_PROC_BROWSER_TEST_P(CorsOriginAccessListBrowserTest, AllowExactHost) {
-  SetAllowList("http", kTestHost, false);
+  SetAllowList("http", kTestHost, kDisallowSubdomains);

  std::unique_ptr<TitleWatcher> watcher = CreateWatcher();
  EXPECT_TRUE(
@@ -198,7 +203,7 @@ IN_PROC_BROWSER_TEST_P(CorsOriginAccessListBrowserTest, AllowExactHost) {
 // case insensitive way to pass.
 IN_PROC_BROWSER_TEST_P(CorsOriginAccessListBrowserTest,
                       AllowExactHostInCaseInsensitive) {
-  SetAllowList("http", kTestHost, false);
+  SetAllowList("http", kTestHost, kDisallowSubdomains);

  std::unique_ptr<TitleWatcher> watcher = CreateWatcher();
  EXPECT_TRUE(NavigateToURL(
@@ -210,7 +215,7 @@ IN_PROC_BROWSER_TEST_P(CorsOriginAccessListBrowserTest,
 // Tests if complete allow list set does not allow a host with a different port
 // to pass.
 IN_PROC_BROWSER_TEST_P(CorsOriginAccessListBrowserTest, BlockDifferentPort) {
-  SetAllowList("http", kTestHost, false);
+  SetAllowList("http", kTestHost, kDisallowSubdomains);

  std::unique_ptr<TitleWatcher> watcher = CreateWatcher();
  EXPECT_TRUE(NavigateToURL(
@@ -221,7 +226,7 @@ IN_PROC_BROWSER_TEST_P(CorsOriginAccessListBrowserTest, BlockDifferentPort) {

 // Tests if complete allow list set allows a subdomain to pass if it is allowed.
 IN_PROC_BROWSER_TEST_P(CorsOriginAccessListBrowserTest, AllowSubdomain) {
-  SetAllowList("http", kTestHost, true);
+  SetAllowList("http", kTestHost, kAllowSubdomains);

  std::unique_ptr<TitleWatcher> watcher = CreateWatcher();
  EXPECT_TRUE(NavigateToURL(
@@ -232,7 +237,7 @@ IN_PROC_BROWSER_TEST_P(CorsOriginAccessListBrowserTest, AllowSubdomain) {

 // Tests if complete allow list set does not allow a subdomain to pass.
 IN_PROC_BROWSER_TEST_P(CorsOriginAccessListBrowserTest, BlockSubdomain) {
-  SetAllowList("http", kTestHost, false);
+  SetAllowList("http", kTestHost, kDisallowSubdomains);

  std::unique_ptr<TitleWatcher> watcher = CreateWatcher();
  EXPECT_TRUE(NavigateToURL(
@@ -245,7 +250,7 @@ IN_PROC_BROWSER_TEST_P(CorsOriginAccessListBrowserTest, BlockSubdomain) {
 // protocol to pass.
 IN_PROC_BROWSER_TEST_P(CorsOriginAccessListBrowserTest,
                       BlockDifferentProtocol) {
-  SetAllowList("https", kTestHost, false);
+  SetAllowList("https", kTestHost, kDisallowSubdomains);

  std::unique_ptr<TitleWatcher> watcher = CreateWatcher();
  EXPECT_TRUE(
@@ -257,7 +262,7 @@ IN_PROC_BROWSER_TEST_P(CorsOriginAccessListBrowserTest,
 // Tests if IP address based hosts should not follow subdomain match rules.
 IN_PROC_BROWSER_TEST_P(CorsOriginAccessListBrowserTest,
                       SubdomainMatchShouldNotBeAppliedForIPAddress) {
-  SetAllowList("http", "*.0.0.1", true);
+  SetAllowList("http", "*.0.0.1", kAllowSubdomains);

  std::unique_ptr<TitleWatcher> watcher = CreateWatcher();
  EXPECT_TRUE(NavigateToURL(

--- a/extensions/common/cors_util.cc
+++ b/extensions/common/cors_util.cc
@@ -37,7 +37,11 @@ void AddURLPatternSetToList(
      if (!pattern.MatchesScheme(scheme))
        continue;
      list->push_back(network::mojom::CorsOriginPattern::New(
-          scheme, pattern.host(), pattern.match_subdomains(), priority));
+          scheme, pattern.host(),
+          pattern.match_subdomains()
+              ? network::mojom::CorsOriginAccessMatchMode::kAllowSubdomains
+              : network::mojom::CorsOriginAccessMatchMode::kDisallowSubdomains,
+          priority));
    }
  }
 }
@@ -80,7 +84,8 @@ CreateCorsOriginAccessBlockList(const Extension& extension) {

  GURL webstore_launch_url = extension_urls::GetWebstoreLaunchURL();
  block_list.push_back(network::mojom::CorsOriginPattern::New(
-      webstore_launch_url.scheme(), webstore_launch_url.host(), true,
+      webstore_launch_url.scheme(), webstore_launch_url.host(),
+      network::mojom::CorsOriginAccessMatchMode::kAllowSubdomains,
      network::mojom::CorsOriginAccessMatchPriority::kHighPriority));

  // TODO(devlin): Should we also block the webstore update URL here? See

--- a/extensions/renderer/dispatcher.cc
+++ b/extensions/renderer/dispatcher.cc
@@ -1238,14 +1238,18 @@ void Dispatcher::UpdateOriginPermissions(const Extension& extension) {
  for (const auto& entry : allow_list) {
    WebSecurityPolicy::AddOriginAccessAllowListEntry(
        extension.url(), WebString::FromUTF8(entry->protocol),
-        WebString::FromUTF8(entry->domain), entry->allow_subdomains,
+        WebString::FromUTF8(entry->domain),
+        entry->mode ==
+            network::mojom::CorsOriginAccessMatchMode::kAllowSubdomains,
        entry->priority);
  }

  for (const auto& entry : CreateCorsOriginAccessBlockList(extension)) {
    WebSecurityPolicy::AddOriginAccessBlockListEntry(
        extension.url(), WebString::FromUTF8(entry->protocol),
-        WebString::FromUTF8(entry->domain), entry->allow_subdomains,
+        WebString::FromUTF8(entry->domain),
+        entry->mode ==
+            network::mojom::CorsOriginAccessMatchMode::kAllowSubdomains,
        entry->priority);
  }
 }

--- a/services/network/cors/cors_url_loader_unittest.cc
+++ b/services/network/cors/cors_url_loader_unittest.cc
@@ -76,7 +76,7 @@ class TestURLLoaderFactory : public mojom::URLLoaderFactory {
    on_create_loader_and_start_ = closure;
  }

-  const network::ResourceRequest& request() const { return request_; }
+  const ResourceRequest& request() const { return request_; }
  const GURL& GetRequestedURL() const { return request_.url; }
  int num_created_loaders() const { return num_created_loaders_; }

@@ -228,12 +228,10 @@ class CorsURLLoaderTest : public testing::Test {
  void AddAllowListEntryForOrigin(const url::Origin& source_origin,
                                  const std::string& protocol,
                                  const std::string& domain,
-                                  bool allow_subdomains) {
+                                  const mojom::CorsOriginAccessMatchMode mode) {
    origin_access_list_.AddAllowListEntryForOrigin(
-        source_origin,
-        network::mojom::CorsOriginPattern::New(
-            protocol, domain, allow_subdomains,
-            network::mojom::CorsOriginAccessMatchPriority::kDefaultPriority));
+        source_origin, protocol, domain, mode,
+        mojom::CorsOriginAccessMatchPriority::kDefaultPriority);
  }

  static net::RedirectInfo CreateRedirectInfo(
@@ -1014,8 +1012,9 @@ TEST_F(CorsURLLoaderTest, OriginAccessList) {

  // Adds an entry to allow the cross origin request beyond the CORS
  // rules.
-  AddAllowListEntryForOrigin(url::Origin::Create(origin), url.scheme(),
-                             url.host(), false);
+  AddAllowListEntryForOrigin(
+      url::Origin::Create(origin), url.scheme(), url.host(),
+      mojom::CorsOriginAccessMatchMode::kDisallowSubdomains);

  CreateLoaderAndStart(origin, url, mojom::FetchRequestMode::kCors);


--- a/services/network/public/cpp/cors/origin_access_entry.cc
+++ b/services/network/public/cpp/cors/origin_access_entry.cc
@@ -6,6 +6,7 @@

 #include "base/strings/string_util.h"
 #include "net/base/registry_controlled_domains/registry_controlled_domain.h"
+#include "services/network/public/mojom/cors_origin_pattern.mojom.h"
 #include "url/origin.h"
 #include "url/url_util.h"

@@ -125,6 +126,11 @@ OriginAccessEntry::MatchResult OriginAccessEntry::MatchesDomain(
  return kMatchesOrigin;
 }

+mojo::InlinedStructPtr<mojom::CorsOriginPattern>
+OriginAccessEntry::CreateCorsOriginPattern() const {
+  return mojom::CorsOriginPattern::New(protocol_, host_, mode_, priority_);
+}
+
 }  // namespace cors

 }  // namespace network
--- a/services/network/public/cpp/cors/origin_access_entry.h
+++ b/services/network/public/cpp/cors/origin_access_entry.h
@@ -18,6 +18,10 @@ class Origin;

 namespace network {

+namespace mojom {
+class CorsOriginPattern;
+}  // namespace mojom
+
 namespace cors {

 // A class to hold a protocol and host pair and to provide methods to determine
@@ -37,12 +41,11 @@ class COMPONENT_EXPORT(NETWORK_CPP) OriginAccessEntry final {
  // IPv6 addresses must include brackets (e.g.
  // '[2001:db8:85a3::8a2e:370:7334]', not '2001:db8:85a3::8a2e:370:7334').
  // The priority argument is used to break ties when multiple entries match.
-  OriginAccessEntry(
-      const std::string& protocol,
-      const std::string& host,
-      const mojom::CorsOriginAccessMatchMode mode,
-      const mojom::CorsOriginAccessMatchPriority priority =
-          network::mojom::CorsOriginAccessMatchPriority::kDefaultPriority);
+  OriginAccessEntry(const std::string& protocol,
+                    const std::string& host,
+                    const mojom::CorsOriginAccessMatchMode mode,
+                    const mojom::CorsOriginAccessMatchPriority priority =
+                        mojom::CorsOriginAccessMatchPriority::kDefaultPriority);
  OriginAccessEntry(OriginAccessEntry&& from);

  // 'matchesOrigin' requires a protocol match (e.g. 'http' != 'https').
@@ -56,6 +59,11 @@ class COMPONENT_EXPORT(NETWORK_CPP) OriginAccessEntry final {
    return registerable_domain_;
  }

+  // Creates mojom::CorsOriginPattern instance that represents |this|
+  // OriginAccessEntry instance.
+  mojo::InlinedStructPtr<mojom::CorsOriginPattern> CreateCorsOriginPattern()
+      const;
+
 private:
  const std::string protocol_;
  const std::string host_;

--- a/services/network/public/cpp/cors/origin_access_entry_unittest.cc
+++ b/services/network/public/cpp/cors/origin_access_entry_unittest.cc
@@ -4,6 +4,7 @@

 #include "services/network/public/cpp/cors/origin_access_entry.h"

+#include "services/network/public/mojom/cors_origin_pattern.mojom.h"
 #include "testing/gtest/include/gtest/gtest.h"
 #include "url/gurl.h"
 #include "url/origin.h"
@@ -315,6 +316,20 @@ TEST(OriginAccessEntryTest, IPAddressMatchingTest) {
  }
 }

+TEST(OriginAccessEntryTest, CreateCorsOriginPattern) {
+  const std::string kProtocol = "https";
+  const std::string kDomain = "google.com";
+  const auto kMode = mojom::CorsOriginAccessMatchMode::kAllowSubdomains;
+  const auto kPriority = mojom::CorsOriginAccessMatchPriority::kDefaultPriority;
+
+  OriginAccessEntry entry(kProtocol, kDomain, kMode, kPriority);
+  mojom::CorsOriginPatternPtr pattern = entry.CreateCorsOriginPattern();
+  DCHECK_EQ(kProtocol, pattern->protocol);
+  DCHECK_EQ(kDomain, pattern->domain);
+  DCHECK_EQ(kMode, pattern->mode);
+  DCHECK_EQ(kPriority, pattern->priority);
+}
+
 }  // namespace

 }  // namespace cors

--- a/services/network/public/cpp/cors/origin_access_list.cc
+++ b/services/network/public/cpp/cors/origin_access_list.cc
@@ -4,6 +4,8 @@

 #include "services/network/public/cpp/cors/origin_access_list.h"

+#include "services/network/public/mojom/cors_origin_pattern.mojom.h"
+
 namespace network {

 namespace cors {
@@ -13,14 +15,25 @@ OriginAccessList::~OriginAccessList() = default;

 void OriginAccessList::SetAllowListForOrigin(
    const url::Origin& source_origin,
-    const std::vector<mojom::CorsOriginPatternPtr>& patterns) {
+    const std::vector<CorsOriginPatternPtr>& patterns) {
  SetForOrigin(source_origin, patterns, &allow_list_);
 }

 void OriginAccessList::AddAllowListEntryForOrigin(
    const url::Origin& source_origin,
-    const mojom::CorsOriginPatternPtr& pattern) {
-  AddForOrigin(source_origin, pattern, &allow_list_);
+    const std::string& protocol,
+    const std::string& domain,
+    const mojom::CorsOriginAccessMatchMode mode,
+    const mojom::CorsOriginAccessMatchPriority priority) {
+  AddForOrigin(source_origin,
+               mojom::CorsOriginPattern::New(protocol, domain, mode, priority),
+               &allow_list_);
+}
+
+void OriginAccessList::ClearAllowListForOrigin(
+    const url::Origin& source_origin) {
+  SetForOrigin(source_origin, std::vector<mojom::CorsOriginPatternPtr>(),
+               &allow_list_);
 }

 void OriginAccessList::ClearAllowList() {
@@ -29,14 +42,25 @@ void OriginAccessList::ClearAllowList() {

 void OriginAccessList::SetBlockListForOrigin(
    const url::Origin& source_origin,
-    const std::vector<mojom::CorsOriginPatternPtr>& patterns) {
+    const std::vector<CorsOriginPatternPtr>& patterns) {
  SetForOrigin(source_origin, patterns, &block_list_);
 }

 void OriginAccessList::AddBlockListEntryForOrigin(
    const url::Origin& source_origin,
-    const mojom::CorsOriginPatternPtr& pattern) {
-  AddForOrigin(source_origin, pattern, &block_list_);
+    const std::string& protocol,
+    const std::string& domain,
+    const mojom::CorsOriginAccessMatchMode mode,
+    const mojom::CorsOriginAccessMatchPriority priority) {
+  AddForOrigin(source_origin,
+               mojom::CorsOriginPattern::New(protocol, domain, mode, priority),
+               &block_list_);
+}
+
+void OriginAccessList::ClearBlockListForOrigin(
+    const url::Origin& source_origin) {
+  SetForOrigin(source_origin, std::vector<mojom::CorsOriginPatternPtr>(),
+               &block_list_);
 }

 void OriginAccessList::ClearBlockList() {
@@ -64,10 +88,38 @@ bool OriginAccessList::IsAllowed(const url::Origin& source_origin,
  return allow_list_priority > block_list_priority;
 }

+std::vector<mojo::StructPtr<mojom::CorsOriginAccessPatterns>>
+OriginAccessList::CreateCorsOriginAccessPatternsList() const {
+  std::set<std::string> origins;
+  for (const auto& allow_map : allow_list_)
+    origins.insert(allow_map.first);
+  for (const auto& block_map : block_list_)
+    origins.insert(block_map.first);
+
+  std::vector<mojom::CorsOriginAccessPatternsPtr> access_patterns;
+  for (const auto& origin : origins) {
+    std::vector<mojom::CorsOriginPatternPtr> allow_patterns;
+    const auto& allow_entries = allow_list_.find(origin);
+    if (allow_entries != allow_list_.end()) {
+      for (const auto& pattern : allow_entries->second)
+        allow_patterns.push_back(pattern.CreateCorsOriginPattern());
+    }
+    std::vector<mojom::CorsOriginPatternPtr> block_patterns;
+    const auto& block_entries = block_list_.find(origin);
+    if (block_entries != block_list_.end()) {
+      for (const auto& pattern : block_entries->second)
+        block_patterns.push_back(pattern.CreateCorsOriginPattern());
+    }
+    access_patterns.push_back(mojom::CorsOriginAccessPatterns::New(
+        origin, std::move(allow_patterns), std::move(block_patterns)));
+  }
+  return access_patterns;
+}
+
 // static
 void OriginAccessList::SetForOrigin(
    const url::Origin& source_origin,
-    const std::vector<mojom::CorsOriginPatternPtr>& patterns,
+    const std::vector<CorsOriginPatternPtr>& patterns,
    PatternMap* map) {
  DCHECK(map);
  DCHECK(!source_origin.opaque());
@@ -80,28 +132,20 @@ void OriginAccessList::SetForOrigin(
  Patterns& native_patterns = (*map)[source];
  for (const auto& pattern : patterns) {
    native_patterns.push_back(OriginAccessEntry(
-        pattern->protocol, pattern->domain,
-        pattern->allow_subdomains
-            ? mojom::CorsOriginAccessMatchMode::kAllowSubdomains
-            : mojom::CorsOriginAccessMatchMode::kDisallowSubdomains,
-        pattern->priority));
+        pattern->protocol, pattern->domain, pattern->mode, pattern->priority));
  }
 }

 // static
 void OriginAccessList::AddForOrigin(const url::Origin& source_origin,
-                                    const mojom::CorsOriginPatternPtr& pattern,
+                                    const CorsOriginPatternPtr& pattern,
                                    PatternMap* map) {
  DCHECK(map);
  DCHECK(!source_origin.opaque());

  std::string source = source_origin.Serialize();
-  (*map)[source].push_back(OriginAccessEntry(
-      pattern->protocol, pattern->domain,
-      pattern->allow_subdomains
-          ? mojom::CorsOriginAccessMatchMode::kAllowSubdomains
-          : mojom::CorsOriginAccessMatchMode::kDisallowSubdomains,
-      pattern->priority));
+  (*map)[source].push_back(OriginAccessEntry(pattern->protocol, pattern->domain,
+                                             pattern->mode, pattern->priority));
 }

 // static

--- a/services/network/public/cpp/cors/origin_access_list.h
+++ b/services/network/public/cpp/cors/origin_access_list.h
@@ -12,30 +12,44 @@
 #include "base/component_export.h"
 #include "base/macros.h"
 #include "services/network/public/cpp/cors/origin_access_entry.h"
-#include "services/network/public/mojom/cors_origin_pattern.mojom.h"
+#include "services/network/public/mojom/cors_origin_pattern.mojom-shared.h"
 #include "url/origin.h"

 namespace network {

+namespace mojom {
+class CorsOriginPattern;
+class CorsOriginAccessPatterns;
+}  // namespace mojom
+
 namespace cors {

 // A class to manage origin access allow / block lists. If these lists conflict,
 // blacklisting is respected. These lists are managed per source-origin basis.
 class COMPONENT_EXPORT(NETWORK_CPP) OriginAccessList {
 public:
+  using CorsOriginPatternPtr = mojo::InlinedStructPtr<mojom::CorsOriginPattern>;
+
  OriginAccessList();
  ~OriginAccessList();

  // Clears the old allow list for |source_origin|, and set |patterns| to the
  // allow list. When two or more patterns in a list match, the entry with the
  // higher |priority| takes precedence.
-  void SetAllowListForOrigin(
+  void SetAllowListForOrigin(const url::Origin& source_origin,
+                             const std::vector<CorsOriginPatternPtr>& patterns);
+
+  // Adds an access pattern by |protocol|, |domain|, |mode|, and |priority|,
+  // to the allow list for |source_origin|.
+  void AddAllowListEntryForOrigin(
      const url::Origin& source_origin,
-      const std::vector<mojom::CorsOriginPatternPtr>& patterns);
+      const std::string& protocol,
+      const std::string& domain,
+      const mojom::CorsOriginAccessMatchMode mode,
+      const mojom::CorsOriginAccessMatchPriority priority);

-  // Adds |pattern| to the allow list for |source_origin|.
-  void AddAllowListEntryForOrigin(const url::Origin& source_origin,
-                                  const mojom::CorsOriginPatternPtr& pattern);
+  // Clears the old allow list for |source_origin|.
+  void ClearAllowListForOrigin(const url::Origin& source_origin);

  // Clears the old allow list.
  void ClearAllowList();
@@ -43,13 +57,20 @@ class COMPONENT_EXPORT(NETWORK_CPP) OriginAccessList {
  // Clears the old block list for |source_origin| and set |patterns| to the
  // block list. When two or more patterns in a list match, the entry with the
  // higher |priority| takes precedence.
-  void SetBlockListForOrigin(
+  void SetBlockListForOrigin(const url::Origin& source_origin,
+                             const std::vector<CorsOriginPatternPtr>& patterns);
+
+  // Adds an access pattern by |protocol|, |domain|, |mode|, and |priority|,
+  // to the block list for |source_origin|.
+  void AddBlockListEntryForOrigin(
      const url::Origin& source_origin,
-      const std::vector<mojom::CorsOriginPatternPtr>& patterns);
+      const std::string& protocol,
+      const std::string& domain,
+      const mojom::CorsOriginAccessMatchMode mode,
+      const mojom::CorsOriginAccessMatchPriority priority);

-  // Adds |pattern| to the block list for |source_origin|.
-  void AddBlockListEntryForOrigin(const url::Origin& source_origin,
-                                  const mojom::CorsOriginPatternPtr& pattern);
+  // Clears the old block list for |source_origin|.
+  void ClearBlockListForOrigin(const url::Origin& source_origin);

  // Clears the old block list.
  void ClearBlockList();
@@ -59,22 +80,28 @@ class COMPONENT_EXPORT(NETWORK_CPP) OriginAccessList {
  bool IsAllowed(const url::Origin& source_origin,
                 const GURL& destination) const;

+  // Creates mojom::CorsPriginAccessPatterns instance vector that represents
+  // |this| OriginAccessList instance.
+  std::vector<mojo::StructPtr<mojom::CorsOriginAccessPatterns>>
+  CreateCorsOriginAccessPatternsList() const;
+
 private:
  using Patterns = std::vector<OriginAccessEntry>;
  using PatternMap = std::map<std::string, Patterns>;

-  static void SetForOrigin(
-      const url::Origin& source_origin,
-      const std::vector<mojom::CorsOriginPatternPtr>& patterns,
-      PatternMap* map);
+  static void SetForOrigin(const url::Origin& source_origin,
+                           const std::vector<CorsOriginPatternPtr>& patterns,
+                           PatternMap* map);
  static void AddForOrigin(const url::Origin& source_origin,
-                           const mojom::CorsOriginPatternPtr& pattern,
+                           const CorsOriginPatternPtr& pattern,
                           PatternMap* map);
-  static network::mojom::CorsOriginAccessMatchPriority
-  GetHighestPriorityOfRuleForOrigin(const std::string& source,
-                                    const url::Origin& destination_origin,
-                                    const PatternMap& map);
+  static mojom::CorsOriginAccessMatchPriority GetHighestPriorityOfRuleForOrigin(
+      const std::string& source,
+      const url::Origin& destination_origin,
+      const PatternMap& map);

+  // TODO(toyoshim): Redesign to have an unified map to be consistent with
+  // mojom::CorsOriginAccessPatterns. See https://crbug.com/908756.
  PatternMap allow_list_;
  PatternMap block_list_;


--- a/services/network/public/cpp/cors/origin_access_list_unittest.cc
+++ b/services/network/public/cpp/cors/origin_access_list_unittest.cc
--- a/services/network/public/mojom/cors_origin_pattern.mojom
+++ b/services/network/public/mojom/cors_origin_pattern.mojom
@@ -27,7 +27,7 @@ enum CorsOriginAccessMatchPriority {
  kMaxPriority
 };

-// Parameters for representing a access origin whitelist or blacklist for CORS.
+// Parameters for representing a access origin allowlist or blocklist for CORS.
 struct CorsOriginPattern {
  // The protocol part of the destination URL.
  string protocol;
@@ -35,8 +35,8 @@ struct CorsOriginPattern {
  // The domain part of the destination URL.
  string domain;

-  // Whether subdomains match this protocol and host pattern.
-  bool allow_subdomains;
+  // Specifies a mode for domain match.
+  CorsOriginAccessMatchMode mode;

  // Order of preference in which the pattern is applied.  Higher priority
  // patterns take precedence over lower ones.  In the case were both a
@@ -44,3 +44,12 @@ struct CorsOriginPattern {
  // the block list rule takes priority.
  CorsOriginAccessMatchPriority priority;
 };
+
+// Parameters for representing pairs of source origin and allow/block-lists
+// for CORS.
+struct CorsOriginAccessPatterns {
+  string source_origin;
+
+  array<CorsOriginPattern> allow_patterns;
+  array<CorsOriginPattern> block_patterns;
+};
--- a/third_party/blink/renderer/platform/weborigin/security_policy.cc
+++ b/third_party/blink/renderer/platform/weborigin/security_policy.cc
@@ -32,7 +32,6 @@

 #include "base/strings/pattern.h"
 #include "services/network/public/cpp/cors/origin_access_list.h"
-#include "services/network/public/mojom/cors_origin_pattern.mojom-shared.h"
 #include "services/network/public/mojom/referrer_policy.mojom-blink.h"
 #include "third_party/blink/public/platform/web_string.h"
 #include "third_party/blink/renderer/platform/runtime_enabled_features.h"
@@ -247,10 +246,12 @@ void SecurityPolicy::AddOriginAccessAllowListEntry(
    const network::mojom::CorsOriginAccessMatchPriority priority) {
  MutexLocker lock(GetMutex());
  GetOriginAccessList().AddAllowListEntryForOrigin(
-      source_origin.ToUrlOrigin(), network::mojom::CorsOriginPattern::New(
-                                       WebString(destination_protocol).Utf8(),
-                                       WebString(destination_domain).Utf8(),
-                                       allow_destination_subdomains, priority));
+      source_origin.ToUrlOrigin(), WebString(destination_protocol).Utf8(),
+      WebString(destination_domain).Utf8(),
+      allow_destination_subdomains
+          ? network::mojom::CorsOriginAccessMatchMode::kAllowSubdomains
+          : network::mojom::CorsOriginAccessMatchMode::kDisallowSubdomains,
+      priority);
 }

 void SecurityPolicy::AddOriginAccessBlockListEntry(
@@ -261,21 +262,20 @@ void SecurityPolicy::AddOriginAccessBlockListEntry(
    const network::mojom::CorsOriginAccessMatchPriority priority) {
  MutexLocker lock(GetMutex());
  GetOriginAccessList().AddBlockListEntryForOrigin(
-      source_origin.ToUrlOrigin(), network::mojom::CorsOriginPattern::New(
-                                       WebString(destination_protocol).Utf8(),
-                                       WebString(destination_domain).Utf8(),
-                                       allow_destination_subdomains, priority));
+      source_origin.ToUrlOrigin(), WebString(destination_protocol).Utf8(),
+      WebString(destination_domain).Utf8(),
+      allow_destination_subdomains
+          ? network::mojom::CorsOriginAccessMatchMode::kAllowSubdomains
+          : network::mojom::CorsOriginAccessMatchMode::kDisallowSubdomains,
+      priority);
 }

 void SecurityPolicy::ClearOriginAccessListForOrigin(
    const SecurityOrigin& source_origin) {
  MutexLocker lock(GetMutex());
-  GetOriginAccessList().SetAllowListForOrigin(
-      source_origin.ToUrlOrigin(),
-      std::vector<network::mojom::CorsOriginPatternPtr>());
-  GetOriginAccessList().SetBlockListForOrigin(
-      source_origin.ToUrlOrigin(),
-      std::vector<network::mojom::CorsOriginPatternPtr>());
+  const url::Origin origin = source_origin.ToUrlOrigin();
+  GetOriginAccessList().ClearAllowListForOrigin(origin);
+  GetOriginAccessList().ClearBlockListForOrigin(origin);
 }

 void SecurityPolicy::ClearOriginAccessList() {