Always use an opaque origin for about:blank, even on Android WebView.

Before this CL, in presence of AllowNonStandardSchemesForAndroidWebView,
there would be an inconsistency between origins calculated for
about:blank URL by Blink and //url:

- The assertions added by this CL to SecurityOriginTest,
  NonStandardSchemeWithAndroidWebViewHack would pass before
  and after this CL (always returning an opaque, unique origin
  for "about:blank" URL).

- The assertions added by this CL to OriginTest,
  NonStandardSchemeWithAndroidWebViewHack would fail before
  this CL (returning "about://" origin for "about:blank" URL)
  and pass after this CL.

Before and after this CL, Blink would use an opaque origin because
ShouldTreatAsOpaqueOrigin in Blink's security_origin.cc would
match "about" in SchemeRegistry::ShouldTreatURLSchemeAsNoAccess.
This CL makes sure that IsValidInput in //url's scheme_host_port.cc
also takes no-access schemes into account.

Making sure that Blink and //url origins are consistent is a step toward
being able to calculate the origin to commit on the browser-side.
Without this CL, Android WebView tests (e.g.
...android_webview.test.LoadDataWithBaseUrlTest#testNullBaseUrl)
would fail in the follow-up CL here: https://crrev.com/c/2581008/13

Change-Id: Ic302abb8f61b16bacdcd5dc15f33718f94c106c9
Bug: 888079
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2601844
Auto-Submit: Łukasz Anforowicz <lukasza@chromium.org>
Reviewed-by: Jeremy Roman <jbroman@chromium.org>
Reviewed-by: Daniel Cheng <dcheng@chromium.org>
Commit-Queue: Łukasz Anforowicz <lukasza@chromium.org>
Cr-Commit-Position: refs/heads/master@{#839672}

third_party/blink/renderer/platform/weborigin/security_origin_test.cc

@@ -912,12 +912,19 @@ TEST_F(SecurityOriginTest, NonStandardScheme) {
 TEST_F(SecurityOriginTest, NonStandardSchemeWithAndroidWebViewHack) {
   url::ScopedSchemeRegistryForTests scoped_registry;
   url::EnableNonStandardSchemesForAndroidWebView();
+
+  // Regression test for https://crbug.com/896059.
   scoped_refptr<const SecurityOrigin> origin =
       SecurityOrigin::CreateFromString("cow://");
   EXPECT_FALSE(origin->IsOpaque());
   EXPECT_EQ("cow", origin->Protocol());
   EXPECT_EQ("", origin->Host());
   EXPECT_EQ(0, origin->Port());
+
+  // about:blank translates into an opaque origin, even in presence of
+  // EnableNonStandardSchemesForAndroidWebView.
+  origin = SecurityOrigin::CreateFromString("about:blank");
+  EXPECT_TRUE(origin->IsOpaque());
 }
 
 TEST_F(SecurityOriginTest, OpaqueIsolatedCopy) {

url/origin_unittest.cc

@@ -673,11 +673,18 @@ TEST_F(OriginTest, NonStandardScheme) {
 
 TEST_F(OriginTest, NonStandardSchemeWithAndroidWebViewHack) {
   EnableNonStandardSchemesForAndroidWebView();
+
+  // Regression test for https://crbug.com/896059.
   Origin origin = Origin::Create(GURL("cow://"));
   EXPECT_FALSE(origin.opaque());
   EXPECT_EQ("cow", origin.scheme());
   EXPECT_EQ("", origin.host());
   EXPECT_EQ(0, origin.port());
+
+  // about:blank translates into an opaque origin, even in presence of
+  // EnableNonStandardSchemesForAndroidWebView.
+  origin = Origin::Create(GURL("about:blank"));
+  EXPECT_TRUE(origin.opaque());
 }
 
 TEST_F(OriginTest, CanBeDerivedFrom) {

url/scheme_host_port.cc

@@ -72,6 +72,10 @@ bool IsValidInput(const base::StringPiece& scheme,
     if (base::Contains(GetLocalSchemes(), scheme) && host.empty() && port == 0)
       return true;
 
+    // about:blank and other no-access schemes translate into an opaque origin.
+    if (base::Contains(GetNoAccessSchemes(), scheme))
+      return false;
+
     // Otherwise, allow non-standard schemes only if the Android WebView
     // workaround is enabled.
     return AllowNonStandardSchemesForAndroidWebView();

url/scheme_host_port_unittest.cc

@@ -55,8 +55,15 @@ TEST_F(SchemeHostPortTest, Invalid) {
   EXPECT_EQ(invalid, invalid);
 
   const char* urls[] = {
-      "data:text/html,Hello!", "javascript:alert(1)",
-      "file://example.com:443/etc/passwd",
+      // about:, data:, javascript: and other no-access schemes translate into
+      // an invalid SchemeHostPort
+      "about:blank", "about:blank#ref", "about:blank?query=123", "about:srcdoc",
+      "about:srcdoc#ref", "about:srcdoc?query=123", "data:text/html,Hello!",
+      "javascript:alert(1)",
+
+      // GURLs where GURL::is_valid returns false translate into an invalid
+      // SchemeHostPort.
+      "file://example.com:443/etc/passwd", "#!^%!$!&*",
 
       // These schemes do not follow the generic URL syntax, so make sure we
       // treat them as invalid (scheme, host, port) tuples (even though such