XSDB should also protect filesystem:... and blob:... URIs.

Bug: 804957
Change-Id: I2d2cccf2e77ad44305af1601e52c6ae80e062d7d
Reviewed-on: https://chromium-review.googlesource.com/882450
Commit-Queue: Łukasz Anforowicz <lukasza@chromium.org>
Reviewed-by: Alex Moshchuk <alexmos@chromium.org>
Cr-Commit-Position: refs/heads/master@{#531936}

content/browser/loader/cross_site_document_resource_handler.cc

@@ -495,6 +495,7 @@ bool CrossSiteDocumentResourceHandler::ShouldBlockBasedOnHeaders(
   // quickly as possible.  Checks that are likely to lead to returning false or
   // that are inexpensive should be near the top.
   const GURL& url = request()->url();
+  url::Origin target_origin = url::Origin::Create(url);
 
   // Check if the response's site needs to have its documents protected.  By
   // default, this will usually return false.
@@ -507,7 +508,7 @@ bool CrossSiteDocumentResourceHandler::ShouldBlockBasedOnHeaders(
     case SiteIsolationPolicy::XSDB_ENABLED_IF_ISOLATED:
       if (!SiteIsolationPolicy::UseDedicatedProcessesForAllSites() &&
           !ChildProcessSecurityPolicyImpl::GetInstance()->IsIsolatedOrigin(
-              url::Origin::Create(url))) {
+              target_origin)) {
         return false;
       }
       break;
@@ -531,11 +532,13 @@ bool CrossSiteDocumentResourceHandler::ShouldBlockBasedOnHeaders(
     initiator = request()->initiator().value();
 
   // Don't block same-origin documents.
-  if (initiator.IsSameOriginWith(url::Origin::Create(url)))
+  if (initiator.IsSameOriginWith(target_origin))
     return false;
 
-  // Only block documents from HTTP(S) schemes.
-  if (!CrossSiteDocumentClassifier::IsBlockableScheme(url))
+  // Only block documents from HTTP(S) schemes.  Checking the scheme of
+  // |target_origin| ensures that we also protect content of blob: and
+  // filesystem: URLs if their nested origins have a HTTP(S) scheme.
+  if (!CrossSiteDocumentClassifier::IsBlockableScheme(target_origin.GetURL()))
     return false;
 
   // Allow requests from file:// URLs for now.

content/browser/loader/cross_site_document_resource_handler_unittest.cc

@@ -582,6 +582,36 @@ const TestScenario kScenarios[] = {
         Verdict::kAllow,                        // verdict
         0,                                      // verdict_packet
     },
+    {
+        "Allowed: Same-site XHR to a filesystem URI",
+        __LINE__,
+        "filesystem:http://www.a.com/file.html",    // target_url
+        RESOURCE_TYPE_XHR,                          // resource_type
+        "http://www.a.com/",                        // initiator_origin
+        OriginHeader::kOmit,                        // cors_request
+        "text/html",                                // response_mime_type
+        CROSS_SITE_DOCUMENT_MIME_TYPE_HTML,         // canonical_mime_type
+        false,                                      // include_no_sniff_header
+        AccessControlAllowOriginHeader::kOmit,      // cors_response
+        {"<html><head>this should sniff as HTML"},  // packets
+        Verdict::kAllow,                            // verdict
+        -1,                                         // verdict_packet
+    },
+    {
+        "Allowed: Same-site XHR to a blob URI",
+        __LINE__,
+        "blob:http://www.a.com/guid-goes-here",     // target_url
+        RESOURCE_TYPE_XHR,                          // resource_type
+        "http://www.a.com/",                        // initiator_origin
+        OriginHeader::kOmit,                        // cors_request
+        "text/html",                                // response_mime_type
+        CROSS_SITE_DOCUMENT_MIME_TYPE_HTML,         // canonical_mime_type
+        false,                                      // include_no_sniff_header
+        AccessControlAllowOriginHeader::kOmit,      // cors_response
+        {"<html><head>this should sniff as HTML"},  // packets
+        Verdict::kAllow,                            // verdict
+        -1,                                         // verdict_packet
+    },
 
     // Blocked responses (without sniffing):
     {
@@ -911,6 +941,36 @@ const TestScenario kScenarios[] = {
         Verdict::kBlock,                                      // verdict
         0,                                                    // verdict_packet
     },
+    {
+        "Blocked: Cross-site XHR to a filesystem URI",
+        __LINE__,
+        "filesystem:http://www.b.com/file.html",    // target_url
+        RESOURCE_TYPE_XHR,                          // resource_type
+        "http://www.a.com/",                        // initiator_origin
+        OriginHeader::kOmit,                        // cors_request
+        "text/html",                                // response_mime_type
+        CROSS_SITE_DOCUMENT_MIME_TYPE_HTML,         // canonical_mime_type
+        false,                                      // include_no_sniff_header
+        AccessControlAllowOriginHeader::kOmit,      // cors_response
+        {"<html><head>this should sniff as HTML"},  // packets
+        Verdict::kBlock,                            // verdict
+        0,                                          // verdict_packet
+    },
+    {
+        "Blocked: Cross-site XHR to a blob URI",
+        __LINE__,
+        "blob:http://www.b.com/guid-goes-here",     // target_url
+        RESOURCE_TYPE_XHR,                          // resource_type
+        "http://www.a.com/",                        // initiator_origin
+        OriginHeader::kOmit,                        // cors_request
+        "text/html",                                // response_mime_type
+        CROSS_SITE_DOCUMENT_MIME_TYPE_HTML,         // canonical_mime_type
+        false,                                      // include_no_sniff_header
+        AccessControlAllowOriginHeader::kOmit,      // cors_response
+        {"<html><head>this should sniff as HTML"},  // packets
+        Verdict::kBlock,                            // verdict
+        0,                                          // verdict_packet
+    },
 };
 
 }  // namespace