diff --git content/browser/child_process_security_policy_impl.cc content/browser/child_process_security_policy_impl.cc index 3a619b38da0c7..8bdf8ad9b1c18 100644 --- content/browser/child_process_security_policy_impl.cc +++ content/browser/child_process_security_policy_impl.cc @@ -1751,6 +1751,16 @@ bool ChildProcessSecurityPolicyImpl::CanAccessDataForMaybeOpaqueOrigin( // DeclarativeApiTest.PersistRules. if (actual_process_lock.matches_scheme(url::kDataScheme)) return true; + + // Allow other schemes that are non-standard, non-local and WebSafe. + if (lock_url.is_valid() && + !lock_url.IsStandard() && + !base::Contains(url::GetLocalSchemes(), + lock_url.scheme_piece()) && + base::Contains(schemes_okay_to_request_in_any_process_, + lock_url.scheme())) { + return true; + } } // TODO(wjmaclean): We should update the ProcessLock comparison API diff --git content/browser/renderer_host/navigation_request.cc content/browser/renderer_host/navigation_request.cc index e3e73a2353312..4f2d190c000b2 100644 --- content/browser/renderer_host/navigation_request.cc +++ content/browser/renderer_host/navigation_request.cc @@ -6312,6 +6312,12 @@ NavigationRequest::GetOriginForURLLoaderFactoryWithoutFinalFrameHost( network::mojom::WebSandboxFlags sandbox_flags) { // Calculate an approximation of the origin. The sandbox/csp are ignored. url::Origin origin = GetOriginForURLLoaderFactoryUnchecked(this); + if (!origin.GetURL().IsStandard()) { + // Always return an opaque origin for non-standard URLs. Otherwise, the + // below CanAccessDataForOrigin() check may fail for unregistered custom + // scheme requests in CEF. + return origin.DeriveNewOpaqueOrigin(); + } // Apply sandbox flags. // See https://html.spec.whatwg.org/#sandboxed-origin-browsing-context-flag @@ -6345,6 +6351,15 @@ NavigationRequest::GetOriginForURLLoaderFactoryWithFinalFrameHost() { if (IsSameDocument() || IsPageActivation()) return GetRenderFrameHost()->GetLastCommittedOrigin(); + // Calculate an approximation of the origin. The sandbox/csp are ignored. + url::Origin unchecked_origin = GetOriginForURLLoaderFactoryUnchecked(this); + if (!unchecked_origin.GetURL().IsStandard()) { + // Always return an opaque origin for non-standard URLs. Otherwise, the + // below CanAccessDataForOrigin() check may fail for unregistered custom + // scheme requests in CEF. + return unchecked_origin.DeriveNewOpaqueOrigin(); + } + url::Origin origin = GetOriginForURLLoaderFactoryWithoutFinalFrameHost(SandboxFlagsToCommit());