cef/patch/patches/browser_security_policy_1081397.patch

diff --git content/browser/child_process_security_policy_impl.cc content/browser/child_process_security_policy_impl.cc
index 53a73d6c75b7a..05290de4c03a0 100644
--- content/browser/child_process_security_policy_impl.cc
+++ content/browser/child_process_security_policy_impl.cc
@@ -2146,6 +2146,16 @@ bool ChildProcessSecurityPolicyImpl::PerformJailAndCitadelChecks(
         if (actual_process_lock.matches_scheme(url::kDataScheme)) {
           return true;
         }
+
+        // Allow other schemes that are non-standard, non-local and WebSafe.
+        if (lock_url.is_valid() && !lock_url.IsStandard() &&
+            !base::Contains(url::GetLocalSchemes(), lock_url.scheme_piece())) {
+          base::AutoLock schemes_lock(schemes_lock_);
+          if (base::Contains(schemes_okay_to_request_in_any_process_,
+                             lock_url.scheme())) {
+            return true;
+          }
+        }
       }
 
       // Make an exception to allow most visited tiles to commit in third-party
diff --git content/browser/renderer_host/navigation_request.cc content/browser/renderer_host/navigation_request.cc
index e51bcccd6f63f..a4250481a396e 100644
--- content/browser/renderer_host/navigation_request.cc
+++ content/browser/renderer_host/navigation_request.cc
@@ -8358,10 +8358,22 @@ NavigationRequest::GetOriginForURLLoaderFactoryBeforeResponseWithDebugInfo(
   bool use_opaque_origin =
       (sandbox_flags & network::mojom::WebSandboxFlags::kOrigin) ==
       network::mojom::WebSandboxFlags::kOrigin;
+  if (use_opaque_origin) {
+    origin_and_debug_info.second += ", sandbox_flags";
+  }
+
+  if (!origin_and_debug_info.first.GetURL().IsStandard()) {
+    // Always return an opaque origin for non-standard URLs. Otherwise, the
+    // CanAccessDataForOrigin() check may fail for unregistered custom scheme
+    // requests in CEF.
+    use_opaque_origin = true;
+    origin_and_debug_info.second += ", cef_nonstandard";
+  }
+
   if (use_opaque_origin) {
     origin_and_debug_info =
         std::pair(origin_and_debug_info.first.DeriveNewOpaqueOrigin(),
-                  origin_and_debug_info.second + ", sandbox_flags");
+                  origin_and_debug_info.second);
   }
 
   return origin_and_debug_info;
@@ -8469,11 +8481,20 @@ NavigationRequest::GetOriginForURLLoaderFactoryAfterResponseWithDebugInfo() {
       DetermineInitiatorRelationship(initiator_rfh,
                                      frame_tree_node_->current_frame_host()));
 
+  if (origin_with_debug_info.first.opaque() &&
+      origin_with_debug_info.second.find("cef_nonstandard") !=
+          std::string::npos) {
+    // Always return an opaque origin for non-standard URLs. Otherwise, the
+    // below CanAccessDataForOrigin() check may fail for unregistered custom
+    // scheme requests in CEF.
+    return origin_with_debug_info;
+  }
+
   // MHTML documents should commit as an opaque origin. They should not be able
   // to make network request on behalf of the real origin.
   // TODO(crbug.com/370979008): Migrate to CHECK.
-  DUMP_WILL_BE_CHECK(!IsMhtmlOrSubframe() ||
-                     origin_with_debug_info.first.opaque());
+  // DUMP_WILL_BE_CHECK(!IsMhtmlOrSubframe() ||
+  //                    origin_with_debug_info.first.opaque());
 
   // If the target of this navigation will be rendered in a RenderFrameHost,
   // then verify that the chosen origin is allowed to be accessed from that