cef/patch/patches/browser_security_policy_1081397.patch

diff --git content/browser/child_process_security_policy_impl.cc content/browser/child_process_security_policy_impl.cc
index 18c138c21a853..554e22458da45 100644
--- content/browser/child_process_security_policy_impl.cc
+++ content/browser/child_process_security_policy_impl.cc
@@ -1755,6 +1755,16 @@ bool ChildProcessSecurityPolicyImpl::CanAccessDataForMaybeOpaqueOrigin(
             // DeclarativeApiTest.PersistRules.
             if (actual_process_lock.matches_scheme(url::kDataScheme))
               return true;
+
+            // Allow other schemes that are non-standard, non-local and WebSafe.
+            if (lock_url.is_valid() &&
+                !lock_url.IsStandard() &&
+                !base::Contains(url::GetLocalSchemes(),
+                                lock_url.scheme_piece()) &&
+                base::Contains(schemes_okay_to_request_in_any_process_,
+                               lock_url.scheme())) {
+              return true;
+            }
           }
 
           // TODO(wjmaclean): We should update the ProcessLock comparison API
diff --git content/browser/renderer_host/navigation_request.cc content/browser/renderer_host/navigation_request.cc
index fe59047aca94b..a2b6583dba0b5 100644
--- content/browser/renderer_host/navigation_request.cc
+++ content/browser/renderer_host/navigation_request.cc
@@ -6542,6 +6542,14 @@ std::pair<url::Origin, std::string> NavigationRequest::
     origin_and_debug_info.second += ", error";
   }
 
+  if (!origin_and_debug_info.first.GetURL().IsStandard()) {
+    // Always return an opaque origin for non-standard URLs. Otherwise, the
+    // CanAccessDataForOrigin() check may fail for unregistered custom scheme
+    // requests in CEF.
+    use_opaque_origin = true;
+    origin_and_debug_info.second += ", cef_nonstandard";
+  }
+
   if (use_opaque_origin) {
     origin_and_debug_info =
         std::make_pair(origin_and_debug_info.first.DeriveNewOpaqueOrigin(),
@@ -6569,6 +6577,15 @@ std::pair<url::Origin, std::string> NavigationRequest::
       GetOriginForURLLoaderFactoryWithoutFinalFrameHostWithDebugInfo(
           SandboxFlagsToCommit());
 
+  if (origin_with_debug_info.first.opaque() &&
+      origin_with_debug_info.second.find("cef_nonstandard") !=
+          std::string::npos) {
+    // Always return an opaque origin for non-standard URLs. Otherwise, the
+    // below CanAccessDataForOrigin() check may fail for unregistered custom
+    // scheme requests in CEF.
+    return origin_with_debug_info;
+  }
+
   // MHTML documents should commit as an opaque origin. They should not be able
   // to make network request on behalf of the real origin.
   DCHECK(!IsMhtmlOrSubframe() || origin_with_debug_info.first.opaque());