cef/patch/patches/browser_security_policy_108...

57 lines
2.7 KiB
Diff

diff --git content/browser/child_process_security_policy_impl.cc content/browser/child_process_security_policy_impl.cc
index 16119afeb8d57..dcfde693b8327 100644
--- content/browser/child_process_security_policy_impl.cc
+++ content/browser/child_process_security_policy_impl.cc
@@ -1754,6 +1754,16 @@ bool ChildProcessSecurityPolicyImpl::CanAccessDataForMaybeOpaqueOrigin(
// DeclarativeApiTest.PersistRules.
if (actual_process_lock.matches_scheme(url::kDataScheme))
return true;
+
+ // Allow other schemes that are non-standard, non-local and WebSafe.
+ if (lock_url.is_valid() &&
+ !lock_url.IsStandard() &&
+ !base::Contains(url::GetLocalSchemes(),
+ lock_url.scheme_piece()) &&
+ base::Contains(schemes_okay_to_request_in_any_process_,
+ lock_url.scheme())) {
+ return true;
+ }
}
// TODO(wjmaclean): We should update the ProcessLock comparison API
diff --git content/browser/renderer_host/navigation_request.cc content/browser/renderer_host/navigation_request.cc
index 034915c79223e..1a6160b109583 100644
--- content/browser/renderer_host/navigation_request.cc
+++ content/browser/renderer_host/navigation_request.cc
@@ -6518,6 +6518,14 @@ std::pair<url::Origin, std::string> NavigationRequest::
origin_and_debug_info.second += ", error";
}
+ if (!origin_and_debug_info.first.GetURL().IsStandard()) {
+ // Always return an opaque origin for non-standard URLs. Otherwise, the
+ // CanAccessDataForOrigin() check may fail for unregistered custom scheme
+ // requests in CEF.
+ use_opaque_origin = true;
+ origin_and_debug_info.second += ", cef_nonstandard";
+ }
+
if (use_opaque_origin) {
origin_and_debug_info =
std::make_pair(origin_and_debug_info.first.DeriveNewOpaqueOrigin(),
@@ -6545,6 +6553,15 @@ std::pair<url::Origin, std::string> NavigationRequest::
GetOriginForURLLoaderFactoryWithoutFinalFrameHostWithDebugInfo(
SandboxFlagsToCommit());
+ if (origin_with_debug_info.first.opaque() &&
+ origin_with_debug_info.second.find("cef_nonstandard") !=
+ std::string::npos) {
+ // Always return an opaque origin for non-standard URLs. Otherwise, the
+ // below CanAccessDataForOrigin() check may fail for unregistered custom
+ // scheme requests in CEF.
+ return origin_with_debug_info;
+ }
+
// MHTML documents should commit as an opaque origin. They should not be able
// to make network request on behalf of the real origin.
DCHECK(!IsMhtmlOrSubframe() || origin_with_debug_info.first.opaque());