1diff --git content/browser/child_process_security_policy_impl.cc content/browser/child_process_security_policy_impl.cc
2index 620b3fdc4403a..f20399d453680 100644
3--- content/browser/child_process_security_policy_impl.cc
4+++ content/browser/child_process_security_policy_impl.cc
5@@ -1724,6 +1724,16 @@ bool ChildProcessSecurityPolicyImpl::CanAccessDataForMaybeOpaqueOrigin(
6 // DeclarativeApiTest.PersistRules.
7 if (actual_process_lock.matches_scheme(url::kDataScheme))
8 return true;
9+
10+ // Allow other schemes that are non-standard, non-local and WebSafe.
11+ if (lock_url.is_valid() &&
12+ !lock_url.IsStandard() &&
13+ !base::Contains(url::GetLocalSchemes(),
14+ lock_url.scheme_piece()) &&
15+ base::Contains(schemes_okay_to_request_in_any_process_,
16+ lock_url.scheme())) {
17+ return true;
18+ }
19 }
20
21 // TODO(wjmaclean): We should update the ProcessLock comparison API
22diff --git content/browser/renderer_host/navigation_request.cc content/browser/renderer_host/navigation_request.cc
23index 2f17127dc4ba6..32c7890a69379 100644
24--- content/browser/renderer_host/navigation_request.cc
25+++ content/browser/renderer_host/navigation_request.cc
26@@ -5896,6 +5896,12 @@ NavigationRequest::GetOriginForURLLoaderFactoryWithoutFinalFrameHost(
27 network::mojom::WebSandboxFlags sandbox_flags) {
28 // Calculate an approximation of the origin. The sandbox/csp are ignored.
29 url::Origin origin = GetOriginForURLLoaderFactoryUnchecked(this);
30+ if (!origin.GetURL().IsStandard()) {
31+ // Always return an opaque origin for non-standard URLs. Otherwise, the
32+ // below CanAccessDataForOrigin() check may fail for unregistered custom
33+ // scheme requests in CEF.
34+ return origin.DeriveNewOpaqueOrigin();
35+ }
36
37 // Apply sandbox flags.
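Review bot: The branch added to `ChildProcessSecurityPolicyImpl::CanAccessDataForMaybeOpaqueOrigin` returns true from properties of `lock_url` alone; nothing in the visible condition compares the process lock with the origin being checked, so a process locked to any non-standard, non-local, web-safe scheme passes for whichever origin reaches this block. The enclosing `if` and the definition of `lock_url` are outside the hunk, so the scope may already be narrow, but the comment should say which case that is and why skipping the lock comparison is acceptable, for example `// Non-standard schemes cannot be matched against the process lock here; only reached when <condition of enclosing block>.`. It is also worth confirming that `schemes_okay_to_request_in_any_process_` is read while the lock that guards it is held, and using either `scheme_piece()` or `scheme()` consistently in the two lookups.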
38 // See https://html.spec.whatwg.org/#sandboxed-origin-browsing-context-flag
39@@ -5929,6 +5935,15 @@ NavigationRequest::GetOriginForURLLoaderFactoryWithFinalFrameHost() {
40 if (IsSameDocument() || IsPageActivation())
41 return GetRenderFrameHost()->GetLastCommittedOrigin();
42
43+ // Calculate an approximation of the origin. The sandbox/csp are ignored.
44+ url::Origin unchecked_origin = GetOriginForURLLoaderFactoryUnchecked(this);
45+ if (!unchecked_origin.GetURL().IsStandard()) {
46+ // Always return an opaque origin for non-standard URLs. Otherwise, the
47+ // below CanAccessDataForOrigin() check may fail for unregistered custom
48+ // scheme requests in CEF.
49+ return unchecked_origin.DeriveNewOpaqueOrigin();
50+ }
51+
52 url::Origin origin = GetOriginForURLLoaderFactoryWithoutFinalFrameHost(
53 sandbox_flags_to_commit_.value());
54
55
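Review bot: The `!origin.GetURL().IsStandard()` guard in `GetOriginForURLLoaderFactoryWithoutFinalFrameHost` is probably wider than its comment: as far as I know `GetURL()` on an already-opaque origin yields an empty GURL, for which `IsStandard()` is false, so every opaque origin would take the early return, not only unregistered custom-scheme requests in CEF. The same guard in the `GetOriginForURLLoaderFactoryWithFinalFrameHost` hunk returns before the check the comment calls "the below CanAccessDataForOrigin() check", which lies outside the hunk, so that check would no longer run for those origins either. If that is intended, the comment should say so, for example `// Also taken for already-opaque origins; the access check below is skipped for them.`; otherwise narrow the condition to the custom-scheme case. Both function bodies continue outside their hunks, and the duplicated six-line block could live in one shared helper.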