Create WebappsClient::IsOriginConsideredSecure

This allows //chrome to mark isolated-app: as a secure scheme for the
purpose of app installation. This will be tested in an upcoming
browser test.

Bug: 1333966
Change-Id: I523461e7c270561e66f7295a93c1a75e46b292e0
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3950213
Commit-Queue: Robbie McElrath <rmcelrath@chromium.org>
Reviewed-by: Dmitrii Kuragin <kuragin@chromium.org>
Reviewed-by: Glenn Hartmann <hartmanng@chromium.org>
Cr-Commit-Position: refs/heads/main@{#1059365}

chrome/browser/webapps/chrome_webapps_client.cc

@@ -8,9 +8,11 @@
 #include "base/no_destructor.h"
 #include "build/build_config.h"
 #include "chrome/browser/ssl/security_state_tab_helper.h"
+#include "chrome/common/url_constants.h"
 #include "components/infobars/content/content_infobar_manager.h"
 #include "components/webapps/browser/installable/installable_metrics.h"
 #include "content/public/browser/web_contents.h"
+#include "url/origin.h"
 
 #if BUILDFLAG(IS_ANDROID)
 #include "chrome/browser/android/shortcut_helper.h"
@@ -34,6 +36,10 @@ ChromeWebappsClient* ChromeWebappsClient::GetInstance() {
   return instance.get();
 }
 
+bool ChromeWebappsClient::IsOriginConsideredSecure(const url::Origin& origin) {
+  return origin.scheme() == chrome::kIsolatedAppScheme;
+}
+
 security_state::SecurityLevel
 ChromeWebappsClient::GetSecurityLevelForWebContents(
     content::WebContents* web_contents) {

chrome/browser/webapps/chrome_webapps_client.h

@@ -9,6 +9,10 @@
 #include "build/build_config.h"
 #include "components/webapps/browser/webapps_client.h"
 
+namespace url {
+class Origin;
+}
+
 namespace webapps {
 
 class ChromeWebappsClient : public WebappsClient {
@@ -19,6 +23,7 @@ class ChromeWebappsClient : public WebappsClient {
   static ChromeWebappsClient* GetInstance();
 
   // WebappsClient:
+  bool IsOriginConsideredSecure(const url::Origin& origin) override;
   security_state::SecurityLevel GetSecurityLevelForWebContents(
       content::WebContents* web_contents) override;
   infobars::ContentInfoBarManager* GetInfoBarManagerForWebContents(

components/webapps/browser/installable/installable_manager.cc

@@ -290,9 +290,12 @@ bool InstallableManager::IsContentSecure(content::WebContents* web_contents) {
 
 // static
 bool InstallableManager::IsOriginConsideredSecure(const GURL& url) {
-  return net::IsLocalhost(url) ||
+  auto origin = url::Origin::Create(url);
+  auto* webapps_client = webapps::WebappsClient::Get();
+  return (webapps_client && webapps_client->IsOriginConsideredSecure(origin)) ||
+         net::IsLocalhost(url) ||
          network::SecureOriginAllowlist::GetInstance().IsOriginAllowlisted(
-             url::Origin::Create(url));
+             origin);
 }
 
 void InstallableManager::GetData(const InstallableParams& params,

components/webapps/browser/webapps_client.h

@@ -18,6 +18,10 @@ namespace infobars {
 class ContentInfoBarManager;
 }  // namespace infobars
 
+namespace url {
+class Origin;
+}  // namespace url
+
 namespace webapps {
 
 class AppBannerManager;
@@ -37,6 +41,11 @@ class WebappsClient {
   // Return the webapps client.
   static WebappsClient* Get();
 
+  // Returns true if the given Origin should be considered secure enough to
+  // host an app. Returning false signals that other checks should be
+  // performed, not that the app is insecure.
+  virtual bool IsOriginConsideredSecure(const url::Origin& url) = 0;
+
   virtual security_state::SecurityLevel GetSecurityLevelForWebContents(
       content::WebContents* web_contents) = 0;
 

weblayer/browser/webapps/weblayer_webapps_client.cc

@@ -23,6 +23,7 @@
 #include "ui/android/color_utils_android.h"
 #include "ui/gfx/android/java_bitmap.h"
 #include "url/gurl.h"
+#include "url/origin.h"
 #include "weblayer/browser/webapps/webapk_install_scheduler.h"
 #include "weblayer/browser/webapps/webapps_utils.h"
 #include "weblayer/browser/webapps/weblayer_app_banner_manager_android.h"
@@ -43,6 +44,11 @@ void WebLayerWebappsClient::Create() {
   instance.get();
 }
 
+bool WebLayerWebappsClient::IsOriginConsideredSecure(
+    const url::Origin& origin) {
+  return false;
+}
+
 security_state::SecurityLevel
 WebLayerWebappsClient::GetSecurityLevelForWebContents(
     content::WebContents* web_contents) {

weblayer/browser/webapps/weblayer_webapps_client.h

@@ -14,6 +14,10 @@
 
 class GURL;
 
+namespace url {
+class Origin;
+}
+
 namespace weblayer {
 
 class WebLayerWebappsClient : public webapps::WebappsClient {
@@ -28,6 +32,7 @@ class WebLayerWebappsClient : public webapps::WebappsClient {
   static void Create();
 
   // WebappsClient:
+  bool IsOriginConsideredSecure(const url::Origin& origin) override;
   security_state::SecurityLevel GetSecurityLevelForWebContents(
       content::WebContents* web_contents) override;
   infobars::ContentInfoBarManager* GetInfoBarManagerForWebContents(