The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/866d1237c72059624def2242e218a7dfe78b125e

commit 866d1237c72059624def2242e218a7dfe78b125e
Author: jochen <jochen@chromium.org>
Date: Tue May 03 11:08:14 2016

Dispatch events in isolated worlds, even if script execution is forbidden

BUG=608286, 607072 
R=mkwst@chromium.org

Review-Url: https://codereview.chromium.org/1939713003
Cr-Commit-Position: refs/heads/master@{#391197}

[modify] https://crrev.com/866d1237c72059624def2242e218a7dfe78b125e/components/test_runner/mock_content_settings_client.cc
[modify] https://crrev.com/866d1237c72059624def2242e218a7dfe78b125e/components/test_runner/mock_content_settings_client.h
[add] https://crrev.com/866d1237c72059624def2242e218a7dfe78b125e/third_party/WebKit/LayoutTests/fast/events/events-in-isolated-world-expected.txt
[add] https://crrev.com/866d1237c72059624def2242e218a7dfe78b125e/third_party/WebKit/LayoutTests/fast/events/events-in-isolated-world.html
[modify] https://crrev.com/866d1237c72059624def2242e218a7dfe78b125e/third_party/WebKit/LayoutTests/permissionclient/script-permissions-expected.txt
[modify] https://crrev.com/866d1237c72059624def2242e218a7dfe78b125e/third_party/WebKit/Source/bindings/core/v8/V8EventListener.cpp

(note that the other way round works, allow all script but block some URLs)

Is this just referring to the secondary pattern? In other words - I think I can block scripts and allow them on a per-top-level origin basis, but not on a per <script> basis (which someone may try to do via policy, etc). Is my understanding correct?

right, that's for the secondary pattern. I guess you can also set it via an extension API? not sure...

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/856fc5567263cadd3edcfd56c1d8e6e6b6873f07

commit 856fc5567263cadd3edcfd56c1d8e6e6b6873f07
Author: Yuki Yamada <yukiy@google.com>
Date: Thu Aug 23 11:31:06 2018

Check script execution is forbidden or not only in MainWorld

We should not forbid script execution in isolated worlds when
dispatching events (it should be operated by disabling Chrome
extension), so checking execution setting is necessary only in main
world.
V8EventListenerOrEventHandler::CallListenerFunction() already
implements this, so this CL make
GeneratedCodeHelper::IsCallbackRunnable() to do the same conditional
check for other callbacks generated by IDL files.

Test for this is already exists:
https://cs.chromium.org/chromium/src/third_party/WebKit/LayoutTests/fast/events/events-in-isolated-world.html

Bug:  872138 , 608286, 608641
Change-Id: Ibc38e6033d6d0462362012f1c49271548c26a8ec
Reviewed-on: https://chromium-review.googlesource.com/1186212
Reviewed-by: Kentaro Hara <haraken@chromium.org>
Reviewed-by: Yuki Shiino <yukishiino@chromium.org>
Commit-Queue: Yuki Yamada <yukiy@google.com>
Cr-Commit-Position: refs/heads/master@{#585449}
[modify] https://crrev.com/856fc5567263cadd3edcfd56c1d8e6e6b6873f07/third_party/blink/renderer/bindings/core/v8/generated_code_helper.cc