Security: web_accessible_resources can be bypassed when Chrome runs in a site isolation mode.
Issue description

VULNERABILITY DETAILS
When Chrome runs in --isolate-extensions or --site-per-process mode, it is vulnerable to bypass of extensions' web_accessible_resources restrictions. The core problem existed in regular mode Chrome, but is reported and fixed in issue 576867.

VERSION
Chrome Version: 53.0.2753.0
Operating System: All platforms with extensions support.

REPRODUCTION CASE
Issue 576867 describes the repro steps, copied here for convenience:
1. Create an iframe element with 'src=' to an allowed page of the extension.
2. Create an 'onload' event, which calls a javascript function.
3. This function should only change the 'src=' of the iframe to a non-allowed page of the extension.
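The three repro steps replayed against a small model of the check that the fix changes. This is an added example, not code from the issue or from Chromium: the extension id, manifest, origins and the "which process hosts the frame" field are constructed for illustration, and `oldCheck`/`newCheck` are hypothetical functions modelled on the commit message's description (the real enforcement is in extension_protocols.cc and the ExtensionNavigationThrottle the fix adds).

```javascript
// Added example (not Chromium code): a toy model of the web_accessible_resources
// navigation check before and after the fix in this issue, driven by the three
// repro steps. Extension id, manifest, origins and the frameProcess field are
// constructed; real enforcement lives in extension_protocols.cc and the
// ExtensionNavigationThrottle added by the fix.

const EXTENSION_ID = 'abcdefghijklmnopabcdefghijklmnop'; // hypothetical id
const EXTENSION_ORIGIN = `chrome-extension://${EXTENSION_ID}`;

// Constructed manifest: only public.html is declared web-accessible.
const manifest = {
  name: 'demo',
  web_accessible_resources: ['public.html'],
};

function isWebAccessible(path) {
  return manifest.web_accessible_resources.includes(path);
}

// A navigation as the browser sees it:
//   initiator    - origin of the document that started the navigation
//   path         - extension resource being requested
//   frameProcess - 'web' or 'extension', the process currently hosting the frame
function oldCheck(nav) {
  // Pre-fix logic as described in the commit message: a navigation performed in
  // an extension process is allowed outright; only web-process navigations are
  // checked against the manifest. That shortcut was sound only while extension
  // pages iframed by web content stayed in the web renderer.
  if (nav.frameProcess === 'extension') return 'allow';
  return isWebAccessible(nav.path) ? 'allow' : 'block';
}

function newCheck(nav) {
  // Post-fix logic, modelled on the throttle: decide from who initiated the
  // navigation, not from which process happens to host the frame. The
  // extension's own documents may navigate to any of its resources; everyone
  // else is limited to what the manifest declares.
  if (nav.initiator === EXTENSION_ORIGIN) return 'allow';
  return isWebAccessible(nav.path) ? 'allow' : 'block';
}

// Replays the repro: an attacker page iframes an allowed extension page, then its
// onload handler swaps iframe.src to a non-allowed page. With --isolate-extensions
// the frame moves into the extension process as soon as the first (allowed)
// navigation commits; without it the iframe stays in the web renderer.
function runRepro(check, isolateExtensions) {
  const attacker = 'https://attacker.example'; // constructed origin
  let frameProcess = 'web';

  // Step 1: <iframe src="chrome-extension://<id>/public.html">
  const first = check({ initiator: attacker, path: 'public.html', frameProcess });
  if (first === 'allow' && isolateExtensions) frameProcess = 'extension';

  // Steps 2-3: onload -> iframe.src = "chrome-extension://<id>/secret.html"
  // The handler runs in the attacker's document, so the initiator is still the
  // attacker origin even though the frame now lives in the extension process.
  const second = check({ initiator: attacker, path: 'secret.html', frameProcess });
  return { first, second };
}

// Demo output for the reader: the old check lets secret.html through only when
// site isolation has moved the frame into the extension process.
for (const [name, check] of [['old check', oldCheck], ['new check', newCheck]]) {
  for (const iso of [false, true]) {
    const r = runRepro(check, iso);
    console.log(`${name}, isolate-extensions=${iso}: public.html=${r.first}, secret.html=${r.second}`);
  }
}
```

The model makes the root cause concrete: the pre-fix check used the hosting process as a proxy for "this navigation was initiated by the extension", and site isolation broke that proxy by putting every extension frame, including attacker-created ones, into an extension process. Keying the decision on the initiator instead holds under both process models.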
Jun 2 2016
As I've been thinking about solving this, I'm not sure if it is indeed a problem. It all depends on what is the original threat model for web_accessible_resources. With --isolate-extensions, the non-accessible resource is still loaded in the iframe, which runs in the same process as the extension, so there is no data leakage to a regular renderer process which can be under the control of an attacker. I'll try to poke around and see if I can find what are the attack vectors we are looking to protect from, so a decision can be made whether this is indeed a bug or not.
Jun 2 2016
Jun 3 2016
Jun 7 2016
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/b9164c43d2900c967f4fdb5ebfc4812f7e914116

commit b9164c43d2900c967f4fdb5ebfc4812f7e914116
Author: nasko <nasko@chromium.org>
Date: Tue Jun 07 01:21:35 2016

Fix web_accessible_resources enforcement for Site Isolation.

When --isolate-extensions or --site-per-process modes are enabled, all extension frames run in extension processes and are not mixed in regular web renderers. This causes a problem with security checks for web_accessible_resources, which allow all navigations to extension pages when they are performed in an extension process. This is no longer true and this patch addresses this by using a NavigationThrottle to perform the proper checks on the UI thread (also PlzNavigate compatible).

BUG=616488
CQ_INCLUDE_TRYBOTS=tryserver.chromium.linux:linux_site_isolation

Review-Url: https://codereview.chromium.org/2042483002
Cr-Commit-Position: refs/heads/master@{#398189}

[modify] https://crrev.com/b9164c43d2900c967f4fdb5ebfc4812f7e914116/chrome/browser/chrome_content_browser_client.cc
[modify] https://crrev.com/b9164c43d2900c967f4fdb5ebfc4812f7e914116/chrome/browser/extensions/extension_protocols_unittest.cc
[modify] https://crrev.com/b9164c43d2900c967f4fdb5ebfc4812f7e914116/chrome/test/data/extensions/platform_apps/web_view/shim/main.js
[modify] https://crrev.com/b9164c43d2900c967f4fdb5ebfc4812f7e914116/content/browser/frame_host/navigation_handle_impl.cc
[modify] https://crrev.com/b9164c43d2900c967f4fdb5ebfc4812f7e914116/content/browser/loader/navigation_resource_throttle.cc
[modify] https://crrev.com/b9164c43d2900c967f4fdb5ebfc4812f7e914116/content/public/browser/navigation_throttle.h
[add] https://crrev.com/b9164c43d2900c967f4fdb5ebfc4812f7e914116/extensions/browser/extension_navigation_throttle.cc
[add] https://crrev.com/b9164c43d2900c967f4fdb5ebfc4812f7e914116/extensions/browser/extension_navigation_throttle.h
[modify] https://crrev.com/b9164c43d2900c967f4fdb5ebfc4812f7e914116/extensions/browser/extension_protocols.cc
[modify] https://crrev.com/b9164c43d2900c967f4fdb5ebfc4812f7e914116/extensions/extensions.gypi
[modify] https://crrev.com/b9164c43d2900c967f4fdb5ebfc4812f7e914116/extensions/test/data/web_view/apitest/main.js
[modify] https://crrev.com/b9164c43d2900c967f4fdb5ebfc4812f7e914116/testing/buildbot/filters/isolate-extensions.browser_tests.filter
[modify] https://crrev.com/b9164c43d2900c967f4fdb5ebfc4812f7e914116/testing/buildbot/filters/site-per-process.browser_tests.filter
Jun 7 2016
Removing the blocking label as the security bug is now fixed. I still need to add some unit tests, so not resolving as fixed yet.
Jun 10 2016
Let's keep this closed. You can add more tests to the same bug or file another tracking functional bug, but we need to track the security fix here.
Jun 11 2016
Sep 17 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by creis@chromium.org, Jun 1 2016