oka@ - Could you take a look at this please?

Note: I also was unable to preview a video file as well, but preview for .pdf and .txt files are working.

Which device did you use?

Reproduced on ToT 7602f48856384abd726f94c0da089b517acc9017 on Linux.

OK (Not reproduced) on Mar 20  # git rev-list -n 1 --before="2017-03-20" master

 Issue 707141  has been merged into this issue.

NG on Mar 25.

OK on Mar 22.

OK on Mar 23.

NG on Mar 24.

OK on Mar 23 12:00.

The culprit is https://codereview.chromium.org/2768863003

Hi, alexmos@. 
Your CL https://codereview.chromium.org/2768863003 looks broke Files app Quick View. Could you revert the patch?

In Quick View, resources like images are rendered inside webview to provide better security. After the CL, the resources are not rendered anymore, which is bad.
If it's WAI that the resource load is blocked, could you tell me how can properly fix this? Thank you.

For reference, src of the webview element is assigned here https://cs.chromium.org/chromium/src/ui/file_manager/file_manager/foreground/elements/files_safe_media.js?l=63

I don't have a ChromeOS device to try out the repro right now, but will do that asap.  Which URLs are blocked inside the webview exactly?  If they are app resources, can you add them to "accessible_resources" for the webview in the manifest? Presumably here: https://cs.chromium.org/chromium/src/ui/file_manager/file_manager/manifest.json?type=cs&l=54

Oh, fun.  Charlie helped me inspect the image preview dialog in the Files app, and it turns out the previewed image is a blob URL with the Files app's origin: 

  <img id="content" src="blob:chrome-extension://hhaomjibdihmijegdhdafkllkbggdgoj/faa9a25e-ccb3-4e7c-a72f-36ac53074ca6">

The location of the webview itself is an app resource listed in accessible_resources, so the webview itself fine.  But the image's blob URL obviously fails the accessible_resources check in WebviewInfo::IsResourceWebviewAccessible, which simply tries to match the path to those in accessible_resources.

For regular extensions, we don't treat blob URLs as web-accessible for security reasons, see ChromeContentBrowserClientExtensionsPart::ShouldAllowOpenURL, https://cs.chromium.org/chromium/src/chrome/browser/extensions/chrome_content_browser_client_extensions_part.cc?q=shouldallowopenurl+package:%5Echromium$&l=588.  

lfg@: what's your take on what the behavior should be for webview for blob URLs with the app's origin?

It seems that if the <webview> is already at a webview-accessible resource URL, it should be allowed to create and use blob URLs for its own subresources.  Those blob URLs will have the embedder app's origin, just like the webview itself.  I also don't see a way to distinguish those blob URLs from those created in the embedder and passed into the webview (e.g., via postMessage) which is actually what the Files app appears to be doing.

I'll aim to put up a fix for this in the next couple of days.

Attached a video of how to reproduce it on Linux. Hope it helps.

Deleted: reproduce_706537.webm 345 KB

	reproduce_706537.webm 345 KB View Download

OK, I think my theory about image blob URLs in #15 was wrong.  Blob URLs with the app's origin load just fine inside of webview, because a blob request is created via BlobProtocolHandler, which doesn't ever call the webview-accessible resource checks in AllowCrossRendererResourceLoad.  (That is only done by ExtensionProtocolHandler::MaybeCreateJob.)

Instead, after inspecting the problem on a ChromeOS dev device with creis@, I see that this is due to this script not loading inside the webview:
  chrome-extension://hhaomjibdihmijegdhdafkllkbggdgoj/foreground/elements/files_safe_media_webview_content.js

This script is embedded by all three webview-accessible HTML pages used in the preview, and it's blocked because it isn't in the accessible_resources list.  The right fix here should be just to add "foreground/elements/files_safe_media_webview_content.js" into "accessible_resources" in the manifest for the "trusted" partition.  (If there are any other app resources used inside the <webview>, they should be added as well.)

Thank you so much for your investigation!
I sent a CL to add files_safe_media_webview_content.js to accessible_resources.
https://codereview.chromium.org/2797893003/

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/c433f3648b6a43e43318b0ba72717fd42304b76e

commit c433f3648b6a43e43318b0ba72717fd42304b76e
Author: oka <oka@chromium.org>
Date: Wed Apr 05 01:56:51 2017

Fix the issue that Quick View doesn't load images.

The files_safe_media_webview_content.js, which is loaded inside webview,
should be whitelisted in accessible_resources.

Quick view had happened to be working before 2768863003 was checked in.
After the bug fix on webview is submitted, this proper fix is needed for
Quick view to work.

BUG= 706537 
TEST=manually tested Quick View opens an image file.
CQ_INCLUDE_TRYBOTS=master.tryserver.chromium.linux:closure_compilation

Review-Url: https://codereview.chromium.org/2797893003
Cr-Commit-Position: refs/heads/master@{#461935}

[modify] https://crrev.com/c433f3648b6a43e43318b0ba72717fd42304b76e/ui/file_manager/file_manager/manifest.json

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/968dd8975ab73d3abecd20c171bd4e3a6af7bf71

commit 968dd8975ab73d3abecd20c171bd4e3a6af7bf71
Author: alexmos <alexmos@chromium.org>
Date: Wed Apr 05 22:27:05 2017

Add a test for webview using a blob URL while at a webview-accessible resource.

This was written to try out a theory on  issue 706537 .  Nothing turned
out not to be broken, but I thought this test might be useful anyway.
There doesn't appear to be an existing test for this, and it
gets us some coverage for behavior on which the ChromeOS Files app
relies.

BUG= 640072 , 706537 

Review-Url: https://codereview.chromium.org/2799803002
Cr-Commit-Position: refs/heads/master@{#462246}

[modify] https://crrev.com/968dd8975ab73d3abecd20c171bd4e3a6af7bf71/chrome/browser/apps/guest_view/web_view_browsertest.cc
[modify] https://crrev.com/968dd8975ab73d3abecd20c171bd4e3a6af7bf71/chrome/test/data/extensions/platform_apps/web_view/load_webview_accessible_resource/embedder.js

Should be fixed by r461935

Verified on ChromeOS  9449.0.0 / 59.0.3065.0