Similar to issue 286074 for NPAPI requests, we should switch PPAPI network requests to go straight to the browser process instead of going through the renderer process.
The motivation is that plugins can request documents from any origin, but we want to restrict which documents can be given to renderer processes as part of Site Isolation (see issue 268640). If we implement this cross-site document blocking for the renderer, it could block legitimate plugin requests as well.
From jam@:
"The implementation of pepper APIs, in this case PPB_URLLoader_API, is in ppapi/proxy/url_loader_resource.cc. They proxy all the calls to the renderer (see the Post(RENDERER calls in ppapi/proxy/url_loader_resource.cc). These can be switched to be Post(BROWSER, and then dispatch the IPCs in the browser (see these examples: https://cs.chromium.org/search/?q=%22Post(BROWSER%22+case:yes&sq=package:chromium&type=cs)."
Comment 1 by creis@chromium.org, Nov 21 2017