Security: In-memory Cache UaF 2
Reported by nedwilli...@gmail.com, Apr 12 2018
Issue description

VULNERABILITY DETAILS
There's another variant of http://crbug.com/827492 for the in-memory cache when doing cache clearing (DoomAllEntries/DoomEntriesBetween). It appears this code path isn't reachable until the network service is enabled by default, and even then I believe renderer control is needed. If it's indeed possible to clear the in-memory cache currently then this is more severe. Let's go ahead and fix this now so we can take our time merging the fix and don't have headaches if/when it becomes reachable.

Related network service bit - note the cache comes from the url_request_context, which I think can have an in-memory cache: https://cs.chromium.org/chromium/src/services/network/http_cache_data_remover.cc?l=140&rcl=1c257c23dc3b13c22d5121401cf997341ffe475f

VERSION
Chrome Version: 65 Stable
Operating System: All that have in-memory/off-the-record cache

REPRODUCTION CASE
See attached patch and unit test (fix.patch).

FOR CRASHES, PLEASE INCLUDE THE FOLLOWING ADDITIONAL INFORMATION
Type of crash: Browser/Network Process
Crash State: See asan.log
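The iterate-and-doom hazard the report describes, modelled as an added C++ example (not code from the report, the attached patch, or Chromium): a parent entry owns child entries that also live in the LRU list, so dooming the parent frees the node a range-doom loop has already saved as `next`. The names Entry, MemCache, DoomRangeNaive and DoomRangeSafe, and the parent/child layout, are constructed for this illustration; the safe form shown is one fix shape, not necessarily the one the landed commit uses.

```cpp
// Added example, not Chromium code: models the hazard from the report. A parent entry
// owns child entries that also sit in the LRU list, and Doom() on the parent frees them.
#include <list>
#include <set>
#include <vector>
struct Entry {
  long last_used;
  Entry* parent;                 // nullptr for a top-level (parent) entry
  std::vector<Entry*> children;  // owned children (assumed model of sparse entries)
};
struct MemCache {
  std::list<Entry*> lru;  // oldest first
  std::set<Entry*> live;  // lets the demo detect a dangling pointer without dereferencing it
  ~MemCache() { for (Entry* e : lru) delete e; }
  Entry* Create(long last_used, Entry* parent = nullptr) {
    Entry* e = new Entry{last_used, parent, {}};
    if (parent) parent->children.push_back(e);
    lru.push_back(e); live.insert(e);
    return e;
  }
  void Erase(Entry* e) { lru.remove(e); live.erase(e); delete e; }
  // Dooming a parent dooms its children too, removing them from the LRU list.
  void Doom(Entry* e) { for (Entry* c : e->children) Erase(c); Erase(e); }
  static bool InRange(const Entry* e, long lo, long hi) { return e->last_used >= lo && e->last_used < hi; }
  // Buggy walk: saving `next` before Doom(cur) suffices for a flat list, but Doom(cur) may
  // free the node `next` points to. Returns false (hazard) instead of touching freed memory.
  bool DoomRangeNaive(long lo, long hi) {
    for (auto it = lru.begin(); it != lru.end();) {
      Entry* cur = *it++;
      Entry* next = (it == lru.end()) ? nullptr : *it;
      if (!cur->parent && InRange(cur, lo, hi)) Doom(cur);
      if (next && !live.count(next)) return false;  // `it` now names a freed child: the UaF
    }
    return true;
  }
  // Safe walk (one fix shape, not claimed to be Chromium's): collect first, then doom.
  int DoomRangeSafe(long lo, long hi) {
    std::vector<Entry*> victims;
    for (Entry* e : lru) if (!e->parent && InRange(e, lo, hi)) victims.push_back(e);
    for (Entry* e : victims) Doom(e);
    return static_cast<int>(victims.size());
  }
};
// Constructed layout: a parent, its child directly behind it, then a second parent.
static void BuildCache(MemCache& c) {
  Entry* p1 = c.Create(10); c.Create(15, p1); c.Create(20);
}
bool NaiveDoomIsSafe() { MemCache c; BuildCache(c); return c.DoomRangeNaive(0, 30); }  // false
int SafeDoomCount() { MemCache c; BuildCache(c); int n = c.DoomRangeSafe(0, 30); return c.lru.empty() ? n : -1; }  // 2
```

Under ASan the real bug shows up as a heap-use-after-free on the saved list node; here the `live` set stands in for the sanitizer so the demo can report the hazard without executing the faulty access.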
Apr 13 2018
Assigning Critical severity since this is out of the sandbox, jkarlin: feel free to readjust to high if that seems better (since this only happens with the network service enabled).
Apr 13 2018
Moving this one over to Maks as I don't have the cycles at the moment.
Apr 14 2018
This is a critical security issue. If you are not able to fix this quickly, please revert the change that introduced it. If this doesn't affect a release branch, or has not been properly classified for severity, please update the Security_Impact or Security_Severity labels, and remove the ReleaseBlock label. To disable this altogether, apply ReleaseBlock-NA. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Apr 16 2018
Not sure that something requiring a non-standard flag that's not set by any experiment (but which is in chrome://flags) should be ReleaseBlock. Having said that, IIRC NetworkContext methods are only supposed to be callable from the browser process, but I am not certain of the mechanism for that. You can indeed have an in-memory cache for a URLRequestContext --- that's what happens in incognito mode. (Patch does look good, on my queue for today)
Apr 16 2018
Josh, are you too busy to review as well?
Apr 16 2018
Nope, can review.
Apr 17 2018
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/9ab771022535b499e4d7a7f12fa6c60a294f7de4

commit 9ab771022535b499e4d7a7f12fa6c60a294f7de4
Author: Maks Orlovich <morlovich@chromium.org>
Date: Tue Apr 17 01:10:32 2018

[MemCache] Fix bug while iterating LRU list in range doom

This is the exact same thing as https://chromium-review.googlesource.com/c/chromium/src/+/987919 but on explicit mass-erase rather than eviction. Thanks to nedwilliamson@ (on gmail) for the report and testcase.

Bug: 831963
Change-Id: I96a46700c1f058f7feebe038bcf983dc40eb7102
Reviewed-on: https://chromium-review.googlesource.com/1014023
Commit-Queue: Maks Orlovich <morlovich@chromium.org>
Reviewed-by: Josh Karlin <jkarlin@chromium.org>
Cr-Commit-Position: refs/heads/master@{#551205}

[modify] https://crrev.com/9ab771022535b499e4d7a7f12fa6c60a294f7de4/net/disk_cache/backend_unittest.cc
[modify] https://crrev.com/9ab771022535b499e4d7a7f12fa6c60a294f7de4/net/disk_cache/memory/mem_backend_impl.cc
Apr 17 2018
We're not planning any further M65 releases and M66 is going to stable this week. Applying M-66, M-67 & M-68 labels. awhalley@, pls evaluate it for appropriate milestone merges. Thank you.
Apr 17 2018
govind@ - good for 67. Once it's been out in Dev or Beta for a bit, we can merge to 66 to pick it up in any re-spin.
Apr 17 2018
Approving merge to M67 branch 3396 based on comment #16. Please merge ASAP so we can pick it up for this week's Dev release. Thank you.
Apr 17 2018
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/76b3dbf91e4f5ebd348d53c03ef74c7fdf0b9037

commit 76b3dbf91e4f5ebd348d53c03ef74c7fdf0b9037
Author: Maks Orlovich <morlovich@chromium.org>
Date: Tue Apr 17 17:37:08 2018

[MemCache] Fix bug while iterating LRU list in range doom

This is the exact same thing as https://chromium-review.googlesource.com/c/chromium/src/+/987919 but on explicit mass-erase rather than eviction. Thanks to nedwilliamson@ (on gmail) for the report and testcase.

Bug: 831963
Change-Id: I96a46700c1f058f7feebe038bcf983dc40eb7102
Reviewed-on: https://chromium-review.googlesource.com/1014023
Commit-Queue: Maks Orlovich <morlovich@chromium.org>
Reviewed-by: Josh Karlin <jkarlin@chromium.org>
Cr-Original-Commit-Position: refs/heads/master@{#551205}
(cherry picked from commit 9ab771022535b499e4d7a7f12fa6c60a294f7de4)
Reviewed-on: https://chromium-review.googlesource.com/1015321
Reviewed-by: Maks Orlovich <morlovich@chromium.org>
Cr-Commit-Position: refs/branch-heads/3396@{#49}
Cr-Branched-From: 9ef2aa869bc7bc0c089e255d698cca6e47d6b038-refs/heads/master@{#550428}

[modify] https://crrev.com/76b3dbf91e4f5ebd348d53c03ef74c7fdf0b9037/net/disk_cache/backend_unittest.cc
[modify] https://crrev.com/76b3dbf91e4f5ebd348d53c03ef74c7fdf0b9037/net/disk_cache/memory/mem_backend_impl.cc
Apr 18 2018
Please mark security bugs as fixed as soon as the fix lands, and before requesting merges. This update is based on the merge- labels applied to this issue. Please reopen if this update was incorrect. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Apr 19 2018
Now that this has been out in Dev, requesting merge to M66 in case there's a respin.
Apr 19 2018
This bug requires manual review: Request affecting a post-stable build

Please contact the milestone owner if you have questions.
Owners: cmasso@(Android), cmasso@(iOS), josafat@(ChromeOS), abdulsyed@(Desktop)

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Apr 23 2018
Approving merge for M66 branch:3359
Apr 23 2018
Are any special steps required for the actual merge? I've only ever done early beta ones... (Also I am not sure of impact --- the only non-user-interaction-requiring path I can see involves the pnacl cache, and I don't know much about that).
Apr 25 2018
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/c352625fe9db8660710e9cce16a6d92c5e09a5b5

commit c352625fe9db8660710e9cce16a6d92c5e09a5b5
Author: Maks Orlovich <morlovich@chromium.org>
Date: Wed Apr 25 16:45:03 2018

[MemCache] Fix bug while iterating LRU list in range doom

This is the exact same thing as https://chromium-review.googlesource.com/c/chromium/src/+/987919 but on explicit mass-erase rather than eviction. Thanks to nedwilliamson@ (on gmail) for the report and testcase.

Bug: 831963
Change-Id: I96a46700c1f058f7feebe038bcf983dc40eb7102
Reviewed-on: https://chromium-review.googlesource.com/1014023
Commit-Queue: Maks Orlovich <morlovich@chromium.org>
Reviewed-by: Josh Karlin <jkarlin@chromium.org>
Cr-Original-Commit-Position: refs/heads/master@{#551205}
(cherry picked from commit 9ab771022535b499e4d7a7f12fa6c60a294f7de4)
Reviewed-on: https://chromium-review.googlesource.com/1028430
Reviewed-by: Maks Orlovich <morlovich@chromium.org>
Cr-Commit-Position: refs/branch-heads/3359@{#765}
Cr-Branched-From: 66afc5e5d10127546cc4b98b9117aff588b5e66b-refs/heads/master@{#540276}

[modify] https://crrev.com/c352625fe9db8660710e9cce16a6d92c5e09a5b5/net/disk_cache/backend_unittest.cc
[modify] https://crrev.com/c352625fe9db8660710e9cce16a6d92c5e09a5b5/net/disk_cache/memory/mem_backend_impl.cc
Apr 27 2018
*** Boilerplate reminders! ***

Please do NOT publicly disclose details until a fix has been released to all our users. Early public disclosure may cancel the provisional reward. Also, please be considerate about disclosure when the bug affects a core library that may be used by other products.

Please do NOT share this information with third parties who are not directly involved in fixing the bug. Doing so may cancel the provisional reward.

Please be honest if you have already disclosed anything publicly or to third parties.

Lastly, we understand that some of you are not interested in money. We offer the option to donate your reward to an eligible charity. If you prefer this option, let us know and we will also match your donation - subject to our discretion. Any rewards that are unclaimed after 12 months will be donated to a charity of our choosing.

*********************************
Apr 27 2018
Very nicely done, nedwilliamson@! The Chrome VRP panel decided to award $10,500 for this report and patch :-)
Apr 27 2018
Wow! Thanks so much again for the generous reward!
Jul 26
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by elawrence@chromium.org, Apr 12 2018