Attaching PoC.
Just confirmed that this works with chrome://flags/#pdf-isolation enabled.

Deleted: PoC.html 522 bytes

PoC.html 522 bytes View Download

Passing over to Site isolation folks to further decide who should own this/whether it should be a separate security bug or is already tracked by site isolation. Assigning it security medium tentatively.

+tsepez@ who AFAIR worked on PDF isolation

I have trouble identifying where "checks if message source's origin is same as PDF's" are happening.  I don't see such checks in OutOfProcessInstance::HandleMessage (where getSelectedTextReply is sent in response to kJSGetSelectedTextType).  I also don't see an explicit origin field in the PpapiHostMsg_PPBInstance_PostMessage IPC (which AFAIU is sent directly from the rendererer which embeds the plugin into the plugin host process).

FWIW, I believe a similar bug might be present in window.postMessage (I've opened  issue 915721  to track this).

Given that it is known that Site Isolation doesn't yet protect against compromised renderers, I think this should be tracked as a regular, non-security bug and/or feature work.  What do you all think?

>I have trouble identifying where "checks if message source's origin is same as PDF's" are happening.

Following is the check.
https://cs.chromium.org/chromium/src/chrome/browser/resources/pdf/pdf_viewer.js?q=getSelectedTextReply&sq=package:chromium&g=0&l=856

Give lack of responses to #c5 above, let me open this bug up.

Even though this is not a security *bug* (but rather part of feature work for Site Isolation enforcements), I think that we should still consider this bug for VRP, given that we were not aware of these particular gaps.

I think the attack should be prevented now (after r621839 and r622165).