Make downloads.download() respect host permissions

chrome/browser/download/download_extension_api.cc

Index: chrome/browser/download/download_extension_api.cc
diff --git a/chrome/browser/download/download_extension_api.cc b/chrome/browser/download/download_extension_api.cc
index 48006b83ce1ae96bdbcd98f17722a4bffec249a1..72d9506fabe7e65c3a37402af235a4ec3605b2c9 100644
--- a/chrome/browser/download/download_extension_api.cc
+++ b/chrome/browser/download/download_extension_api.cc
@@ -381,6 +381,14 @@ bool DownloadsDownloadFunction::ParseArgs() {
     return false;
   }
 
+  if (!iodata_->url.SchemeIs("data") &&
+      !iodata_->url.SchemeIs("filesystem") &&

[Aaron Boodman, 2012/05/02 22:52:07]

Isn't this a way to circumvent host permissions? The extension will be able to
download filesystem:http://www.google.com, even if it doesn't have host
permissions to google.com. That doesn't seem right?

I'm not sure about blobs. Are blobs tied to an origin? Or are they globally
unique ids? If the latter, I suppose the extension would have had already had to
have access to an origin in order to get the blob URL in the first place, so it
is fine.

[ericu, 2012/05/02 23:26:32]

Yeah, this isn't right.  Just take !iodata_->url.SchemeIs("filesystem") off the
restriction list.  Once https://chromiumcodereview.appspot.com/10224011/ lands,
HasHostPermission will do the right thing with filesystem URLs.  And before it's
landed, this check as written would be a security hole, as Aaron points out.
Blobs are tied to an origin, but I don't know if you can view them cross-origin
or not.  MichaelN says you can.  I'd suggest checking with abarth if you want a
security expert opinion.

+      !iodata_->url.SchemeIs("blob") &&
+      !GetExtension()->HasHostPermission(iodata_->url)) {
+    error_ = download_extension_errors::kInvalidURLError;
+    return false;
+  }
+
   if (options->HasKey(kFilenameKey)) {
     EXTENSION_FUNCTION_VALIDATE(options->GetString(
         kFilenameKey, &iodata_->filename));