Make ActiveTabPermissionManager also grant the tabs permission.

chrome/renderer/extensions/extension_dispatcher.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "chrome/renderer/extensions/extension_dispatcher.h"
 
 #include "base/callback.h"
 #include "base/command_line.h"
 #include "base/memory/scoped_ptr.h"
 #include "base/string_piece.h"
@@ skipping 59 matching lines @@
 using WebKit::WebDocument;
 using WebKit::WebFrame;
 using WebKit::WebScopedUserGesture;
 using WebKit::WebSecurityPolicy;
 using WebKit::WebString;
 using WebKit::WebVector;
 using WebKit::WebView;
 using content::RenderThread;
 using content::RenderView;
 using extensions::APIPermission;
+using extensions::APIPermissionSet;
 using extensions::ApiDefinitionsNatives;
 using extensions::AppWindowCustomBindings;
 using extensions::ContextMenusCustomBindings;
 using extensions::Extension;
 using extensions::ExperimentalAppCustomBindings;
 using extensions::ExperimentalUsbCustomBindings;
 using extensions::ExtensionAPI;
 using extensions::ExtensionCustomBindings;
 using extensions::Feature;
 using extensions::FileBrowserHandlerCustomBindings;
@@ skipping 839 matching lines @@
   // the target tab. This may change. Either way, if this is the target tab it
   // gives us the chance to check against the page ID to avoid races.
   DCHECK(view);
   if (view && view->GetPageId() != page_id)
     return;
 
   const Extension* extension = extensions_.GetByID(extension_id);
   if (!extension)
     return;
 
-  extension->SetTabSpecificHostPermissions(tab_id, origin_set);
+  extension->UpdateTabSpecificPermissions(
+      tab_id,
+      new PermissionSet(APIPermissionSet(), origin_set, URLPatternSet()));
 }
 
 void ExtensionDispatcher::OnClearTabSpecificPermissions(
     int tab_id,
     const std::vector<std::string>& extension_ids) {
   for (std::vector<std::string>::const_iterator it = extension_ids.begin();
        it != extension_ids.end(); ++it) {
     const Extension* extension = extensions_.GetByID(*it);
     if (extension)
-      extension->ClearTabSpecificHostPermissions(tab_id);
+      extension->ClearTabSpecificPermissions(tab_id);
   }
 }
 
 void ExtensionDispatcher::OnUpdateUserScripts(
     base::SharedMemoryHandle scripts) {
   DCHECK(base::SharedMemory::IsHandleValid(scripts)) << "Bad scripts handle";
   user_script_slave_->UpdateScripts(scripts);
   UpdateActiveExtensions();
 }
 
@@ skipping 88 matching lines @@
 }
 
 bool ExtensionDispatcher::CheckCurrentContextAccessToExtensionAPI(
     const std::string& function_name) const {
   ChromeV8Context* context = v8_context_set().GetCurrent();
   if (!context) {
     DLOG(ERROR) << "Not in a v8::Context";
     return false;
   }
 
-  if (!context->extension() ||
+  if (!context->extension()) {
+    v8::ThrowException(
+        v8::Exception::Error(v8::String::New("Not in an extension.")));
+    return false;
+  }
+
+  // Whitelist tabs.executeScript and tabs.insertCSS since they might be
+  // controlled by activeTab. The browser will do the relevant access checks.
+  // We either do this or propagate all tab IDs to renderers with extensions
+  // that have activeTab.
+  bool skip_permission_check = (function_name == "tabs.executeScript") ||

[Aaron Boodman, 2012/07/31 14:53:43]

Wait, then why are we sending the active tab permissions into the renderers in
the first place?

[not at google - send to devlin, 2012/07/31 15:09:05]

The renderer does a check in UserScriptScheduler against the host permissions,
as the last thing that checks permissions before injecting the script (the
browser also does, but acknowledges race conditions with the page changing in
the 

That involves sending the active tab permissions to the renderer that has the
permissions (nothing is sent to the background page).

But for this to work (avoiding whitelisting these functions), we'd need to send
the active tab stuff for every renderer to the background page. Come to think of
it, that's not so unreasonable. More IPC code but whatever.

[not at google - send to devlin, 2012/08/01 13:57:04]

I remember again why I did this. Oops. Comment updated.

+                               (function_name == "tabs.insertCSS");
+
+  if (!skip_permission_check &&
       !context->extension()->HasAPIPermission(function_name)) {
     static const char kMessage[] =
         "You do not have permission to use '%s'. Be sure to declare"
         " in your manifest what permissions you need.";
     std::string error_msg = base::StringPrintf(kMessage, function_name.c_str());
     v8::ThrowException(
         v8::Exception::Error(v8::String::New(error_msg.c_str())));
     return false;
   }
 
@@ skipping 11 matching lines @@
   // APIs, they don't get extension bindings injected. If we end up here it
   // means that a sandboxed page somehow managed to invoke an API anyway, so
   // we should abort.
   WebKit::WebFrame* frame = context->web_frame();
   ExtensionURLInfo url_info(frame->document().securityOrigin(),
       extensions::UserScriptSlave::GetDataSourceURLForFrame(frame));
   CHECK(!extensions_.IsSandboxedPage(url_info));
 
   return true;
 }