
Unified Diff: chrome/browser/extensions/api/web_request/web_request_permissions.cc

Issue 10825102: Protect Chrome WebStore based on process IDs (Closed) Base URL: svn://svn.chromium.org/chrome/trunk/src
Patch Set: Fix unit tests Created 8 years, 5 months ago
Index: chrome/browser/extensions/api/web_request/web_request_permissions.cc
diff --git a/chrome/browser/extensions/api/web_request/web_request_permissions.cc b/chrome/browser/extensions/api/web_request/web_request_permissions.cc
index ca84616cef269801c45ad9761d46ccdcb5c36387..fabea0007ecdaed4196c110c01f64c1a15c4fce6 100644
--- a/chrome/browser/extensions/api/web_request/web_request_permissions.cc
+++ b/chrome/browser/extensions/api/web_request/web_request_permissions.cc
@@ -8,37 +8,43 @@
#include "base/stringprintf.h"
#include "chrome/browser/extensions/extension_info_map.h"
#include "chrome/common/extensions/extension.h"
+#include "chrome/common/extensions/extension_constants.h"
#include "chrome/common/url_constants.h"
+#include "content/public/browser/resource_request_info.h"
#include "googleurl/src/gurl.h"
#include "net/url_request/url_request.h"
+using content::ResourceRequestInfo;
+
namespace {
// Returns true if the URL is sensitive and requests to this URL must not be
// modified/canceled by extensions, e.g. because it is targeted to the webstore
// to check for updates, extension blacklisting, etc.
bool IsSensitiveURL(const GURL& url) {
- // TODO(battre) Merge this, CanExtensionAccessURL of web_request_api.cc and
+ // TODO(battre) Merge this, CanExtensionAccessURL and
// Extension::CanExecuteScriptOnPage into one function.
- bool is_webstore_gallery_url =
- StartsWithASCII(url.spec(), extension_urls::kGalleryBrowsePrefix, true);
bool sensitive_chrome_url = false;
if (EndsWith(url.host(), "google.com", true)) {
- sensitive_chrome_url |= (url.host() == "www.google.com") &&
- StartsWithASCII(url.path(), "/chrome", true);
- sensitive_chrome_url |= (url.host() == "chrome.google.com");
+ // This protects requests to several internal services such as sync,
+ // extension update pings, captive portal detection, fraudulent certificate
+ // reporting, autofill and others.
if (StartsWithASCII(url.host(), "client", true)) {
for (int i = 0; i < 10; ++i) {
- sensitive_chrome_url |=
+ sensitive_chrome_url = sensitive_chrome_url ||
(StringPrintf("client%d.google.com", i) == url.host());
}
}
+ // This protects requests to safe browsing, link doctor, and possibly
+ // others.
+ sensitive_chrome_url = sensitive_chrome_url ||
+ EndsWith(url.host(), "client.google.com", true);
abarth-chromium 2012/08/02 14:48:04 Should this be ".client.google.com"
}
GURL::Replacements replacements;
replacements.ClearQuery();
replacements.ClearRef();
GURL url_without_query = url.ReplaceComponents(replacements);
- return is_webstore_gallery_url || sensitive_chrome_url ||
+ return sensitive_chrome_url ||
extension_urls::IsWebstoreUpdateUrl(url_without_query) ||
extension_urls::IsBlacklistUpdateUrl(url);
}
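Review bot: With `is_webstore_gallery_url` and the `chrome.google.com` host test removed, IsSensitiveURL no longer treats Web Store pages as sensitive, but the function comment above it still reads as if store traffic is covered by this URL check. Only the update and blacklist URLs in the return expression are still matched here, so store pages now presumably rely on the process-ID test in HideRequest. Any other caller of IsSensitiveURL (none is visible in this hunk) would silently lose that coverage. I would record this at the top of the function, for example `// Web Store pages are not matched here; they are hidden by process ID in WebRequestPermissions::HideRequest().`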
@@ -59,17 +65,21 @@ bool HasWebRequestScheme(const GURL& url) {
} // namespace
// static
-bool WebRequestPermissions::HideRequest(const net::URLRequest* request) {
- const GURL& url = request->url();
- const GURL& first_party_url = request->first_party_for_cookies();
- bool hide = false;
- if (first_party_url.is_valid()) {
- hide = IsSensitiveURL(first_party_url) ||
- !HasWebRequestScheme(first_party_url);
+bool WebRequestPermissions::HideRequest(
+ const ExtensionInfoMap* extension_info_map,
+ const net::URLRequest* request) {
+ // Hide requests from the Chrome WebStore App.
+ const ResourceRequestInfo* info = ResourceRequestInfo::ForRequest(request);
+ if (info && extension_info_map) {
+ int process_id = info->GetChildID();
+ const extensions::ProcessMap& process_map =
+ extension_info_map->process_map();
+ if (process_map.Contains(extension_misc::kWebStoreAppId, process_id))
+ return true;
}
- if (!hide)
- hide = IsSensitiveURL(url) || !HasWebRequestScheme(url);
- return hide;
+
+ const GURL& url = request->url();
+ return IsSensitiveURL(url) || !HasWebRequestScheme(url);
}
// static
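Review bot: The process-ID test in HideRequest fails open: when `ResourceRequestInfo::ForRequest(request)` returns null or `extension_info_map` is null, the `if (info && extension_info_map)` block is skipped and the decision falls through to the URL check, which after this change no longer matches Web Store pages. Whether either can be null for a request that originates from the store cannot be determined from this hunk, so the accepted null cases should be documented next to the condition, e.g. `// info is null for requests not issued by a renderer; extension_info_map may be null in tests.` (wording to be confirmed by the author). The rewrite also drops the old `first_party_for_cookies()` test, so subrequests of a page on a sensitive host, or of a page with a non-web-request scheme, are no longer hidden on that basis. If that is intended, a comment such as `// Only the request URL and the originating process are checked; the first-party URL is deliberately ignored.` would make the narrowed policy explicit.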
