Chromium Code Reviews Chromium Code Reviews
Issue 10828067:
Extension resources should only load in contexts the extension has permission to access. (Closed)
Base URL: svn://svn.chromium.org/chrome/trunk/src| OLD | NEW |
|---|---|
| 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "chrome/renderer/extensions/extension_resource_request_policy.h" | 5 #include "chrome/renderer/extensions/extension_resource_request_policy.h" |
| 6 | 6 |
| 7 #include "base/command_line.h" | 7 #include "base/command_line.h" |
| 8 #include "base/logging.h" | 8 #include "base/logging.h" |
| 9 #include "base/stringprintf.h" | 9 #include "base/stringprintf.h" |
| 10 #include "base/string_util.h" | |
| 10 #include "chrome/common/chrome_switches.h" | 11 #include "chrome/common/chrome_switches.h" |
| 11 #include "chrome/common/url_constants.h" | 12 #include "chrome/common/url_constants.h" |
| 12 #include "chrome/common/extensions/extension.h" | 13 #include "chrome/common/extensions/extension.h" |
| 13 #include "chrome/common/extensions/extension_set.h" | 14 #include "chrome/common/extensions/extension_set.h" |
| 14 #include "googleurl/src/gurl.h" | 15 #include "googleurl/src/gurl.h" |
| 15 #include "third_party/WebKit/Source/WebKit/chromium/public/WebConsoleMessage.h" | 16 #include "third_party/WebKit/Source/WebKit/chromium/public/WebConsoleMessage.h" |
| 16 #include "third_party/WebKit/Source/WebKit/chromium/public/WebDocument.h" | 17 #include "third_party/WebKit/Source/WebKit/chromium/public/WebDocument.h" |
| 17 #include "third_party/WebKit/Source/WebKit/chromium/public/WebFrame.h" | 18 #include "third_party/WebKit/Source/WebKit/chromium/public/WebFrame.h" |
| 18 #include "third_party/WebKit/Source/WebKit/chromium/public/platform/WebString.h" | 19 #include "third_party/WebKit/Source/WebKit/chromium/public/platform/WebString.h" |
| 19 | 20 |
| (...skipping 20 matching lines...) Expand all Loading... | |
| 40 // launchers. | 41 // launchers. |
| 41 std::string resource_root_relative_path = | 42 std::string resource_root_relative_path = |
| 42 resource_url.path().empty() ? "" : resource_url.path().substr(1); | 43 resource_url.path().empty() ? "" : resource_url.path().substr(1); |
| 43 if (extension->is_hosted_app() && | 44 if (extension->is_hosted_app() && |
| 44 !extension->icons().ContainsPath(resource_root_relative_path)) { | 45 !extension->icons().ContainsPath(resource_root_relative_path)) { |
| 45 LOG(ERROR) << "Denying load of " << resource_url.spec() << " from " | 46 LOG(ERROR) << "Denying load of " << resource_url.spec() << " from " |
| 46 << "hosted app."; | 47 << "hosted app."; |
| 47 return false; | 48 return false; |
| 48 } | 49 } |
| 49 | 50 |
| 50 // Disallow loading of extension resources which are not explicitely listed | 51 GURL frame_url = frame->document().url(); |
| 51 // as web accessible if the manifest version is 2 or greater. | |
| 52 if (!extension->IsResourceWebAccessible(resource_url.path()) && | |
| 53 !CommandLine::ForCurrentProcess()->HasSwitch( | |
| 54 switches::kDisableExtensionsResourceWhitelist)) { | |
| 55 GURL frame_url = frame->document().url(); | |
| 56 GURL page_url = frame->top()->document().url(); | |
| 57 | 52 |
| 58 // Exceptions are: | 53 // In the case of loading a frame, frame* points to the frame |
|
Aaron Boodman
2012/08/01 21:56:54
Can you rewrap this comment to take advantage of 8
| |
| 59 // - empty origin (needed for some edge cases when we have empty origins) | 54 // being loaded, not the containing frame. This means that |
| 60 bool is_empty_origin = frame_url.is_empty(); | 55 // frame->document().url() ends up not being useful to us. |
| 61 // - extensions requesting their own resources (frame_url check is for | 56 // |
| 62 // images, page_url check is for iframes) | 57 // WebKit doesn't currently pass us enough information to |
| 63 bool is_own_resource = frame_url.GetOrigin() == extension->url() || | 58 // know when we're a frame, so we hack it by checking for |
| 64 page_url.GetOrigin() == extension->url(); | 59 // 'about:blank', which should only happen in this |
| 65 // - devtools (chrome-extension:// URLs are loaded into frames of devtools | 60 // situation. |
| 66 // to support the devtools extension APIs) | 61 // |
| 67 bool is_dev_tools = page_url.SchemeIs(chrome::kChromeDevToolsScheme) && | 62 // TODO(aa): Fix WebKit to pass the context of the load. |
| 68 !extension->devtools_url().is_empty(); | 63 // crbug.com/139788 |
| 64 if (frame_url == GURL(chrome::kAboutBlankURL) && frame->parent()) | |
| 65 frame_url = frame->parent()->document().url(); | |
| 69 | 66 |
| 70 if (!is_empty_origin && !is_own_resource && !is_dev_tools) { | 67 bool extension_has_access_to_frame = |
| 68 extension->GetEffectiveHostPermissions().MatchesURL(frame_url); | |
| 69 bool frame_has_empty_origin = frame_url.is_empty(); | |
| 70 bool frame_is_data_url = frame_url.SchemeIs(chrome::kDataScheme); | |
| 71 bool frame_is_devtools = frame_url.SchemeIs(chrome::kChromeDevToolsScheme) && | |
| 72 !extension->devtools_url().is_empty(); | |
| 73 bool frame_is_extension = frame_url.SchemeIs(chrome::kExtensionScheme); | |
| 74 bool is_own_resource = frame_url.GetOrigin() == extension->url(); | |
| 75 bool is_resource_nacl_module = | |
| 76 extension->IsResourceNaClModule(resource_url.path()); | |
| 77 bool is_resource_web_accessible = | |
| 78 extension->IsResourceWebAccessible(resource_url.path()) || | |
| 79 CommandLine::ForCurrentProcess()->HasSwitch( | |
| 80 switches::kDisableExtensionsResourceWhitelist); | |
| 81 | |
| 82 // Given that the goal here is to prevent malicious injection of a benign | |
| 83 // extension's content into a context where it might be damaging, allowing | |
| 84 // unvalidated "nexe" resources is low-risk. If a mechanism for synchronously | |
| 85 // validating that the "nexe" is a NaCl executable appears, we should use it. | |
| 86 bool is_resource_nexe = extension->HasNaClModules() && | |
| 87 EndsWith(resource_url.path(), ".nexe", true); | |
| 88 | |
| 89 if (!frame_has_empty_origin && !frame_is_devtools && !is_own_resource) { | |
| 90 if (!is_resource_web_accessible) { | |
| 71 std::string message = base::StringPrintf( | 91 std::string message = base::StringPrintf( |
| 72 "Denying load of %s. Resources must be listed in the " | 92 "Denying load of %s. Resources must be listed in the " |
| 73 "web_accessible_resources manifest key in order to be loaded by " | 93 "web_accessible_resources manifest key in order to be loaded by " |
| 74 "pages outside the extension.", | 94 "pages outside the extension.", |
| 75 resource_url.spec().c_str()); | 95 resource_url.spec().c_str()); |
| 76 frame->addMessageToConsole( | 96 frame->addMessageToConsole( |
| 77 WebKit::WebConsoleMessage(WebKit::WebConsoleMessage::LevelError, | 97 WebKit::WebConsoleMessage(WebKit::WebConsoleMessage::LevelError, |
| 78 WebKit::WebString::fromUTF8(message))); | 98 WebKit::WebString::fromUTF8(message))); |
| 79 return false; | 99 return false; |
| 80 } | 100 } |
| 101 | |
| 102 if (!extension_has_access_to_frame && !frame_is_extension && | |
| 103 !frame_is_data_url && !is_resource_nacl_module && !is_resource_nexe) { | |
| 104 std::string message = base::StringPrintf( | |
| 105 "Denying load of %s. An extension's resources can only be loaded " | |
| 106 "into a page for which the extension has explicit host permissions.", | |
| 107 resource_url.spec().c_str()); | |
| 108 frame->addMessageToConsole( | |
| 109 WebKit::WebConsoleMessage(WebKit::WebConsoleMessage::LevelError, | |
| 110 WebKit::WebString::fromUTF8(message))); | |
| 111 return false; | |
| 112 } | |
| 81 } | 113 } |
| 82 | 114 |
| 83 return true; | 115 return true; |
| 84 } | 116 } |
| 85 | 117 |
| 86 // static | 118 // static |
| 87 bool ExtensionResourceRequestPolicy::CanRequestExtensionResourceScheme( | 119 bool ExtensionResourceRequestPolicy::CanRequestExtensionResourceScheme( |
| 88 const GURL& resource_url, | 120 const GURL& resource_url, |
| 89 WebKit::WebFrame* frame) { | 121 WebKit::WebFrame* frame) { |
| 90 CHECK(resource_url.SchemeIs(chrome::kExtensionResourceScheme)); | 122 CHECK(resource_url.SchemeIs(chrome::kExtensionResourceScheme)); |
| 91 | 123 |
| 92 GURL frame_url = frame->document().url(); | 124 GURL frame_url = frame->document().url(); |
| 93 if (!frame_url.is_empty() && | 125 if (!frame_url.is_empty() && |
| 94 !frame_url.SchemeIs(chrome::kExtensionScheme)) { | 126 !frame_url.SchemeIs(chrome::kExtensionScheme)) { |
| 95 std::string message = base::StringPrintf( | 127 std::string message = base::StringPrintf( |
| 96 "Denying load of %s. chrome-extension-resources:// can only be " | 128 "Denying load of %s. chrome-extension-resources:// can only be " |
| 97 "loaded from extensions.", | 129 "loaded from extensions.", |
| 98 resource_url.spec().c_str()); | 130 resource_url.spec().c_str()); |
| 99 frame->addMessageToConsole( | 131 frame->addMessageToConsole( |
| 100 WebKit::WebConsoleMessage(WebKit::WebConsoleMessage::LevelError, | 132 WebKit::WebConsoleMessage(WebKit::WebConsoleMessage::LevelError, |
| 101 WebKit::WebString::fromUTF8(message))); | 133 WebKit::WebString::fromUTF8(message))); |
| 102 return false; | 134 return false; |
| 103 } | 135 } |
| 104 | 136 |
| 105 return true; | 137 return true; |
| 106 } | 138 } |
| 107 | 139 |
| 108 ExtensionResourceRequestPolicy::ExtensionResourceRequestPolicy() { | 140 ExtensionResourceRequestPolicy::ExtensionResourceRequestPolicy() { |
| 109 } | 141 } |
| OLD | NEW |
