Extension resources should only load in contexts the extension has permission to access.

chrome/renderer/extensions/extension_resource_request_policy.cc

Index: chrome/renderer/extensions/extension_resource_request_policy.cc
diff --git a/chrome/renderer/extensions/extension_resource_request_policy.cc b/chrome/renderer/extensions/extension_resource_request_policy.cc
index 9f1e8428b3fdd523a22297231fcbad0c2d721a9a..6c83a5df775c896e6ec08e0d8f95b7396d8e77ce 100644
--- a/chrome/renderer/extensions/extension_resource_request_policy.cc
+++ b/chrome/renderer/extensions/extension_resource_request_policy.cc
@@ -47,27 +47,55 @@ bool ExtensionResourceRequestPolicy::CanRequestResource(
     return false;
   }
 
-  // Disallow loading of extension resources which are not explicitely listed
-  // as web accessible if the manifest version is 2 or greater.
-  if (!extension->IsResourceWebAccessible(resource_url.path()) &&
-      !CommandLine::ForCurrentProcess()->HasSwitch(
-          switches::kDisableExtensionsResourceWhitelist)) {
-    GURL frame_url = frame->document().url();
-    GURL page_url = frame->top()->document().url();
-
-    // Exceptions are:
-    // - empty origin (needed for some edge cases when we have empty origins)
-    bool is_empty_origin = frame_url.is_empty();
-    // - extensions requesting their own resources (frame_url check is for
-    //     images, page_url check is for iframes)
-    bool is_own_resource = frame_url.GetOrigin() == extension->url() ||
-        page_url.GetOrigin() == extension->url();
-    // - devtools (chrome-extension:// URLs are loaded into frames of devtools
-    //     to support the devtools extension APIs)
-    bool is_dev_tools = page_url.SchemeIs(chrome::kChromeDevToolsScheme) &&
-        !extension->devtools_url().is_empty();
-
-    if (!is_empty_origin && !is_own_resource && !is_dev_tools) {
+  GURL frame_url = frame->document().url();
+  GURL page_url = frame->top()->document().url();
+
+  // Disallow loading of extension resources when one of the following
+  // conditions holds:
+  //
+  // 1.  The resource is not explicitly listed as a web accessible resource (and
+  //     the extension is manifest version 2+, and this check isn't disabled via
+  //     a command-line flag).
+  bool is_resource_web_accessible =
+      extension->IsResourceWebAccessible(resource_url.path()) ||

[Aaron Boodman, 2012/07/30 14:28:26]

The parenthetical comment about manifest v2+ is handled internally by
IsResourceWebAccessible, so you could simplify this:

The resource is not web accessible (and this check isn't disabled...)

[Mike West, 2012/07/31 09:25:06]

Done.

+      CommandLine::ForCurrentProcess()->HasSwitch(
+          switches::kDisableExtensionsResourceWhitelist);
+
+  // 2.  The resource is loaded into a context for which the extension has no
+  //     permission (e.g. resources from an extension with host permissions for
+  //     `evil.com` shouldn't be loaded into `example.com`).
+  bool is_access_permitted =
+      extension->GetEffectiveHostPermissions().MatchesURL(frame_url) ||
+      extension->GetEffectiveHostPermissions().MatchesURL(page_url);

[Aaron Boodman, 2012/07/30 14:28:26]

I don't think you should check page_url here.

[Aaron Boodman, 2012/07/30 14:28:26]

Can you test whether this seems to work with declared content scripts? That was
why it looks like we reverted the original CL.

[Mike West, 2012/07/31 09:25:06]

I think this is covered by the existing content_script API tests. It's probably
a good idea to have an explicit test here as well, though.

+
+  // Exceptions are made for the following cases for both of the above:
+  //
+  // 1.  Empty origins (needed for some edge cases when we have empty origins).
+  bool is_empty_origin = frame_url.is_empty();
+
+  // 2.  Extensions requesting their own resources (frame_url check is for
+  //     images, page_url check is for iframes).
+  bool is_own_resource = frame_url.GetOrigin() == extension->url() ||

[Aaron Boodman, 2012/07/30 14:28:26]

This looks wrong, but you didn't add it. Imagine the following:

root: a.com
frame: b.com
img: a.com

This code will decide that the request for a.com is_own_resource (because of of
the page_url check), but that doesn't seem right.

[Mike West, 2012/07/31 09:25:06]

As discussed, I've changed this logic to the following:

If `frame_url` is `about:blank`, and `frame` has a `parent()`, then we use the
parent instead of the frame for all the checks. This covers the case in which an
`iframe` (which starts it's life as `about:blank`) loads an extension resource.
In that case, we want to check that it's containing frame could load the
extension resource.

+      page_url.GetOrigin() == extension->url();
+
+  // 3.  Devtools (chrome-extension:// URLs are loaded into frames of devtools
+  //     to support the devtools extension APIs).
+  bool is_dev_tools = page_url.SchemeIs(chrome::kChromeDevToolsScheme) &&
+      !extension->devtools_url().is_empty();
+
+  // Exceptions are made to the host permission restriction for the following
+  // cases.
+  //
+  // 4.  `data:` origins.
+  bool is_data_origin = frame_url.SchemeIs(chrome::kDataScheme) ||
+      page_url.SchemeIs(chrome::kDataScheme);

[Aaron Boodman, 2012/07/30 14:28:26]

Again, don't think we should be checking page_url. Elsewhere in this file too.

[Mike West, 2012/07/31 09:25:06]

Done.

+
+  // 5.  `chrome-extension:` origins.
+  bool is_extension_origin = frame_url.SchemeIs(chrome::kExtensionScheme) ||
+      page_url.SchemeIs(chrome::kExtensionScheme);
+
+  if (!is_empty_origin && !is_own_resource && !is_dev_tools) {
+    if (!is_resource_web_accessible) {
       std::string message = base::StringPrintf(
           "Denying load of %s. Resources must be listed in the "
           "web_accessible_resources manifest key in order to be loaded by "
@@ -78,6 +106,19 @@ bool ExtensionResourceRequestPolicy::CanRequestResource(
                                     WebKit::WebString::fromUTF8(message)));
       return false;
     }
+
+    if (!is_access_permitted && !is_extension_origin && !is_data_origin) {
+      std::string message = base::StringPrintf(
+          "Denying load of %s. An extension's resources can only be loaded "
+          "into a page for which the extension has explicit host permissions.",
+          resource_url.spec().c_str(),
+          frame_url.spec().c_str(),
+          page_url.spec().c_str());
+      frame->addMessageToConsole(
+          WebKit::WebConsoleMessage(WebKit::WebConsoleMessage::LevelError,
+                                    WebKit::WebString::fromUTF8(message)));
+      return false;
+    }
   }
 
   return true;