Disallow apps with the wrong content type header.

chrome/browser/extensions/crx_installer.cc

 // Copyright (c) 2010 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "chrome/browser/extensions/crx_installer.h"
 
 #include "app/l10n_util.h"
 #include "app/resource_bundle.h"
 #include "base/file_util.h"
 #include "base/path_service.h"
@@ skipping 28 matching lines @@
 CrxInstaller::CrxInstaller(const FilePath& install_directory,
                            ExtensionsService* frontend,
                            ExtensionInstallUI* client)
     : install_directory_(install_directory),
       install_source_(Extension::INTERNAL),
       delete_source_(false),
       allow_privilege_increase_(false),
       limit_web_extent_to_download_host_(false),
       create_app_shortcut_(false),
       frontend_(frontend),
-      client_(client) {
+      client_(client),
+      apps_require_extension_mime_type_(false) {
   extensions_enabled_ = frontend_->extensions_enabled();
 }
 
 CrxInstaller::~CrxInstaller() {
   // Delete the temp directory and crx file as necessary. Note that the
   // destructor might be called on any thread, so we post a task to the file
   // thread to make sure the delete happens there.
   if (!temp_dir_.value().empty()) {
     ChromeThread::PostTask(
         ChromeThread::FILE, FROM_HERE,
@@ skipping 61 matching lines @@
 
 void CrxInstaller::OnUnpackSuccess(const FilePath& temp_dir,
                                    const FilePath& extension_dir,
                                    Extension* extension) {
   DCHECK(ChromeThread::CurrentlyOn(ChromeThread::FILE));
 
   // Note: We take ownership of |extension| and |temp_dir|.
   extension_.reset(extension);
   temp_dir_ = temp_dir;
 
+  // If the extension was downloaded, apps_require_extension_mime_type_
+  // will be set.  In this case, check that if the extension is an app,
+  // it was served with the right mime type.  Make an exception for file
+  // URLs, which come from the users computer and have no headers.
+  if (extension->is_app() &&
+      !original_url_.SchemeIsFile() &&
+      apps_require_extension_mime_type_ &&
+      original_mime_type_ != Extension::kMimeType) {
+    ReportFailureFromFileThread(StringPrintf(
+        "Applications must be served with content type %s.",
+        Extension::kMimeType));
+    return;
+  }
+
   // The unpack dir we don't have to delete explicity since it is a child of
   // the temp dir.
   unpacked_extension_root_ = extension_dir;
 
   // Only allow extensions with a gallery update url to be installed after
   // having been directly downloaded from the gallery.
   if (extension->update_url() == GURL(extension_urls::kGalleryUpdateURL) &&
       !ExtensionsService::IsGalleryDownloadURL(original_url_)) {
     ReportFailureFromFileThread(l10n_util::GetStringFUTF8(
         IDS_EXTENSION_DISALLOW_NON_DOWNLOADED_GALLERY_INSTALLS,
@@ skipping 201 matching lines @@
     client_->OnInstallSuccess(extension_.get());
 
   // Tell the frontend about the installation and hand off ownership of
   // extension_ to it.
   frontend_->OnExtensionInstalled(extension_.release(),
                                   allow_privilege_increase_);
 
   // We're done. We don't post any more tasks to ourselves so we are deleted
   // soon.
 }