
Side by Side Diff: chrome/renderer/extensions/extension_resource_request_policy.cc

Issue 6478019: Temporarily disable restrictions on who can request chrome-extension:// (Closed) Base URL: svn://svn.chromium.org/chrome/trunk/src
Patch Set: whitespace Created 9 years, 10 months ago
OLDNEW
1 // Copyright (c) 2011 The Chromium Authors. All rights reserved. 1 // Copyright (c) 2011 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be 2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file. 3 // found in the LICENSE file.
4 4
5 #include "chrome/renderer/extensions/extension_resource_request_policy.h" 5 #include "chrome/renderer/extensions/extension_resource_request_policy.h"
6 6
7 #include "base/logging.h" 7 #include "base/logging.h"
8 #include "chrome/common/url_constants.h" 8 #include "chrome/common/url_constants.h"
9 #include "chrome/common/extensions/extension.h" 9 #include "chrome/common/extensions/extension.h"
10 #include "chrome/common/extensions/extension_set.h" 10 #include "chrome/common/extensions/extension_set.h"
11 #include "googleurl/src/gurl.h" 11 #include "googleurl/src/gurl.h"
12 12
13 // static 13 // static
14 bool ExtensionResourceRequestPolicy::CanRequestResource( 14 bool ExtensionResourceRequestPolicy::CanRequestResource(
15 const GURL& resource_url, 15 const GURL& resource_url,
16 const GURL& frame_url, 16 const GURL& frame_url,
17 const ExtensionSet* loaded_extensions) { 17 const ExtensionSet* loaded_extensions) {
18 CHECK(resource_url.SchemeIs(chrome::kExtensionScheme)); 18 CHECK(resource_url.SchemeIs(chrome::kExtensionScheme));
19 19
20 // chrome:// URLs are always allowed to load chrome-extension:// resources. 20 const Extension* extension = loaded_extensions->GetByURL(resource_url);
21 // The app launcher in the NTP uses this feature, as does dev tools. 21 if (!extension) {
22 if (frame_url.SchemeIs(chrome::kChromeDevToolsScheme) || 22 // Allow the load in the case of a non-existent extension. We'll just get a
23 frame_url.SchemeIs(chrome::kChromeUIScheme)) 23 // 404 from the browser process.
24 return true; 24 return true;
25 }
25 26
26 // Disallow loading of packaged resources for hosted apps. We don't allow 27 // Disallow loading of packaged resources for hosted apps. We don't allow
27 // hybrid hosted/packaged apps. The one exception is access to icons, since 28 // hybrid hosted/packaged apps. The one exception is access to icons, since
28 // some extensions want to be able to do things like create their own 29 // some extensions want to be able to do things like create their own
29 // launchers. 30 // launchers.
30 const Extension* extension = loaded_extensions->GetByURL(resource_url);
31 std::string resource_root_relative_path = 31 std::string resource_root_relative_path =
32 resource_url.path().empty() ? "" : resource_url.path().substr(1); 32 resource_url.path().empty() ? "" : resource_url.path().substr(1);
33 if (extension && extension->is_hosted_app() && 33 if (extension && extension->is_hosted_app() &&
34 !extension->icons().ContainsPath(resource_root_relative_path)) { 34 !extension->icons().ContainsPath(resource_root_relative_path)) {
35 LOG(ERROR) << "Denying load of " << resource_url.spec() << " from " 35 LOG(ERROR) << "Denying load of " << resource_url.spec() << " from "
36 << "hosted app."; 36 << "hosted app.";
37 return false; 37 return false;
38 } 38 }
39 39
40 // Otherwise, pages are allowed to load resources from extensions if the 40 return true;
Matt Perry 2011/02/10 19:50:57 Shouldn't this check be added back to extension_re
41 // extension has host permissions to (and therefore could be running script
42 // in, which might need access to the extension resources).
43 //
44 // Exceptions are:
45 // - empty origin (needed for some edge cases when we have empty origins)
46 // - chrome-extension:// (for legacy reasons -- some extensions interop)
47 // - data: (basic HTML notifications use data URLs internally)
48 if (frame_url.is_empty() ||
49 frame_url.SchemeIs(chrome::kExtensionScheme) |
50 frame_url.SchemeIs(chrome::kDataScheme)) {
51 return true;
52 } else {
53 if (extension->GetEffectiveHostPermissions().ContainsURL(frame_url)) {
54 return true;
55 } else {
56 LOG(ERROR) << "Denying load of " << resource_url.spec() << " from "
57 << frame_url.spec() << " because the extension does not have "
58 << "access to the requesting page.";
59 return false;
60 }
61 }
62 } 41 }
63 42
64 ExtensionResourceRequestPolicy::ExtensionResourceRequestPolicy() { 43 ExtensionResourceRequestPolicy::ExtensionResourceRequestPolicy() {
65 } 44 }
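Review bot: The new tail of CanRequestResource (new line 40, `return true;`) no longer consults `frame_url` at all, and nothing in the code marks this as temporary; the issue title is the only record of that. With this fallthrough any page origin can load packaged resources of any installed non-hosted extension, which also lets a page tell which extensions are installed, so a marker at the fallthrough such as `// TODO(<owner>): temporarily allows all frame origins; restore the host-permission check on frame_url (see <tracking bug>).` would keep the gap visible to the next reader. Dropping the chrome:// and chrome-devtools:// early return also sends those frames through the hosted-app denial, which the old comment said they should always bypass; that may be acceptable because icons stay exempt, but it deserves a line in the description. Minor: `extension &&` in the hosted-app condition is redundant after the new `if (!extension)` early return.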