| Index: chrome/renderer/extensions/extension_resource_request_policy.cc
|
| diff --git a/chrome/renderer/extensions/extension_resource_request_policy.cc b/chrome/renderer/extensions/extension_resource_request_policy.cc
|
| index 188701ae8b774987fa358ac582683ea6447c7513..f88f1b5b76bc05dd1315aa02d8d7a2f652224f2e 100644
|
| --- a/chrome/renderer/extensions/extension_resource_request_policy.cc
|
| +++ b/chrome/renderer/extensions/extension_resource_request_policy.cc
|
| @@ -13,24 +13,30 @@
|
| // static
|
| bool ExtensionResourceRequestPolicy::CanRequestResource(
|
| const GURL& resource_url,
|
| - const GURL& frame_url,
|
| + const GURL& requesting_origin,
|
| const ExtensionSet* loaded_extensions) {
|
| CHECK(resource_url.SchemeIs(chrome::kExtensionScheme));
|
|
|
| + const Extension* extension = loaded_extensions->GetByURL(resource_url);
|
| + if (!extension) {
|
| + LOG(ERROR) << "Denying load of " << resource_url.spec() << " for unloaded "
|
| + << "extension.";
|
| + return false;
|
| + }
|
| +
|
| // chrome:// URLs are always allowed to load chrome-extension:// resources.
|
| // The app launcher in the NTP uses this feature, as does dev tools.
|
| - if (frame_url.SchemeIs(chrome::kChromeDevToolsScheme) ||
|
| - frame_url.SchemeIs(chrome::kChromeUIScheme))
|
| + if (requesting_origin.SchemeIs(chrome::kChromeDevToolsScheme) ||
|
| + requesting_origin.SchemeIs(chrome::kChromeUIScheme))
|
| return true;
|
|
|
| // Disallow loading of packaged resources for hosted apps. We don't allow
|
| // hybrid hosted/packaged apps. The one exception is access to icons, since
|
| // some extensions want to be able to do things like create their own
|
| // launchers.
|
| - const Extension* extension = loaded_extensions->GetByURL(resource_url);
|
| std::string resource_root_relative_path =
|
| resource_url.path().empty() ? "" : resource_url.path().substr(1);
|
| - if (extension && extension->is_hosted_app() &&
|
| + if (extension->is_hosted_app() &&
|
| !extension->icons().ContainsPath(resource_root_relative_path)) {
|
| LOG(ERROR) << "Denying load of " << resource_url.spec() << " from "
|
| << "hosted app.";
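Review bot: The comment above the scheme check still says chrome:// URLs are "always allowed" to load chrome-extension:// resources, but the new `if (!extension)` early return now runs before it. As a result, chrome:// and devtools requesters are denied whenever the extension is not in `loaded_extensions`. If that ordering is intended, the comment should say so, for example `// chrome:// and devtools pages may load resources of any *loaded* extension.`; if it is not, the scheme check belongs above the lookup. Separately, `loaded_extensions` is dereferenced with no visible null check, so a `DCHECK(loaded_extensions);` beside the existing `CHECK` would document the precondition. The function body continues past the end of this hunk.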
|
| @@ -45,17 +51,19 @@ bool ExtensionResourceRequestPolicy::CanRequestResource(
|
| // - empty origin (needed for some edge cases when we have empty origins)
|
| // - chrome-extension:// (for legacy reasons -- some extensions interop)
|
| // - data: (basic HTML notifications use data URLs internally)
|
| - if (frame_url.is_empty() ||
|
| - frame_url.SchemeIs(chrome::kExtensionScheme) |
|
| - frame_url.SchemeIs(chrome::kDataScheme)) {
|
| + if (requesting_origin.is_empty() ||
|
| + requesting_origin.SchemeIs(chrome::kExtensionScheme) |
|
| + requesting_origin.SchemeIs(chrome::kDataScheme)) {
|
| return true;
|
| } else {
|
| - if (extension->GetEffectiveHostPermissions().ContainsURL(frame_url)) {
|
| + if (extension->GetEffectiveHostPermissions().ContainsURL(
|
| + requesting_origin)) {
|
| return true;
|
| } else {
|
| LOG(ERROR) << "Denying load of " << resource_url.spec() << " from "
|
| - << frame_url.spec() << " because the extension does not have "
|
| - << "access to the requesting page.";
|
| + << requesting_origin.spec()
|
| + << " because the extension does not have access to the"
|
| + << " requesting page.";
|
| return false;
|
| }
|
| }
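Review bot: The renamed condition carries over a bitwise `|` between the two `SchemeIs` calls (`requesting_origin.SchemeIs(chrome::kExtensionScheme) |`). With bool operands the result is the same, but it reads as a typo in an access-control check and drops short-circuiting, so it should be `requesting_origin.SchemeIs(chrome::kExtensionScheme) ||`. Now that the argument is an origin rather than a frame URL, the `requesting_origin.is_empty()` branch also deserves a more precise comment, because it fails open: any requester whose origin the caller passes as empty is allowed. The caller is not visible here, so which cases produce an empty origin should be confirmed and named in the comment. The function starts before this hunk.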
|
|
|