Chromium Code Reviews Chromium Code Reviews
Issue 6478019:
Temporarily disable restrictions on who can request chrome-extension:// (Closed)
Base URL: svn://svn.chromium.org/chrome/trunk/src| Index: chrome/renderer/extensions/extension_resource_request_policy.cc |
| diff --git a/chrome/renderer/extensions/extension_resource_request_policy.cc b/chrome/renderer/extensions/extension_resource_request_policy.cc |
| index 188701ae8b774987fa358ac582683ea6447c7513..20ce5d4e7fbee3fa05602e068b0aa49e6fd6b8bf 100644 |
| --- a/chrome/renderer/extensions/extension_resource_request_policy.cc |
| +++ b/chrome/renderer/extensions/extension_resource_request_policy.cc |
| @@ -17,17 +17,17 @@ bool ExtensionResourceRequestPolicy::CanRequestResource( |
| const ExtensionSet* loaded_extensions) { |
| CHECK(resource_url.SchemeIs(chrome::kExtensionScheme)); |
| - // chrome:// URLs are always allowed to load chrome-extension:// resources. |
| - // The app launcher in the NTP uses this feature, as does dev tools. |
| - if (frame_url.SchemeIs(chrome::kChromeDevToolsScheme) || |
| - frame_url.SchemeIs(chrome::kChromeUIScheme)) |
| + const Extension* extension = loaded_extensions->GetByURL(resource_url); |
| + if (!extension) { |
| + // Allow the load in the case of a non-existent extension. We'll just get a |
| + // 404 from the browser process. |
| return true; |
| + } |
| // Disallow loading of packaged resources for hosted apps. We don't allow |
| // hybrid hosted/packaged apps. The one exception is access to icons, since |
| // some extensions want to be able to do things like create their own |
| // launchers. |
| - const Extension* extension = loaded_extensions->GetByURL(resource_url); |
| std::string resource_root_relative_path = |
| resource_url.path().empty() ? "" : resource_url.path().substr(1); |
| if (extension && extension->is_hosted_app() && |
| @@ -37,28 +37,7 @@ bool ExtensionResourceRequestPolicy::CanRequestResource( |
| return false; |
| } |
| - // Otherwise, pages are allowed to load resources from extensions if the |
|
Matt Perry
2011/02/10 19:50:57
Shouldn't this check be added back to extension_re
|
| - // extension has host permissions to (and therefore could be running script |
| - // in, which might need access to the extension resources). |
| - // |
| - // Exceptions are: |
| - // - empty origin (needed for some edge cases when we have empty origins) |
| - // - chrome-extension:// (for legacy reasons -- some extensions interop) |
| - // - data: (basic HTML notifications use data URLs internally) |
| - if (frame_url.is_empty() || |
| - frame_url.SchemeIs(chrome::kExtensionScheme) | |
| - frame_url.SchemeIs(chrome::kDataScheme)) { |
| - return true; |
| - } else { |
| - if (extension->GetEffectiveHostPermissions().ContainsURL(frame_url)) { |
| - return true; |
| - } else { |
| - LOG(ERROR) << "Denying load of " << resource_url.spec() << " from " |
| - << frame_url.spec() << " because the extension does not have " |
| - << "access to the requesting page."; |
| - return false; |
| - } |
| - } |
| + return true; |
| } |
| ExtensionResourceRequestPolicy::ExtensionResourceRequestPolicy() { |
