Make sure that extensions can launch web urls, create bookmark url with web safe schemes only.

chrome/common/extensions/extension.cc

Index: chrome/common/extensions/extension.cc
===================================================================
--- chrome/common/extensions/extension.cc	(revision 81909)
+++ chrome/common/extensions/extension.cc	(working copy)
@@ -20,8 +20,6 @@
 #include "base/utf_string_conversions.h"
 #include "base/values.h"
 #include "base/version.h"
-#include "crypto/sha2.h"
-#include "crypto/third_party/nss/blapi.h"
 #include "chrome/common/chrome_constants.h"
 #include "chrome/common/chrome_switches.h"
 #include "chrome/common/chrome_version_info.h"
@@ -35,6 +33,9 @@
 #include "chrome/common/extensions/file_browser_handler.h"
 #include "chrome/common/extensions/user_script.h"
 #include "chrome/common/url_constants.h"
+#include "content/browser/child_process_security_policy.h"
+#include "crypto/sha2.h"
+#include "crypto/third_party/nss/blapi.h"
 #include "googleurl/src/url_util.h"
 #include "grit/chromium_strings.h"
 #include "grit/generated_resources.h"
@@ -1209,8 +1210,11 @@
       return false;
     }
 
-    // Ensure the launch URL is a valid absolute URL.
-    if (!GURL(launch_url).is_valid()) {
+    // Ensure the launch URL is a valid absolute URL and has a web safe scheme.
+    GURL url(launch_url);
+    ChildProcessSecurityPolicy *policy =
+      ChildProcessSecurityPolicy::GetInstance();
+    if (!url.is_valid() || !policy->IsWebSafeScheme(url.scheme())) {

[Aaron Boodman, 2011/04/19 18:29:33]

I think it would be better to use Extension::kValidWebExtentSchemes so that
things are consistent. You might have to parse the launch URL with URLPattern in
order to verify this.

       *error = errors::kInvalidLaunchWebURL;
       return false;
     }