Use WebFrame::setIsolatedWorldSecurityOrigin to allow cross-origin XHRs in content scripts.

chrome/renderer/extensions/user_script_slave.cc

 // Copyright (c) 2011 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "chrome/renderer/extensions/user_script_slave.h"
 
 #include <map>
 
 #include "base/command_line.h"
 #include "base/logging.h"
 #include "base/perftimer.h"
 #include "base/pickle.h"
 #include "base/shared_memory.h"
 #include "base/metrics/histogram.h"
 #include "base/stringprintf.h"
 #include "chrome/common/extensions/extension.h"
 #include "chrome/common/extensions/extension_set.h"
 #include "chrome/common/url_constants.h"
 #include "chrome/renderer/chrome_render_process_observer.h"
+#include "chrome/renderer/extensions/extension_dispatcher.h"
 #include "chrome/renderer/extensions/extension_groups.h"
 #include "googleurl/src/gurl.h"
 #include "grit/renderer_resources.h"
 #include "third_party/WebKit/Source/WebKit/chromium/public/WebFrame.h"
+#include "third_party/WebKit/Source/WebKit/chromium/public/WebSecurityOrigin.h"
+#include "third_party/WebKit/Source/WebKit/chromium/public/WebSecurityPolicy.h"
 #include "third_party/WebKit/Source/WebKit/chromium/public/WebVector.h"
 #include "third_party/WebKit/Source/WebKit/chromium/public/WebView.h"
 #include "ui/base/resource/resource_bundle.h"
 
 using WebKit::WebFrame;
+using WebKit::WebSecurityOrigin;
+using WebKit::WebSecurityPolicy;
 using WebKit::WebString;
 using WebKit::WebVector;
 using WebKit::WebView;
 
 // These two strings are injected before and after the Greasemonkey API and
 // user script to wrap it in an anonymous scope.
 static const char kUserScriptHead[] = "(function (unsafeWindow) {\n";
 static const char kUserScriptTail[] = "\n})(window);";
 
 // Sets up the chrome.extension module. This may be run multiple times per
 // context, but the init method deletes itself after the first time.
 static const char kInitExtension[] =
   "if (chrome.initExtension) chrome.initExtension('%s', true, %s);";
 
-
 int UserScriptSlave::GetIsolatedWorldId(const std::string& extension_id) {
   typedef std::map<std::string, int> IsolatedWorldMap;
 
   static IsolatedWorldMap g_isolated_world_ids;
   static int g_next_isolated_world_id = 1;
 
   IsolatedWorldMap::iterator iter = g_isolated_world_ids.find(extension_id);
   if (iter != g_isolated_world_ids.end())
     return iter->second;
 
   int new_id = g_next_isolated_world_id;
   ++g_next_isolated_world_id;
 
   // This map will tend to pile up over time, but realistically, you're never
   // going to have enough extensions for it to matter.
   g_isolated_world_ids[extension_id] = new_id;
   return new_id;
 }
 
+// Associates the extension's isolated world with the extension's URL as the
+// origin, and whitelists that origin to have access to 1) the current frame's
+// origin 2) origins whitelisted in host permission.
+// Unlike the whitelisting done in the extension process by
+// ExtensionDispatcher::InitHostPermissions, this is more complex because the
+// 1) the current frame's origin changes as the page is navigated 2) the set of
+// extensions may change as they are loaded, unloaded and reloaded.
+// To solve 1), we keep track of the last origin that we whitelisted for a
+// frame, and un-whitelist it when getting a new one. To solve 2), we keep track
+// of what host permission origins we've already whitelisted, and don't
+// whitelist them again. This means that if an extension is reloaded with fewer
+// host permissions we will not remove now-obsolete permissions.
+void UserScriptSlave::InitializeIsolatedWorld(

[Matt Perry, 2011/05/27 19:10:54]

This seems like a lot of effort to work around deficiencies in the WebKit API.
None of this would be necessary with the following changes to WebKit:
- change the origin access whitelist to hold a set instead of a vector, so that
we don't have to keep the extension_origins_ map.
- add WebSecurityPolicy::removeOriginAccessWhitelistEntriesForOrigin(url).

Are these feasible?

I'm still of the opinion that we should just whitelist the union of
host_permissions and content_script.urls. This would make the logic even
simpler, because we would only need to initialize the isolated world when we
create it, rather than with each page navigation.

+    WebFrame* frame,
+    int isolated_world_id,
+    const Extension* extension) {
+  frame->setIsolatedWorldSecurityOrigin(
+      isolated_world_id,
+      WebSecurityOrigin::create(extension->url()));
+
+  // We always have access to the origin of the frame that we're injecting in.
+  FrameOriginMap::iterator iter = frame_origins_.find(frame->identifier());
+  if (iter != frame_origins_.end()) {
+    std::pair<std::string, std::string> frame_origin = iter->second;
+    WebSecurityPolicy::removeOriginAccessWhitelistEntry(
+        extension->url(),
+        WebString::fromUTF8(frame_origin.first),
+        WebString::fromUTF8(frame_origin.second),
+        false); // do not match subdomains
+  }
+
+  GURL frame_url = GURL(frame->url());
+  WebSecurityPolicy::addOriginAccessWhitelistEntry(
+      extension->url(),
+      WebString::fromUTF8(frame_url.scheme()),
+      WebString::fromUTF8(frame_url.host()),
+      false); // do not match subdomains
+  frame_origins_[frame->identifier()] =
+      std::pair<std::string, std::string>(frame_url.scheme(), frame_url.host());
+
+  const URLPatternList& permissions = extension->host_permissions();
+  for (size_t i = 0; i < permissions.size(); ++i) {
+    const URLPattern& permission = permissions[i];
+
+    bool already_whitelisted = false;
+    ExtensionOriginMap::iterator iter =
+        extension_origins_.find(extension->id());
+    ExtensionOriginMap::iterator end =
+        extension_origins_.upper_bound(extension->id());
+    for (; iter != end; ++iter) {
+      if (iter->second.scheme() == permission.scheme() &&
+          iter->second.host() == permission.host() &&
+          iter->second.match_subdomains() == permission.match_subdomains()) {
+        already_whitelisted = true;
+        break;
+      }
+    }
+    if (already_whitelisted) continue;
+
+    extension_origins_.insert(
+        std::pair<std::string, URLPattern>(extension->id(), permission));
+
+    const char* schemes[] = {
+      chrome::kHttpScheme,
+      chrome::kHttpsScheme,
+      chrome::kFileScheme,
+      chrome::kChromeUIScheme,
+    };
+    for (size_t j = 0; j < arraysize(schemes); ++j) {
+      if (permission.MatchesScheme(schemes[j])) {
+        WebSecurityPolicy::addOriginAccessWhitelistEntry(
+            extension->url(),
+            WebString::fromUTF8(schemes[j]),
+            WebString::fromUTF8(permission.host()),
+            permission.match_subdomains());
+      }
+    }
+  }
+}
+
 UserScriptSlave::UserScriptSlave(const ExtensionSet* extensions)
     : shared_memory_(NULL),
       script_deleter_(&scripts_),
       extensions_(extensions) {
   api_js_ = ResourceBundle::GetSharedInstance().GetRawDataResource(
                 IDR_GREASEMONKEY_API_JS);
 }
 
 UserScriptSlave::~UserScriptSlave() {}
 
@@ skipping 169 matching lines @@
       if (script->is_standalone() || script->emulate_greasemonkey()) {
         sources.insert(sources.begin(),
             WebScriptSource(WebString::fromUTF8(api_js_.as_string())));
       }
 
       // Setup chrome.self to contain an Extension object with the correct
       // ID.
       if (!script->extension_id().empty()) {
         InsertInitExtensionCode(&sources, script->extension_id());
         isolated_world_id = GetIsolatedWorldId(script->extension_id());
+        InitializeIsolatedWorld(frame, isolated_world_id, extension);
       }
 
       PerfTimer exec_timer;
       frame->executeScriptInIsolatedWorld(
           isolated_world_id, &sources.front(), sources.size(),
           EXTENSION_GROUP_CONTENT_SCRIPTS);
       UMA_HISTOGRAM_TIMES("Extensions.InjectScriptTime", exec_timer.Elapsed());
     }
   }
 
   // Log debug info.
   if (location == UserScript::DOCUMENT_START) {
     UMA_HISTOGRAM_COUNTS_100("Extensions.InjectStart_CssCount", num_css);
     UMA_HISTOGRAM_COUNTS_100("Extensions.InjectStart_ScriptCount", num_scripts);
     if (num_css || num_scripts)
       UMA_HISTOGRAM_TIMES("Extensions.InjectStart_Time", timer.Elapsed());
   } else if (location == UserScript::DOCUMENT_END) {
     UMA_HISTOGRAM_COUNTS_100("Extensions.InjectEnd_ScriptCount", num_scripts);
     if (num_scripts)
       UMA_HISTOGRAM_TIMES("Extensions.InjectEnd_Time", timer.Elapsed());
   } else if (location == UserScript::DOCUMENT_IDLE) {
     UMA_HISTOGRAM_COUNTS_100("Extensions.InjectIdle_ScriptCount", num_scripts);
     if (num_scripts)
       UMA_HISTOGRAM_TIMES("Extensions.InjectIdle_Time", timer.Elapsed());
   } else {
     NOTREACHED();
   }
 }