Restrict access to permissions based on extension types.

chrome/common/extensions/extension.cc

 // Copyright (c) 2011 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "chrome/common/extensions/extension.h"
 
 #include <algorithm>
 
 #include "base/base64.h"
 #include "base/basictypes.h"
@@ skipping 346 matching lines @@
   if (!GenerateId(path_bytes, &id))
     return "";
   return id;
 }
 
 Extension::Type Extension::GetType() const {
   if (is_theme())
     return TYPE_THEME;
   if (converted_from_user_script())
     return TYPE_USER_SCRIPT;
+  if (is_platform_app())
+    return TYPE_PLATFORM_APP;
   if (is_hosted_app())
     return TYPE_HOSTED_APP;
   if (is_packaged_app())
     return TYPE_PACKAGED_APP;
   return TYPE_EXTENSION;
 }
 
 // static
 GURL Extension::GetResourceURL(const GURL& extension_url,
                                const std::string& relative_path) {
@@ skipping 2470 matching lines @@
     }
   }
 
   if (permission->id() == ExtensionAPIPermission::kExperimental) {
     if (!CanSpecifyExperimentalPermission()) {
       *error = errors::kExperimentalFlagRequired;
       return false;
     }
   }
 
-  if (is_hosted_app()) {
-    if (!CanSpecifyPermissionForHostedApp(permission)) {
-      // Some old versions of Chrome did not return errors here and we ended up
-      // with extensions in the store containing bad data: crbug.com/101993.
-      //
-      // TODO(aa): Consider just being a lot looser when loading and installing
-      // extensions. We can be strict when packing and in development mode. Then
-      // we won't have to maintain all these tricky backward compat issues:
-      // crbug.com/102328.
-      if (creation_flags_ & STRICT_ERROR_CHECKS) {
-        *error = ExtensionErrorUtils::FormatErrorMessage(
-            errors::kPermissionNotAllowed, permission->name());
-      }
-      return false;
-    }
+  if (location_ == Extension::COMPONENT)
+    return true;
+
+  bool supports_type = false;
+  switch (GetType()) {
+    case TYPE_USER_SCRIPT: // Pass through.
+    case TYPE_EXTENSION:
+      supports_type = permission->supports_extensions();
+      break;
+    case TYPE_HOSTED_APP:
+      supports_type = permission->supports_hosted_apps();
+      break;
+    case TYPE_PACKAGED_APP:
+      supports_type = permission->supports_packaged_apps();
+      break;
+    case TYPE_PLATFORM_APP:
+      supports_type = permission->supports_platform_apps();
+      break;
+    default:
+      supports_type = false;
+      break;
   }
 
-  if (permission->is_platform_app_only()) {
-    if (!is_platform_app()) {
+  if (!supports_type) {
+    // We special case hosted apps because some old versions of Chrome did not
+    // return errors here and we ended up with extensions in the store
+    // containing bad data: crbug.com/101993.
+    //
+    // TODO(aa): Consider just being a lot looser when loading and installing
+    // extensions. We can be strict when packing and in development mode. Then
+    // we won't have to maintain all these tricky backward compat issues:
+    // crbug.com/102328.
+    if (!is_hosted_app() || creation_flags_ & STRICT_ERROR_CHECKS) {
       *error = ExtensionErrorUtils::FormatErrorMessage(
           errors::kPermissionNotAllowed, permission->name());
-      return false;
     }
+    return false;
   }
 
   return true;
 }
 
 bool Extension::CanSpecifyComponentOnlyPermission() const {
   // Only COMPONENT extensions can use private APIs.
   // TODO(asargent) - We want a more general purpose mechanism for this,
   // and better error messages. (http://crbug.com/54013)
   if (location_ == Extension::COMPONENT)
@@ skipping 20 matching lines @@
 
   // We rely on the webstore to check access to experimental. This way we can
   // whitelist extensions to have access to experimental in just the store, and
   // not have to push a new version of the client.
   if (from_webstore())
     return true;
 
   return false;
 }
 
-bool Extension::CanSpecifyPermissionForHostedApp(
-    const ExtensionAPIPermission* permission) const {
-  if (location_ == Extension::COMPONENT)
-    return true;
-
-  if (permission->is_hosted_app())
-    return true;
-
-  return false;
-}
-
 bool Extension::CanExecuteScriptEverywhere() const {
   if (location() == Extension::COMPONENT
 #ifndef NDEBUG
       || CommandLine::ForCurrentProcess()->HasSwitch(
           switches::kExposePrivateExtensionApi)
 #endif
       )
     return true;
 
   ScriptingWhitelist* whitelist =
@@ skipping 127 matching lines @@
     already_disabled(false),
     extension(extension) {}
 
 UpdatedExtensionPermissionsInfo::UpdatedExtensionPermissionsInfo(
     const Extension* extension,
     const ExtensionPermissionSet* permissions,
     Reason reason)
     : reason(reason),
       extension(extension),
       permissions(permissions) {}