Consider the origin when computing extension permissions

chrome/browser/extensions/extension_info_map_unittest.cc

 // Copyright (c) 2011 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "base/json/json_value_serializer.h"
 #include "base/message_loop.h"
 #include "base/path_service.h"
 #include "chrome/browser/extensions/extension_info_map.h"
 #include "chrome/common/chrome_paths.h"
 #include "chrome/common/extensions/extension.h"
 #include "content/test/test_browser_thread.h"
 #include "testing/gtest/include/gtest/gtest.h"
+#include "third_party/WebKit/Source/WebKit/chromium/public/WebString.h"
+#include "third_party/WebKit/Source/WebKit/chromium/public/WebURL.h"
 
 using content::BrowserThread;
+using WebKit::WebSecurityOrigin;
+using WebKit::WebString;
 
 namespace keys = extension_manifest_keys;
 
 namespace {
 
 class ExtensionInfoMapTest : public testing::Test {
  public:
   ExtensionInfoMapTest()
       : ui_thread_(BrowserThread::UI, &message_loop_),
         io_thread_(BrowserThread::IO, &message_loop_) {
@@ skipping 98 matching lines @@
 // Tests CheckURLAccessToExtensionPermission given both extension and app URLs.
 TEST_F(ExtensionInfoMapTest, CheckPermissions) {
   scoped_refptr<ExtensionInfoMap> info_map(new ExtensionInfoMap());
 
   scoped_refptr<Extension> app(LoadManifest("manifest_tests",
                                             "valid_app.json"));
   scoped_refptr<Extension> extension(LoadManifest("manifest_tests",
                                                   "tabs_extension.json"));
 
   GURL app_url("http://www.google.com/mail/foo.html");
+  WebSecurityOrigin app_origin = WebSecurityOrigin::create(
+      GURL("http://www.google.com/mail/foo.html"));
   ASSERT_TRUE(app->is_app());
   ASSERT_TRUE(app->web_extent().MatchesURL(app_url));
 
   info_map->AddExtension(app, base::Time(), false);
   info_map->AddExtension(extension, base::Time(), false);
 
   // The app should have the notifications permission, either from a
   // chrome-extension URL or from its web extent.
   const Extension* match = info_map->extensions().GetByURL(
-      app->GetResourceURL("a.html"));
+      ExtensionURLInfo(app_origin, app->GetResourceURL("a.html")));
   EXPECT_TRUE(match &&
       match->HasAPIPermission(ExtensionAPIPermission::kNotification));
-  match = info_map->extensions().GetByURL(app_url);
+  match = info_map->extensions().GetByURL(
+      ExtensionURLInfo(app_origin, app_url));
   EXPECT_TRUE(match &&
       match->HasAPIPermission(ExtensionAPIPermission::kNotification));
   EXPECT_FALSE(match &&
       match->HasAPIPermission(ExtensionAPIPermission::kTab));
 
   // The extension should have the tabs permission.
-  match = info_map->extensions().GetByURL(extension->GetResourceURL("a.html"));
+  match = info_map->extensions().GetByURL(
+      ExtensionURLInfo(app_origin, extension->GetResourceURL("a.html")));
   EXPECT_TRUE(match &&
       match->HasAPIPermission(ExtensionAPIPermission::kTab));
   EXPECT_FALSE(match &&
       match->HasAPIPermission(ExtensionAPIPermission::kNotification));
 
   // Random URL should not have any permissions.
-  match = info_map->extensions().GetByURL(GURL("http://evil.com/a.html"));
+  GURL evil_url("http://evil.com/a.html");
+  match = info_map->extensions().GetByURL(
+      ExtensionURLInfo(WebSecurityOrigin::create(evil_url), evil_url));
+  EXPECT_FALSE(match);
+
+  // Sandboxed origins should not have any permissions.
+  match = info_map->extensions().GetByURL(ExtensionURLInfo(
+      WebSecurityOrigin::createFromString(WebString::fromUTF8("null")),
+      app_url));
   EXPECT_FALSE(match);
 }
 
 }  // namespace