Consider the origin when computing extension permissions

chrome/common/extensions/extension_set.cc

Index: chrome/common/extensions/extension_set.cc
===================================================================
--- chrome/common/extensions/extension_set.cc	(revision 111763)
+++ chrome/common/extensions/extension_set.cc	(working copy)
@@ -7,6 +7,8 @@
 #include "base/logging.h"
 #include "chrome/common/url_constants.h"
 
+using WebKit::WebSecurityOrigin;
+
 ExtensionSet::ExtensionSet() {
 }
 
@@ -29,18 +31,37 @@
   extensions_.erase(id);
 }
 
-std::string ExtensionSet::GetIdByURL(const GURL& url) const {
+std::string ExtensionSet::GetIdByURL(WebSecurityOrigin origin,
+                                     const GURL& url) const {
   if (url.SchemeIs(chrome::kExtensionScheme))
-    return url.host();
+    return origin.isUnique() ? "" : url.host();

[Aaron Boodman, 2011/11/30 02:01:31]

What will the host() be in the case of a unique origin. Seems like it would
already be the empty string.

[abarth-chromium, 2011/11/30 02:04:49]

In the case of iframe sandbox, it can actually be anything.  You can take
whatever URL you like and render it in a sandboxed iframe.  The iframe will then
have a unique origin, but it will remember its normal URL.

 
-  const Extension* extension = GetByURL(url);
+  const Extension* extension = GetByURL(origin, url);
   if (!extension)
     return "";
 
   return extension->id();
 }
 
-const Extension* ExtensionSet::GetByURL(const GURL& url) const {
+const Extension* ExtensionSet::GetByURL(WebSecurityOrigin origin,
+                                        const GURL& url) const {
+  // The extension system uses both a document's origin and its URL to
+  // grant permissions. Ideally, we would use only the origin, but because
+  // the web extent of a hosted app can be less than an entire origin, we
+  // take the URL into account as well
+  //
+  // In the common case, the document's origin will coorespond to its URL,

[Aaron Boodman, 2011/11/30 02:01:31]

typo: coorespond

+  // but in some rare cases involving sandboxing, the two will be different.
+  // We catch those cases by checking whether the document's origin is unique.
+  // If that's not the case, then we conclude that the document's security
+  // context is well-described by its URL and proceed to use only the URL.
+  if (origin.isUnique())
+    return NULL;
+  return GetByURLWithoutSecurityCheck(url);
+}
+
+const Extension* ExtensionSet::GetByURLWithoutSecurityCheck(
+    const GURL& url) const {
   if (url.SchemeIs(chrome::kExtensionScheme))
     return GetByID(url.host());
 
@@ -55,7 +76,8 @@
 
 bool ExtensionSet::InSameExtent(const GURL& old_url,
                                 const GURL& new_url) const {
-  return GetByURL(old_url) == GetByURL(new_url);
+  return GetByURLWithoutSecurityCheck(old_url) ==
+      GetByURLWithoutSecurityCheck(new_url);
 }
 
 const Extension* ExtensionSet::GetByID(const std::string& id) const {
@@ -66,7 +88,11 @@
     return NULL;
 }
 
-bool ExtensionSet::ExtensionBindingsAllowed(const GURL& url) const {
+bool ExtensionSet::ExtensionBindingsAllowed(WebSecurityOrigin origin,
+                                            const GURL& url) const {
+  if (origin.isUnique())
+    return false;
+
   if (url.SchemeIs(chrome::kExtensionScheme))
     return true;