Chromium Code Reviews Chromium Code Reviews
Issue 8849010:
Add 'web_accessible_resource" keyword for version 2 extension manifests. This makes extension res... (Closed)
Base URL: svn://chrome-svn/chrome/trunk/src/| OLD | NEW |
|---|---|
| 1 // Copyright (c) 2011 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2011 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "chrome/renderer/extensions/extension_resource_request_policy.h" | 5 #include "chrome/renderer/extensions/extension_resource_request_policy.h" |
| 6 | 6 |
| 7 #include "base/logging.h" | 7 #include "base/logging.h" |
| 8 #include "chrome/common/url_constants.h" | 8 #include "chrome/common/url_constants.h" |
| 9 #include "chrome/common/extensions/extension.h" | 9 #include "chrome/common/extensions/extension.h" |
| 10 #include "chrome/common/extensions/extension_set.h" | 10 #include "chrome/common/extensions/extension_set.h" |
| (...skipping 20 matching lines...) Expand all Loading... | |
| 31 // launchers. | 31 // launchers. |
| 32 std::string resource_root_relative_path = | 32 std::string resource_root_relative_path = |
| 33 resource_url.path().empty() ? "" : resource_url.path().substr(1); | 33 resource_url.path().empty() ? "" : resource_url.path().substr(1); |
| 34 if (extension->is_hosted_app() && | 34 if (extension->is_hosted_app() && |
| 35 !extension->icons().ContainsPath(resource_root_relative_path)) { | 35 !extension->icons().ContainsPath(resource_root_relative_path)) { |
| 36 LOG(ERROR) << "Denying load of " << resource_url.spec() << " from " | 36 LOG(ERROR) << "Denying load of " << resource_url.spec() << " from " |
| 37 << "hosted app."; | 37 << "hosted app."; |
| 38 return false; | 38 return false; |
| 39 } | 39 } |
| 40 | 40 |
| 41 // Disallow loading of extension resources which are not explicitely listed | |
| 42 // as web accessible if the manifest version is 2 or greater. | |
| 43 | |
| 44 // Exceptions are: | |
| 45 // - empty origin (needed for some edge cases when we have empty origins) | |
|
abarth-chromium
2011/12/08 23:52:45
Empty origins no longer exist.
Cris Neckar
2011/12/09 00:06:22
Extension background pages still do. This is what
| |
| 46 // - chrome-extension:// (for legacy reasons -- some extensions interop) | |
| 47 // - data: (basic HTML notifications use data URLs internally) | |
|
abarth-chromium
2011/12/08 23:52:45
Doesn't this cause a big security hole? Any web s
Cris Neckar
2011/12/09 00:06:22
Yeah good point. I included this because Aaron had
| |
| 48 if (!frame_url.is_empty() && | |
| 49 !frame_url.SchemeIs(chrome::kExtensionScheme) && | |
| 50 !frame_url.SchemeIs(chrome::kDataScheme) && | |
| 51 (extension->manifest_version() >= 2 || | |
| 52 extension->HasWebAccessibleResources()) && | |
| 53 !extension->IsResourceWebAccessible(resource_url.path())) { | |
| 54 LOG(ERROR) << "Denying load of " << resource_url.spec() << " which " | |
| 55 << "is not a web accessible resource."; | |
| 56 return false; | |
| 57 } | |
| 58 | |
| 41 return true; | 59 return true; |
| 42 } | 60 } |
| 43 | 61 |
| 44 ExtensionResourceRequestPolicy::ExtensionResourceRequestPolicy() { | 62 ExtensionResourceRequestPolicy::ExtensionResourceRequestPolicy() { |
| 45 } | 63 } |
| OLD | NEW |
