Chromium Code Reviews Chromium Code Reviews
Issue 8849010:
Add 'web_accessible_resource" keyword for version 2 extension manifests. This makes extension res... (Closed)
Base URL: svn://chrome-svn/chrome/trunk/src/| Index: chrome/renderer/extensions/extension_resource_request_policy.cc |
| =================================================================== |
| --- chrome/renderer/extensions/extension_resource_request_policy.cc (revision 113054) |
| +++ chrome/renderer/extensions/extension_resource_request_policy.cc (working copy) |
| @@ -38,6 +38,24 @@ |
| return false; |
| } |
| + // Disallow loading of extension resources which are not explicitely listed |
| + // as web accessible if the manifest version is 2 or greater. |
| + |
| + // Exceptions are: |
| + // - empty origin (needed for some edge cases when we have empty origins) |
|
abarth-chromium
2011/12/08 23:52:45
Empty origins no longer exist.
Cris Neckar
2011/12/09 00:06:22
Extension background pages still do. This is what
|
| + // - chrome-extension:// (for legacy reasons -- some extensions interop) |
| + // - data: (basic HTML notifications use data URLs internally) |
|
abarth-chromium
2011/12/08 23:52:45
Doesn't this cause a big security hole? Any web s
Cris Neckar
2011/12/09 00:06:22
Yeah good point. I included this because Aaron had
|
| + if (!frame_url.is_empty() && |
| + !frame_url.SchemeIs(chrome::kExtensionScheme) && |
| + !frame_url.SchemeIs(chrome::kDataScheme) && |
| + (extension->manifest_version() >= 2 || |
| + extension->HasWebAccessibleResources()) && |
| + !extension->IsResourceWebAccessible(resource_url.path())) { |
| + LOG(ERROR) << "Denying load of " << resource_url.spec() << " which " |
| + << "is not a web accessible resource."; |
| + return false; |
| + } |
| + |
| return true; |
| } |
