Index: chrome/renderer/chrome_content_renderer_client.cc |
diff --git a/chrome/renderer/chrome_content_renderer_client.cc b/chrome/renderer/chrome_content_renderer_client.cc |
index 5f902a2065b2d5cdf99e1b3b61b50ee9b0a920a8..c741c57d769ac8d1f1b47df507836c4bd9e80c28 100644 |
--- a/chrome/renderer/chrome_content_renderer_client.cc |
+++ b/chrome/renderer/chrome_content_renderer_client.cc |
@@ -214,6 +214,14 @@ void ChromeContentRendererClient::RenderThreadStarted() { |
// chrome-extension: resources should be allowed to receive CORS requests. |
WebSecurityPolicy::registerURLSchemeAsCORSEnabled(extension_scheme); |
+ |
+ WebString extension_resource_scheme( |
+ ASCIIToUTF16(chrome::kExtensionResourceScheme)); |
+ WebSecurityPolicy::registerURLSchemeAsSecure(extension_resource_scheme); |
+ |
+ // chrome-extension-resource: resources should be allowed to receive CORS |
+ // requests. |
+ WebSecurityPolicy::registerURLSchemeAsCORSEnabled(extension_resource_scheme); |
} |
void ChromeContentRendererClient::RenderViewCreated( |
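Review bot: The added `registerURLSchemeAsSecure(extension_resource_scheme)` call has no comment, while the CORS registration directly below it does. Registering a scheme as secure exempts its loads from mixed-content handling on secure pages, so the reason should sit next to the call, for example `// chrome-extension-resource: resources shouldn't trigger insecure content warnings.` above the `WebString` declaration. The comment should also say what makes content served under this scheme trustworthy; presumably it only maps to resources shipped with the browser, but nothing in this hunk shows that. RenderThreadStarted() begins outside the hunk.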
@@ -703,14 +711,18 @@ bool ChromeContentRendererClient::ShouldFork(WebFrame* frame, |
bool ChromeContentRendererClient::WillSendRequest(WebKit::WebFrame* frame, |
const GURL& url, |
GURL* new_url) { |
- // If the request is for an extension resource, check whether it should be |
- // allowed. If not allowed, we reset the URL to something invalid to prevent |
- // the request and cause an error. |
- if (url.SchemeIs(chrome::kExtensionScheme) && |
+ // Check whether the request should be allowed. If not allowed, we reset the |
+ // URL to something invalid to prevent the request and cause an error. |
+ if ((url.SchemeIs(chrome::kExtensionScheme) && |
!ExtensionResourceRequestPolicy::CanRequestResource( |
url, |
frame, |
- extension_dispatcher_->extensions())) { |
+ extension_dispatcher_->extensions())) || |
+ (url.SchemeIs(chrome::kExtensionResourceScheme) && |
Tom Sepez
2012/04/18 18:03:01
Worry about promoting a c-e-r:// scheme to a c-e:/
Aaron Boodman
2012/04/18 18:06:21
Theoretically, this URL should have no privileges,
Tom Sepez
2012/04/18 18:24:38
Maybe you invent c-e-r://null and check for that i
Peng
2012/04/18 18:29:16
Tom, Aaron, Any suggestion? I don't know any other
Peng
2012/04/18 18:35:12
Only requesting from web page will be redirected t
Peng
2012/04/18 18:47:32
Done.
Aaron Boodman
2012/04/18 18:51:01
How is that different from what we do now?
Can we
Aaron Boodman
2012/04/18 19:13:49
I discussed with peng offline. We are going to use
|
+ !ExtensionResourceRequestPolicy::CanRequestExtensionResourceScheme( |
+ url, |
+ frame, |
+ extension_dispatcher_->extensions()))) { |
*new_url = GURL("chrome-extension://invalid/"); |
return true; |
} |
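Review bot: The rewritten comment above the `if` no longer says which requests are subject to the check; the old text named extension resources, while the new one reads as though every request goes through policy. The condition now gates two schemes through two different policy functions, so the comment should name both, e.g. `// Requests for chrome-extension: and chrome-extension-resource: URLs are checked against the extension resource request policy; a denied request has its URL reset to something invalid so that it fails.` That also makes it explicit to a later reader that URLs of any other scheme are not touched by this block. WillSendRequest() appears to continue past the end of the hunk.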