Allow whitelisted content scripts to be injected in WebViews.

extensions/browser/user_script_loader.cc

Index: extensions/browser/user_script_loader.cc
diff --git a/extensions/browser/user_script_loader.cc b/extensions/browser/user_script_loader.cc
index 7daf95d22fe367431d9002748da60ff7b3245439..be4fa0d8e04031c5a385313eebc69743cafc9021 100644
--- a/extensions/browser/user_script_loader.cc
+++ b/extensions/browser/user_script_loader.cc
@@ -378,9 +378,9 @@ void UserScriptLoader::OnScriptsLoaded(
 void UserScriptLoader::SendUpdate(content::RenderProcessHost* process,
                                   base::SharedMemory* shared_memory,
                                   const std::set<HostID>& changed_hosts) {
-  // Don't allow injection of extensions' content scripts into <webview>.
-  if (process->IsIsolatedGuest() && host_id().id().empty())
-    return;
+  // Don't allow injection of non-whitelisted extensions' content scripts
+  // into <webview>.
+  bool whitelisted_only = process->IsIsolatedGuest() && host_id().id().empty();

[not at google - send to devlin, 2015/05/14 23:11:18]

I need to look into this more, but my reaction is, why this permission checking
is done in as part of ExtensionMsg_UpdateUserScripts. That's just notifying the
renderer that new user scripts are available, but they actually already are.
Seems a little fragile.

A more robust way would be to make sure we only share component extensions
content script memory regions with isolated guests, like,

if (process->IsIsolatedGuest() && !extension->is_component_or_whatever()) {
  // don't share the shared memory handle with isolated guests
  // unless this is a component extension.
  return;
}

if there were an extension available to SendUpdate. Which obviously there isn't
- actually this gets the *set* of things to update, so you'd need to filter out
any of the |changed_hosts| which aren't component extensions (nor guest view
scripts) if it's a guest view.

Hopefully that makes sense.

[dmazzoni, 2015/05/14 23:28:36]

Sure.
Filtering out extensions that aren't allowed to run in that renderer from
changed_hosts makes perfect sense, I can do that.

Is it really possible to filter out just some of the content scripts from the
shared memory now? I thought it was just one big shared memory region now,
so it'd require a lot of refactoring to split it into a separate region per
extension - and it'd probably waste a lot of resources too.

Currently each content script is shared with every process (other than webview
guest
processes), even though many / most content scripts have origin restrictions
so they'll never be used in some renderers.

 
   // Make sure we only send user scripts to processes in our browser_context.
   if (!ExtensionsBrowserClient::Get()->IsSameContext(
@@ -399,7 +399,9 @@ void UserScriptLoader::SendUpdate(content::RenderProcessHost* process,
 
   if (base::SharedMemory::IsHandleValid(handle_for_process)) {
     process->Send(new ExtensionMsg_UpdateUserScripts(handle_for_process,
-                                                     host_id(), changed_hosts));
+                                                     host_id(),
+                                                     changed_hosts,
+                                                     whitelisted_only));
   }
 }