Chromium Code Reviews Chromium Code Reviews
Issue 1312653003:
Fix for WebView accessible resources. (Closed)
Base URL: https://chromium.googlesource.com/chromium/src.git@master| OLD | NEW |
|---|---|
| 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "chrome/renderer/extensions/resource_request_policy.h" | 5 #include "chrome/renderer/extensions/resource_request_policy.h" |
| 6 | 6 |
| 7 #include "base/logging.h" | 7 #include "base/logging.h" |
| 8 #include "base/strings/stringprintf.h" | 8 #include "base/strings/stringprintf.h" |
| 9 #include "chrome/common/extensions/chrome_manifest_url_handlers.h" | 9 #include "chrome/common/extensions/chrome_manifest_url_handlers.h" |
| 10 #include "chrome/common/url_constants.h" | 10 #include "chrome/common/url_constants.h" |
| 11 #include "extensions/common/constants.h" | 11 #include "extensions/common/constants.h" |
| 12 #include "extensions/common/extension.h" | 12 #include "extensions/common/extension.h" |
| 13 #include "extensions/common/manifest_constants.h" | |
| 13 #include "extensions/common/manifest_handlers/icons_handler.h" | 14 #include "extensions/common/manifest_handlers/icons_handler.h" |
| 14 #include "extensions/common/manifest_handlers/web_accessible_resources_info.h" | 15 #include "extensions/common/manifest_handlers/web_accessible_resources_info.h" |
| 16 #include "extensions/common/manifest_handlers/webview_info.h" | |
| 17 #include "extensions/renderer/dispatcher.h" | |
| 15 #include "extensions/renderer/renderer_extension_registry.h" | 18 #include "extensions/renderer/renderer_extension_registry.h" |
| 16 #include "third_party/WebKit/public/platform/WebString.h" | 19 #include "third_party/WebKit/public/platform/WebString.h" |
| 17 #include "third_party/WebKit/public/web/WebConsoleMessage.h" | 20 #include "third_party/WebKit/public/web/WebConsoleMessage.h" |
| 18 #include "third_party/WebKit/public/web/WebDocument.h" | 21 #include "third_party/WebKit/public/web/WebDocument.h" |
| 19 #include "third_party/WebKit/public/web/WebFrame.h" | 22 #include "third_party/WebKit/public/web/WebFrame.h" |
| 20 #include "ui/base/page_transition_types.h" | 23 #include "ui/base/page_transition_types.h" |
| 21 #include "url/gurl.h" | 24 #include "url/gurl.h" |
| 22 | 25 |
| 23 namespace extensions { | 26 namespace extensions { |
| 24 | 27 |
| 28 ResourceRequestPolicy::ResourceRequestPolicy() {} | |
|
not at google - send to devlin
2015/08/31 21:52:51
Just chuck DISALLOW_COPY_AND_ASSIGN on the Resourc
paulmeyer
2015/09/02 13:43:57
Added the macro, but I still need this constructor
| |
| 29 | |
| 25 // This method does a security check whether chrome-extension:// URLs can be | 30 // This method does a security check whether chrome-extension:// URLs can be |
| 26 // requested by the renderer. Since this is in an untrusted process, the browser | 31 // requested by the renderer. Since this is in an untrusted process, the browser |
| 27 // has a similar check to enforce the policy, in case this process is exploited. | 32 // has a similar check to enforce the policy, in case this process is exploited. |
| 28 // If you are changing this function, ensure equivalent checks are added to | 33 // If you are changing this function, ensure equivalent checks are added to |
| 29 // extension_protocols.cc's AllowExtensionResourceLoad. | 34 // extension_protocols.cc's AllowExtensionResourceLoad. |
| 30 | 35 |
| 31 // static | 36 // static |
| 32 bool ResourceRequestPolicy::CanRequestResource( | 37 bool ResourceRequestPolicy::CanRequestResource( |
| 33 const GURL& resource_url, | 38 const GURL& resource_url, |
| 34 blink::WebFrame* frame, | 39 blink::WebFrame* frame, |
| (...skipping 17 matching lines...) Expand all Loading... | |
| 52 : resource_url.path().substr(1); | 57 : resource_url.path().substr(1); |
| 53 if (extension->is_hosted_app() && | 58 if (extension->is_hosted_app() && |
| 54 !IconsInfo::GetIcons(extension) | 59 !IconsInfo::GetIcons(extension) |
| 55 .ContainsPath(resource_root_relative_path)) { | 60 .ContainsPath(resource_root_relative_path)) { |
| 56 LOG(ERROR) << "Denying load of " << resource_url.spec() << " from " | 61 LOG(ERROR) << "Denying load of " << resource_url.spec() << " from " |
| 57 << "hosted app."; | 62 << "hosted app."; |
| 58 return false; | 63 return false; |
| 59 } | 64 } |
| 60 | 65 |
| 61 // Disallow loading of extension resources which are not explicitly listed | 66 // Disallow loading of extension resources which are not explicitly listed |
| 62 // as web accessible if the manifest version is 2 or greater. | 67 // as web or WebView accessible if the manifest version is 2 or greater. |
| 68 const WebviewInfo* webview_info = WebviewInfo::Get(extension); | |
| 63 if (!WebAccessibleResourcesInfo::IsResourceWebAccessible( | 69 if (!WebAccessibleResourcesInfo::IsResourceWebAccessible( |
| 64 extension, resource_url.path())) { | 70 extension, resource_url.path()) && |
| 71 !(webview_info && | |
| 72 webview_info->IsResourceWebviewAccessible( | |
| 73 extension, extensions::Dispatcher::GetWebViewPartitionID(), | |
|
not at google - send to devlin
2015/08/31 21:52:51
This file is already in the extensions namespace.
paulmeyer
2015/09/02 13:43:57
You're right. The other uses of "extensions::" thr
| |
| 74 resource_url.path()))) { | |
| 65 GURL frame_url = frame->document().url(); | 75 GURL frame_url = frame->document().url(); |
| 66 | 76 |
| 67 // The page_origin may be GURL("null") for unique origins like data URLs, | 77 // The page_origin may be GURL("null") for unique origins like data URLs, |
| 68 // but this is ok for the checks below. We only care if it matches the | 78 // but this is ok for the checks below. We only care if it matches the |
| 69 // current extension or has a devtools scheme. | 79 // current extension or has a devtools scheme. |
| 70 GURL page_origin = GURL(frame->top()->securityOrigin().toString()); | 80 GURL page_origin = GURL(frame->top()->securityOrigin().toString()); |
| 71 | 81 |
| 72 // Exceptions are: | 82 // Exceptions are: |
| 73 // - empty origin (needed for some edge cases when we have empty origins) | 83 // - empty origin (needed for some edge cases when we have empty origins) |
| 74 bool is_empty_origin = frame_url.is_empty(); | 84 bool is_empty_origin = frame_url.is_empty(); |
| (...skipping 44 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 119 resource_url.spec().c_str()); | 129 resource_url.spec().c_str()); |
| 120 frame->addMessageToConsole( | 130 frame->addMessageToConsole( |
| 121 blink::WebConsoleMessage(blink::WebConsoleMessage::LevelError, | 131 blink::WebConsoleMessage(blink::WebConsoleMessage::LevelError, |
| 122 blink::WebString::fromUTF8(message))); | 132 blink::WebString::fromUTF8(message))); |
| 123 return false; | 133 return false; |
| 124 } | 134 } |
| 125 | 135 |
| 126 return true; | 136 return true; |
| 127 } | 137 } |
| 128 | 138 |
| 129 ResourceRequestPolicy::ResourceRequestPolicy() { | |
| 130 } | |
| 131 | |
| 132 } // namespace extensions | 139 } // namespace extensions |
| OLD | NEW |
