Fix for WebView accessible resources.

chrome/renderer/extensions/resource_request_policy.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "chrome/renderer/extensions/resource_request_policy.h"
 
 #include "base/logging.h"
 #include "base/strings/stringprintf.h"
 #include "chrome/common/extensions/chrome_manifest_url_handlers.h"
 #include "chrome/common/url_constants.h"
 #include "extensions/common/constants.h"
 #include "extensions/common/extension.h"
+#include "extensions/common/manifest_constants.h"
 #include "extensions/common/manifest_handlers/icons_handler.h"
 #include "extensions/common/manifest_handlers/web_accessible_resources_info.h"
+#include "extensions/common/manifest_handlers/webview_info.h"
 #include "extensions/renderer/renderer_extension_registry.h"
 #include "third_party/WebKit/public/platform/WebString.h"
 #include "third_party/WebKit/public/web/WebConsoleMessage.h"
 #include "third_party/WebKit/public/web/WebDocument.h"
 #include "third_party/WebKit/public/web/WebFrame.h"
 #include "ui/base/page_transition_types.h"
 #include "url/gurl.h"
 
 namespace extensions {
 
@@ skipping 26 matching lines @@
       resource_url.path().empty() ? std::string()
                                   : resource_url.path().substr(1);
   if (extension->is_hosted_app() &&
       !IconsInfo::GetIcons(extension)
           .ContainsPath(resource_root_relative_path)) {
     LOG(ERROR) << "Denying load of " << resource_url.spec() << " from "
                << "hosted app.";
     return false;
   }
 
-  // Disallow loading of extension resources which are not explicitly listed
-  // as web accessible if the manifest version is 2 or greater.
-  if (!WebAccessibleResourcesInfo::IsResourceWebAccessible(
-          extension, resource_url.path())) {
-    GURL frame_url = frame->document().url();
+  // Allow loading of extension resources which are explicitly listed as web or
+  // webview accessible if the manifest version is 2 or greater.
+  const WebviewInfo* webview_info = static_cast<const extensions::WebviewInfo*>(
+      extension->GetManifestData(manifest_keys::kWebviewAccessibleResources));

[not at google - send to devlin, 2015/08/27 20:01:25]

Usually there would be a WebviewInfo::Get(extension) method. Could you add that?

[paulmeyer, 2015/08/31 15:32:55]

Done.

+  if (WebAccessibleResourcesInfo::IsResourceWebAccessible(

[not at google - send to devlin, 2015/08/27 20:01:25]

Is there a way to improve this diff? Like, go back to the old code which didn't
have the early-return. Yes it's a bit less neat (?) but it's hard to see what
you've changed.

[paulmeyer, 2015/08/31 15:32:55]

You're right, it's hard to tell. Done.

+          extension, resource_url.path()) ||
+      (webview_info &&
+       webview_info->IsResourceWebviewAccessible(
+           extension, RendererExtensionRegistry::Get()->webview_partition_id(),
+           resource_url.path()))) {
+    return true;
+  }
 
-    // The page_origin may be GURL("null") for unique origins like data URLs,
-    // but this is ok for the checks below.  We only care if it matches the
-    // current extension or has a devtools scheme.
-    GURL page_origin = GURL(frame->top()->securityOrigin().toString());
+  GURL frame_url = frame->document().url();
 
-    // Exceptions are:
-    // - empty origin (needed for some edge cases when we have empty origins)
-    bool is_empty_origin = frame_url.is_empty();
-    // - extensions requesting their own resources (frame_url check is for
-    //     images, page_url check is for iframes)
-    bool is_own_resource = frame_url.GetOrigin() == extension->url() ||
-                           page_origin == extension->url();
-    // - devtools (chrome-extension:// URLs are loaded into frames of devtools
-    //     to support the devtools extension APIs)
-    bool is_dev_tools =
-        page_origin.SchemeIs(content::kChromeDevToolsScheme) &&
-        !chrome_manifest_urls::GetDevToolsPage(extension).is_empty();
-    bool transition_allowed =
-        !ui::PageTransitionIsWebTriggerable(transition_type);
-    // - unreachable web page error page (to allow showing the icon of the
-    //   unreachable app on this page)
-    bool is_error_page = frame_url == GURL(content::kUnreachableWebDataURL);
+  // The page_origin may be GURL("null") for unique origins like data URLs,
+  // but this is ok for the checks below.  We only care if it matches the
+  // current extension or has a devtools scheme.
+  GURL page_origin = GURL(frame->top()->securityOrigin().toString());
 
-    if (!is_empty_origin && !is_own_resource &&
-        !is_dev_tools && !transition_allowed && !is_error_page) {
-      std::string message = base::StringPrintf(
-          "Denying load of %s. Resources must be listed in the "
-          "web_accessible_resources manifest key in order to be loaded by "
-          "pages outside the extension.",
-          resource_url.spec().c_str());
-      frame->addMessageToConsole(
-          blink::WebConsoleMessage(blink::WebConsoleMessage::LevelError,
-                                    blink::WebString::fromUTF8(message)));
-      return false;
-    }
+  // Exceptions are:
+  // - empty origin (needed for some edge cases when we have empty origins)
+  bool is_empty_origin = frame_url.is_empty();
+  // - extensions requesting their own resources (frame_url check is for
+  //     images, page_url check is for iframes)
+  bool is_own_resource = frame_url.GetOrigin() == extension->url() ||
+                         page_origin == extension->url();
+  // - devtools (chrome-extension:// URLs are loaded into frames of devtools
+  //     to support the devtools extension APIs)
+  bool is_dev_tools =
+      page_origin.SchemeIs(content::kChromeDevToolsScheme) &&
+      !chrome_manifest_urls::GetDevToolsPage(extension).is_empty();
+  bool transition_allowed =
+      !ui::PageTransitionIsWebTriggerable(transition_type);
+  // - unreachable web page error page (to allow showing the icon of the
+  //   unreachable app on this page)
+  bool is_error_page = frame_url == GURL(content::kUnreachableWebDataURL);
+
+  if (!is_empty_origin && !is_own_resource && !is_dev_tools &&
+      !transition_allowed && !is_error_page) {
+    std::string message = base::StringPrintf(
+        "Denying load of %s. Resources must be listed in the "
+        "web_accessible_resources manifest key in order to be loaded by "
+        "pages outside the extension.",
+        resource_url.spec().c_str());
+    frame->addMessageToConsole(
+        blink::WebConsoleMessage(blink::WebConsoleMessage::LevelError,
+                                 blink::WebString::fromUTF8(message)));
+    return false;
   }
 
   return true;
 }
 
 // static
 bool ResourceRequestPolicy::CanRequestExtensionResourceScheme(
     const GURL& resource_url,
     blink::WebFrame* frame) {
   CHECK(resource_url.SchemeIs(extensions::kExtensionResourceScheme));
@@ skipping 11 matching lines @@
     return false;
   }
 
   return true;
 }
 
 ResourceRequestPolicy::ResourceRequestPolicy() {
 }
 
 }  // namespace extensions