Allow 'chrome-extension:' URLs to bypass content settings (2/2)

extensions/renderer/dispatcher.cc

 // Copyright 2014 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "extensions/renderer/dispatcher.h"
 
 #include "base/bind.h"
 #include "base/callback.h"
 #include "base/command_line.h"
 #include "base/containers/scoped_ptr_map.h"
@@ skipping 236 matching lines @@
   script_injection_manager_.reset(
       new ScriptInjectionManager(user_script_set_manager_.get()));
   user_script_set_manager_observer_.Add(user_script_set_manager_.get());
   request_sender_.reset(new RequestSender(this));
   PopulateSourceMap();
   WakeEventPage::Get()->Init(content::RenderThread::Get());
 
   // WebSecurityPolicy whitelists. They should be registered for both
   // chrome-extension: and chrome-extension-resource.
   using RegisterFunction = void (*)(const WebString&);
   RegisterFunction register_functions[] = {

[not at google - send to devlin, 2015/09/09 18:06:52]

This has moved into WebkitInitialized.

       // Treat as secure because communication with them is entirely in the
       // browser, so there is no danger of manipulation or eavesdropping on
       // communication with them by third parties.
       WebSecurityPolicy::registerURLSchemeAsSecure,
       // As far as Blink is concerned, they should be allowed to receive CORS
       // requests. At the Extensions layer, requests will actually be blocked
       // unless overridden by the web_accessible_resources manifest key.
       // TODO(kalman): See what happens with a service worker.
       WebSecurityPolicy::registerURLSchemeAsCORSEnabled,
       // Resources should bypass Content Security Policy checks when included in
       // protected resources. TODO(kalman): What are "protected resources"?
       WebSecurityPolicy::registerURLSchemeAsBypassingContentSecurityPolicy,
       // Extension resources are HTTP-like and safe to expose to the fetch API.
       // The rules for the fetch API are consistent with XHR.
       WebSecurityPolicy::registerURLSchemeAsSupportingFetchAPI,
+      // Extension resources, when loaded as the top-level document, should
+      // bypass Blink's strict first-party origin checks.
+      WebSecurityPolicy::registerURLSchemeAsFirstPartyWhenTopLevel,
   };
 
   WebString extension_scheme(base::ASCIIToUTF16(kExtensionScheme));
   WebString extension_resource_scheme(base::ASCIIToUTF16(
       kExtensionResourceScheme));
   for (RegisterFunction func : register_functions) {
     func(extension_scheme);
     func(extension_resource_scheme);
   }
 }
@@ skipping 1284 matching lines @@
 void Dispatcher::AddChannelSpecificFeatures() {
   // chrome-extension: resources should be allowed to register a Service Worker.
   if (FeatureProvider::GetBehaviorFeature(BehaviorFeature::kServiceWorker)
           ->IsAvailableToEnvironment()
           .is_available())
     WebSecurityPolicy::registerURLSchemeAsAllowingServiceWorkers(
         WebString::fromUTF8(kExtensionScheme));
 }
 
 }  // namespace extensions