tab capture: Change the permissions for tabs.captureVisibleTab().

extensions/common/permissions/permissions_data_unittest.cc

 // Copyright (c) 2013 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include <vector>
 
 #include "base/command_line.h"
 #include "base/memory/ref_counted.h"
 #include "base/strings/string16.h"
 #include "base/strings/utf_string_conversions.h"
@@ skipping 230 matching lines @@
     urls_.insert(favicon_url);
     urls_.insert(extension_url);
     urls_.insert(settings_url);
     urls_.insert(about_url);
     // Ignore the policy delegate for this test.
     PermissionsData::SetPolicyDelegate(NULL);
   }
 
   bool AllowedScript(const Extension* extension, const GURL& url,
                      const GURL& top_url) {
+    return AllowedScript(extension, url, top_url, -1);
+  }
+
+  bool AllowedScript(const Extension* extension, const GURL& url,
+                     const GURL& top_url, int tab_id) {
     return PermissionsData::CanExecuteScriptOnPage(
-        extension, url, top_url, -1, NULL, -1, NULL);
+        extension, url, top_url, tab_id, NULL, -1, NULL);
   }
 
   bool BlockedScript(const Extension* extension, const GURL& url,
                      const GURL& top_url) {
     return !PermissionsData::CanExecuteScriptOnPage(
         extension, url, top_url, -1, NULL, -1, NULL);
   }
 
   bool Allowed(const Extension* extension, const GURL& url) {
     return Allowed(extension, url, -1);
   }
 
   bool Allowed(const Extension* extension, const GURL& url, int tab_id) {
     return (PermissionsData::CanExecuteScriptOnPage(
                 extension, url, url, tab_id, NULL, -1, NULL) &&
             PermissionsData::CanCaptureVisiblePage(
-                extension, url, tab_id, NULL));
+                extension, tab_id, NULL));
   }
 
   bool CaptureOnly(const Extension* extension, const GURL& url) {
     return CaptureOnly(extension, url, -1);
   }
 
   bool CaptureOnly(const Extension* extension, const GURL& url, int tab_id) {
     return !PermissionsData::CanExecuteScriptOnPage(
                 extension, url, url, tab_id, NULL, -1, NULL) &&
-           PermissionsData::CanCaptureVisiblePage(extension, url, tab_id, NULL);
+           PermissionsData::CanCaptureVisiblePage(extension, tab_id, NULL);
   }
 
   bool Blocked(const Extension* extension, const GURL& url) {
     return Blocked(extension, url, -1);
   }
 
   bool Blocked(const Extension* extension, const GURL& url, int tab_id) {
     return !(PermissionsData::CanExecuteScriptOnPage(
                  extension, url, url, tab_id, NULL, -1, NULL) ||
              PermissionsData::CanCaptureVisiblePage(
-                 extension, url, tab_id, NULL));
+                 extension, tab_id, NULL));
   }
 
-  bool AllowedExclusivelyOnTab(
+  bool ScriptAllowedExclusivelyOnTab(
       const Extension* extension,
       const std::set<GURL>& allowed_urls,
       int tab_id) {
     bool result = true;
     for (std::set<GURL>::iterator it = urls_.begin(); it != urls_.end(); ++it) {
       const GURL& url = *it;
       if (allowed_urls.count(url))
-        result &= Allowed(extension, url, tab_id);
+        result &= AllowedScript(extension, url, url, tab_id);
       else
         result &= Blocked(extension, url, tab_id);
     }
     return result;
   }
 
   // URLs that are "safe" to provide scripting and capture visible tab access
   // to if the permissions allow it.
   const GURL http_url;
   const GURL http_url_with_path;
@@ skipping 14 matching lines @@
   std::set<GURL> urls_;
 };
 
 TEST_F(ExtensionScriptAndCaptureVisibleTest, Permissions) {
   // Test <all_urls> for regular extensions.
   scoped_refptr<Extension> extension = LoadManifestStrict("script_and_capture",
       "extension_regular_all.json");
 
   EXPECT_TRUE(Allowed(extension.get(), http_url));
   EXPECT_TRUE(Allowed(extension.get(), https_url));
-  EXPECT_TRUE(Blocked(extension.get(), file_url));
-  EXPECT_TRUE(Blocked(extension.get(), settings_url));
+  EXPECT_TRUE(CaptureOnly(extension.get(), file_url));
+  EXPECT_TRUE(CaptureOnly(extension.get(), settings_url));

[not at google - send to devlin, 2014/01/16 17:48:26]

Ugh this is tricky. Oh well I don't think there's realistically much we can do
about this besides on tab capture enumerate all of the frames on a page and make
sure none of them are file URLs (unless an extension has been granted file
access).

let me chat to the security people about this.

[not at google - send to devlin, 2014/01/16 18:57:14]

This is ok, turns out you can't put a file:// URL in an iframe. However
taptureVisibleTab should still respect the extension preference for enabling
access to file URLs in the top frame.

   EXPECT_TRUE(CaptureOnly(extension.get(), favicon_url));
-  EXPECT_TRUE(Blocked(extension.get(), about_url));
-  EXPECT_TRUE(Blocked(extension.get(), extension_url));
+  EXPECT_TRUE(CaptureOnly(extension.get(), about_url));
+  EXPECT_TRUE(CaptureOnly(extension.get(), extension_url));
 
   // Test access to iframed content.
   GURL within_extension_url = extension->GetResourceURL("page.html");
   EXPECT_TRUE(AllowedScript(extension.get(), http_url, http_url_with_path));
   EXPECT_TRUE(AllowedScript(extension.get(), https_url, http_url_with_path));
   EXPECT_TRUE(AllowedScript(extension.get(), http_url, within_extension_url));
   EXPECT_TRUE(AllowedScript(extension.get(), https_url, within_extension_url));
   EXPECT_TRUE(BlockedScript(extension.get(), http_url, extension_url));
   EXPECT_TRUE(BlockedScript(extension.get(), https_url, extension_url));
 
   EXPECT_FALSE(
       PermissionsData::HasHostPermission(extension.get(), settings_url));
   EXPECT_FALSE(PermissionsData::HasHostPermission(extension.get(), about_url));
   EXPECT_TRUE(PermissionsData::HasHostPermission(extension.get(), favicon_url));
 
   // Test * for scheme, which implies just the http/https schemes.
   extension = LoadManifestStrict("script_and_capture",
       "extension_wildcard.json");
-  EXPECT_TRUE(Allowed(extension.get(), http_url));
-  EXPECT_TRUE(Allowed(extension.get(), https_url));
+  EXPECT_TRUE(AllowedScript(extension.get(), http_url, http_url));
+  EXPECT_TRUE(AllowedScript(extension.get(), https_url, https_url));
+  EXPECT_FALSE(Allowed(extension.get(), http_url));
+  EXPECT_FALSE(Allowed(extension.get(), https_url));
   EXPECT_TRUE(Blocked(extension.get(), settings_url));
   EXPECT_TRUE(Blocked(extension.get(), about_url));
   EXPECT_TRUE(Blocked(extension.get(), file_url));
   EXPECT_TRUE(Blocked(extension.get(), favicon_url));
   extension =
       LoadManifest("script_and_capture", "extension_wildcard_settings.json");
   EXPECT_TRUE(Blocked(extension.get(), settings_url));
 
   // Having chrome://*/ should not work for regular extensions. Note that
   // for favicon access, we require the explicit pattern chrome://favicon/*.
   std::string error;
   extension = LoadManifestUnchecked("script_and_capture",
                                     "extension_wildcard_chrome.json",
                                     Manifest::INTERNAL, Extension::NO_FLAGS,
                                     &error);
   std::vector<InstallWarning> warnings = extension->install_warnings();
   EXPECT_FALSE(warnings.empty());
   EXPECT_EQ(ErrorUtils::FormatErrorMessage(
                 manifest_errors::kInvalidPermissionScheme,
                 "chrome://*/"),
             warnings[0].message);
   EXPECT_TRUE(Blocked(extension.get(), settings_url));
   EXPECT_TRUE(Blocked(extension.get(), favicon_url));
   EXPECT_TRUE(Blocked(extension.get(), about_url));
 
   // Having chrome://favicon/* should not give you chrome://*
   extension = LoadManifestStrict("script_and_capture",
       "extension_chrome_favicon_wildcard.json");
   EXPECT_TRUE(Blocked(extension.get(), settings_url));
-  EXPECT_TRUE(CaptureOnly(extension.get(), favicon_url));
+  EXPECT_TRUE(Blocked(extension.get(), favicon_url));
   EXPECT_TRUE(Blocked(extension.get(), about_url));
   EXPECT_TRUE(PermissionsData::HasHostPermission(extension.get(), favicon_url));
 
   // Having http://favicon should not give you chrome://favicon
   extension = LoadManifestStrict("script_and_capture",
       "extension_http_favicon.json");
   EXPECT_TRUE(Blocked(extension.get(), settings_url));
   EXPECT_TRUE(Blocked(extension.get(), favicon_url));
 
   // Component extensions with <all_urls> should get everything.
   extension = LoadManifest("script_and_capture", "extension_component_all.json",
       Manifest::COMPONENT, Extension::NO_FLAGS);
   EXPECT_TRUE(Allowed(extension.get(), http_url));
   EXPECT_TRUE(Allowed(extension.get(), https_url));
   EXPECT_TRUE(Allowed(extension.get(), settings_url));
   EXPECT_TRUE(Allowed(extension.get(), about_url));
   EXPECT_TRUE(Allowed(extension.get(), favicon_url));
   EXPECT_TRUE(PermissionsData::HasHostPermission(extension.get(), favicon_url));
 
   // Component extensions should only get access to what they ask for.
   extension = LoadManifest("script_and_capture",
       "extension_component_google.json", Manifest::COMPONENT,
       Extension::NO_FLAGS);
-  EXPECT_TRUE(Allowed(extension.get(), http_url));
+  EXPECT_TRUE(AllowedScript(extension.get(), http_url, http_url));
+  EXPECT_FALSE(Allowed(extension.get(), http_url));
   EXPECT_TRUE(Blocked(extension.get(), https_url));
   EXPECT_TRUE(Blocked(extension.get(), file_url));
   EXPECT_TRUE(Blocked(extension.get(), settings_url));
   EXPECT_TRUE(Blocked(extension.get(), favicon_url));
   EXPECT_TRUE(Blocked(extension.get(), about_url));
   EXPECT_TRUE(Blocked(extension.get(), extension_url));
   EXPECT_FALSE(
       PermissionsData::HasHostPermission(extension.get(), settings_url));
 }
 
 TEST_F(ExtensionScriptAndCaptureVisibleTest, PermissionsWithChromeURLsEnabled) {
   CommandLine::ForCurrentProcess()->AppendSwitch(
       switches::kExtensionsOnChromeURLs);
 
   scoped_refptr<Extension> extension;
 
   // Test <all_urls> for regular extensions.
   extension = LoadManifestStrict("script_and_capture",
       "extension_regular_all.json");
   EXPECT_TRUE(Allowed(extension.get(), http_url));
   EXPECT_TRUE(Allowed(extension.get(), https_url));
-  EXPECT_TRUE(Blocked(extension.get(), file_url));
-  EXPECT_TRUE(Blocked(extension.get(), settings_url));
+  EXPECT_TRUE(CaptureOnly(extension.get(), file_url));
+  EXPECT_TRUE(CaptureOnly(extension.get(), settings_url));
   EXPECT_TRUE(Allowed(extension.get(), favicon_url));  // chrome:// requested
-  EXPECT_TRUE(Blocked(extension.get(), about_url));
-  EXPECT_TRUE(Blocked(extension.get(), extension_url));
+  EXPECT_TRUE(CaptureOnly(extension.get(), about_url));
+  EXPECT_TRUE(CaptureOnly(extension.get(), extension_url));
 
   // Test access to iframed content.
   GURL within_extension_url = extension->GetResourceURL("page.html");
   EXPECT_TRUE(AllowedScript(extension.get(), http_url, http_url_with_path));
   EXPECT_TRUE(AllowedScript(extension.get(), https_url, http_url_with_path));
   EXPECT_TRUE(AllowedScript(extension.get(), http_url, within_extension_url));
   EXPECT_TRUE(AllowedScript(extension.get(), https_url, within_extension_url));
   EXPECT_TRUE(BlockedScript(extension.get(), http_url, extension_url));
   EXPECT_TRUE(BlockedScript(extension.get(), https_url, extension_url));
 
   EXPECT_FALSE(
       PermissionsData::HasHostPermission(extension.get(), settings_url));
   EXPECT_FALSE(PermissionsData::HasHostPermission(extension.get(), about_url));
   EXPECT_TRUE(PermissionsData::HasHostPermission(extension.get(), favicon_url));
 
   // Test * for scheme, which implies just the http/https schemes.
   extension = LoadManifestStrict("script_and_capture",
       "extension_wildcard.json");
-  EXPECT_TRUE(Allowed(extension.get(), http_url));
-  EXPECT_TRUE(Allowed(extension.get(), https_url));
+  EXPECT_FALSE(Allowed(extension.get(), http_url));
+  EXPECT_FALSE(Allowed(extension.get(), https_url));
+  EXPECT_TRUE(AllowedScript(extension.get(), http_url, http_url));
+  EXPECT_TRUE(AllowedScript(extension.get(), https_url, https_url));
   EXPECT_TRUE(Blocked(extension.get(), settings_url));
   EXPECT_TRUE(Blocked(extension.get(), about_url));
   EXPECT_TRUE(Blocked(extension.get(), file_url));
   EXPECT_TRUE(Blocked(extension.get(), favicon_url));
   extension =
       LoadManifest("script_and_capture", "extension_wildcard_settings.json");
   EXPECT_TRUE(Blocked(extension.get(), settings_url));
 
   // Having chrome://*/ should work for regular extensions with the flag
   // enabled.
   std::string error;
   extension = LoadManifestUnchecked("script_and_capture",
                                     "extension_wildcard_chrome.json",
                                     Manifest::INTERNAL, Extension::NO_FLAGS,
                                     &error);
   EXPECT_FALSE(extension.get() == NULL);
   EXPECT_TRUE(Blocked(extension.get(), http_url));
   EXPECT_TRUE(Blocked(extension.get(), https_url));
-  EXPECT_TRUE(Allowed(extension.get(), settings_url));
+  EXPECT_FALSE(Allowed(extension.get(), settings_url));
+  EXPECT_TRUE(AllowedScript(extension.get(), settings_url, settings_url));
   EXPECT_TRUE(Blocked(extension.get(), about_url));
   EXPECT_TRUE(Blocked(extension.get(), file_url));
-  EXPECT_TRUE(Allowed(extension.get(), favicon_url));  // chrome:// requested
+  EXPECT_FALSE(Allowed(extension.get(), favicon_url));
+  EXPECT_TRUE(AllowedScript(extension.get(), favicon_url, favicon_url));
 
   // Having chrome://favicon/* should not give you chrome://*
   extension = LoadManifestStrict("script_and_capture",
       "extension_chrome_favicon_wildcard.json");
   EXPECT_TRUE(Blocked(extension.get(), settings_url));
-  EXPECT_TRUE(Allowed(extension.get(), favicon_url));  // chrome:// requested
+  EXPECT_FALSE(Allowed(extension.get(), favicon_url));
+  EXPECT_TRUE(AllowedScript(extension.get(), favicon_url, favicon_url));
   EXPECT_TRUE(Blocked(extension.get(), about_url));
   EXPECT_TRUE(PermissionsData::HasHostPermission(extension.get(), favicon_url));
 
   // Having http://favicon should not give you chrome://favicon
   extension = LoadManifestStrict("script_and_capture",
       "extension_http_favicon.json");
   EXPECT_TRUE(Blocked(extension.get(), settings_url));
   EXPECT_TRUE(Blocked(extension.get(), favicon_url));
 
   // Component extensions with <all_urls> should get everything.
   extension = LoadManifest("script_and_capture", "extension_component_all.json",
       Manifest::COMPONENT, Extension::NO_FLAGS);
   EXPECT_TRUE(Allowed(extension.get(), http_url));
   EXPECT_TRUE(Allowed(extension.get(), https_url));
   EXPECT_TRUE(Allowed(extension.get(), settings_url));
   EXPECT_TRUE(Allowed(extension.get(), about_url));
   EXPECT_TRUE(Allowed(extension.get(), favicon_url));
   EXPECT_TRUE(PermissionsData::HasHostPermission(extension.get(), favicon_url));
 
   // Component extensions should only get access to what they ask for.
   extension = LoadManifest("script_and_capture",
       "extension_component_google.json", Manifest::COMPONENT,
       Extension::NO_FLAGS);
-  EXPECT_TRUE(Allowed(extension.get(), http_url));
+  EXPECT_FALSE(Allowed(extension.get(), http_url));
+  EXPECT_TRUE(AllowedScript(extension.get(), http_url, http_url));
   EXPECT_TRUE(Blocked(extension.get(), https_url));
   EXPECT_TRUE(Blocked(extension.get(), file_url));
   EXPECT_TRUE(Blocked(extension.get(), settings_url));
   EXPECT_TRUE(Blocked(extension.get(), favicon_url));
   EXPECT_TRUE(Blocked(extension.get(), about_url));
   EXPECT_TRUE(Blocked(extension.get(), extension_url));
   EXPECT_FALSE(
       PermissionsData::HasHostPermission(extension.get(), settings_url));
 }
 
 TEST_F(ExtensionScriptAndCaptureVisibleTest, TabSpecific) {
   scoped_refptr<Extension> extension =
       LoadManifestStrict("script_and_capture", "tab_specific.json");
 
   EXPECT_FALSE(PermissionsData::GetTabSpecificPermissions(extension.get(), 0)
                    .get());
   EXPECT_FALSE(PermissionsData::GetTabSpecificPermissions(extension.get(), 1)
                    .get());
   EXPECT_FALSE(PermissionsData::GetTabSpecificPermissions(extension.get(), 2)
                    .get());
 
   std::set<GURL> no_urls;
 
-  EXPECT_TRUE(AllowedExclusivelyOnTab(extension.get(), no_urls, 0));
-  EXPECT_TRUE(AllowedExclusivelyOnTab(extension.get(), no_urls, 1));
-  EXPECT_TRUE(AllowedExclusivelyOnTab(extension.get(), no_urls, 2));
+  EXPECT_TRUE(ScriptAllowedExclusivelyOnTab(extension.get(), no_urls, 0));
+  EXPECT_TRUE(ScriptAllowedExclusivelyOnTab(extension.get(), no_urls, 1));
+  EXPECT_TRUE(ScriptAllowedExclusivelyOnTab(extension.get(), no_urls, 2));
 
   URLPatternSet allowed_hosts;
   allowed_hosts.AddPattern(URLPattern(URLPattern::SCHEME_ALL,
                                       http_url.spec()));
   std::set<GURL> allowed_urls;
   allowed_urls.insert(http_url);
   // http_url_with_path() will also be allowed, because Extension should be
   // considering the security origin of the URL not the URL itself, and
   // http_url is in allowed_hosts.
   allowed_urls.insert(http_url_with_path);
 
   {
     scoped_refptr<PermissionSet> permissions(
         new PermissionSet(APIPermissionSet(), ManifestPermissionSet(),
                           allowed_hosts, URLPatternSet()));
     PermissionsData::UpdateTabSpecificPermissions(
         extension.get(), 0, permissions);
     EXPECT_EQ(permissions->explicit_hosts(),
               PermissionsData::GetTabSpecificPermissions(extension.get(), 0)
                   ->explicit_hosts());
   }
 
-  EXPECT_TRUE(AllowedExclusivelyOnTab(extension.get(), allowed_urls, 0));
-  EXPECT_TRUE(AllowedExclusivelyOnTab(extension.get(), no_urls, 1));
-  EXPECT_TRUE(AllowedExclusivelyOnTab(extension.get(), no_urls, 2));
+  EXPECT_TRUE(ScriptAllowedExclusivelyOnTab(extension.get(), allowed_urls, 0));
+  EXPECT_TRUE(ScriptAllowedExclusivelyOnTab(extension.get(), no_urls, 1));
+  EXPECT_TRUE(ScriptAllowedExclusivelyOnTab(extension.get(), no_urls, 2));
 
   PermissionsData::ClearTabSpecificPermissions(extension.get(), 0);
   EXPECT_FALSE(PermissionsData::GetTabSpecificPermissions(extension.get(), 0)
                    .get());
 
-  EXPECT_TRUE(AllowedExclusivelyOnTab(extension.get(), no_urls, 0));
-  EXPECT_TRUE(AllowedExclusivelyOnTab(extension.get(), no_urls, 1));
-  EXPECT_TRUE(AllowedExclusivelyOnTab(extension.get(), no_urls, 2));
+  EXPECT_TRUE(ScriptAllowedExclusivelyOnTab(extension.get(), no_urls, 0));
+  EXPECT_TRUE(ScriptAllowedExclusivelyOnTab(extension.get(), no_urls, 1));
+  EXPECT_TRUE(ScriptAllowedExclusivelyOnTab(extension.get(), no_urls, 2));
 
   std::set<GURL> more_allowed_urls = allowed_urls;
   more_allowed_urls.insert(https_url);
   URLPatternSet more_allowed_hosts = allowed_hosts;
   more_allowed_hosts.AddPattern(URLPattern(URLPattern::SCHEME_ALL,
                                            https_url.spec()));
 
   {
     scoped_refptr<PermissionSet> permissions(
         new PermissionSet(APIPermissionSet(),  ManifestPermissionSet(),
                           allowed_hosts, URLPatternSet()));
     PermissionsData::UpdateTabSpecificPermissions(
         extension.get(), 0, permissions);
     EXPECT_EQ(permissions->explicit_hosts(),
               PermissionsData::GetTabSpecificPermissions(extension.get(), 0)
                   ->explicit_hosts());
 
     permissions = new PermissionSet(APIPermissionSet(),
                                     ManifestPermissionSet(),
                                     more_allowed_hosts,
                                     URLPatternSet());
     PermissionsData::UpdateTabSpecificPermissions(
         extension.get(), 1, permissions);
     EXPECT_EQ(permissions->explicit_hosts(),
               PermissionsData::GetTabSpecificPermissions(extension.get(), 1)
                   ->explicit_hosts());
   }
 
-  EXPECT_TRUE(AllowedExclusivelyOnTab(extension.get(), allowed_urls, 0));
-  EXPECT_TRUE(AllowedExclusivelyOnTab(extension.get(), more_allowed_urls, 1));
-  EXPECT_TRUE(AllowedExclusivelyOnTab(extension.get(), no_urls, 2));
+  EXPECT_TRUE(ScriptAllowedExclusivelyOnTab(extension.get(), allowed_urls, 0));
+  EXPECT_TRUE(
+      ScriptAllowedExclusivelyOnTab(extension.get(), more_allowed_urls, 1));
+  EXPECT_TRUE(ScriptAllowedExclusivelyOnTab(extension.get(), no_urls, 2));
 
   PermissionsData::ClearTabSpecificPermissions(extension.get(), 0);
   EXPECT_FALSE(PermissionsData::GetTabSpecificPermissions(extension.get(), 0)
                    .get());
 
-  EXPECT_TRUE(AllowedExclusivelyOnTab(extension.get(), no_urls, 0));
-  EXPECT_TRUE(AllowedExclusivelyOnTab(extension.get(), more_allowed_urls, 1));
-  EXPECT_TRUE(AllowedExclusivelyOnTab(extension.get(), no_urls, 2));
+  EXPECT_TRUE(ScriptAllowedExclusivelyOnTab(extension.get(), no_urls, 0));
+  EXPECT_TRUE(
+      ScriptAllowedExclusivelyOnTab(extension.get(), more_allowed_urls, 1));
+  EXPECT_TRUE(ScriptAllowedExclusivelyOnTab(extension.get(), no_urls, 2));
 
   PermissionsData::ClearTabSpecificPermissions(extension.get(), 1);
   EXPECT_FALSE(PermissionsData::GetTabSpecificPermissions(extension.get(), 1)
                    .get());
 
-  EXPECT_TRUE(AllowedExclusivelyOnTab(extension.get(), no_urls, 0));
-  EXPECT_TRUE(AllowedExclusivelyOnTab(extension.get(), no_urls, 1));
-  EXPECT_TRUE(AllowedExclusivelyOnTab(extension.get(), no_urls, 2));
+  EXPECT_TRUE(ScriptAllowedExclusivelyOnTab(extension.get(), no_urls, 0));
+  EXPECT_TRUE(ScriptAllowedExclusivelyOnTab(extension.get(), no_urls, 1));
+  EXPECT_TRUE(ScriptAllowedExclusivelyOnTab(extension.get(), no_urls, 2));
 }
 
 }  // namespace extensions