extensions/browser/api/web_request/web_request_permissions.cc - Issue 1658913002: Make extensions use a correct same-origin check.

Side by Side Diff: extensions/browser/api/web_request/web_request_permissions.cc

Issue 1658913002: Make extensions use a correct same-origin check. (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@master

Patch Set: Created 4 years, 10 months ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

View unified diff | Download patch

OLD	NEW
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.	1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.

2 // Use of this source code is governed by a BSD-style license that can be	2 // Use of this source code is governed by a BSD-style license that can be

3 // found in the LICENSE file.	3 // found in the LICENSE file.

4	4

5 #include "extensions/browser/api/web_request/web_request_permissions.h"	5 #include "extensions/browser/api/web_request/web_request_permissions.h"

6	6

7 #include "base/strings/string_util.h"	7 #include "base/strings/string_util.h"

8 #include "base/strings/stringprintf.h"	8 #include "base/strings/stringprintf.h"

9 #include "content/public/browser/resource_request_info.h"	9 #include "content/public/browser/resource_request_info.h"

10 #include "extensions/browser/guest_view/web_view/web_view_renderer_state.h"	10 #include "extensions/browser/guest_view/web_view/web_view_renderer_state.h"

11 #include "extensions/browser/info_map.h"	11 #include "extensions/browser/info_map.h"

12 #include "extensions/common/constants.h"	12 #include "extensions/common/constants.h"

13 #include "extensions/common/extension.h"	13 #include "extensions/common/extension.h"

14 #include "extensions/common/extension_urls.h"	14 #include "extensions/common/extension_urls.h"

15 #include "extensions/common/permissions/permissions_data.h"	15 #include "extensions/common/permissions/permissions_data.h"

16 #include "net/url_request/url_request.h"	16 #include "net/url_request/url_request.h"

17 #include "url/gurl.h"	17 #include "url/gurl.h"

	18 #include "url/origin.h"

18	19

19 using content::ResourceRequestInfo;	20 using content::ResourceRequestInfo;

20	21

21 namespace {	22 namespace {

22	23

23 // Returns true if the URL is sensitive and requests to this URL must not be	24 // Returns true if the URL is sensitive and requests to this URL must not be

24 // modified/canceled by extensions, e.g. because it is targeted to the webstore	25 // modified/canceled by extensions, e.g. because it is targeted to the webstore

25 // to check for updates, extension blacklisting, etc.	26 // to check for updates, extension blacklisting, etc.

26 bool IsSensitiveURL(const GURL& url) {	27 bool IsSensitiveURL(const GURL& url) {

27 // TODO(battre) Merge this, CanExtensionAccessURL and	28 // TODO(battre) Merge this, CanExtensionAccessURL and

(...skipping 95 matching lines...) Expand 10 before \| Expand all \| Expand 10 after Loading...
123 return false;	124 return false;

124	125

125 switch (host_permissions_check) {	126 switch (host_permissions_check) {

126 case DO_NOT_CHECK_HOST:	127 case DO_NOT_CHECK_HOST:

127 break;	128 break;

128 case REQUIRE_HOST_PERMISSION:	129 case REQUIRE_HOST_PERMISSION:

129 // about: URLs are not covered in host permissions, but are allowed	130 // about: URLs are not covered in host permissions, but are allowed

130 // anyway.	131 // anyway.

131 if (!((url.SchemeIs(url::kAboutScheme) \|\|	132 if (!((url.SchemeIs(url::kAboutScheme) \|\|

132 extension->permissions_data()->HasHostPermission(url) \|\|	133 extension->permissions_data()->HasHostPermission(url) \|\|

133 url.GetOrigin() == extension->url()))) {	134 url::Origin(url).IsSameOriginWith(

	135 url::Origin(extension->url()))))) {
	meacer 2016/02/02 01:35:08 While you are at it, do you mind applying De Morga While you are at it, do you mind applying De Morgan's law here? This seems a bit easier to reason about: if (url.SchemeIs(url::kAboutScheme) && !extension->permissions_data()->HasHostPermission(url) && !url::Origin(url).IsSameOriginWith(url::Origin(extension->url()) { return false; } palmer 2016/02/02 23:12:38 Good idea. But, it should be !url.SchemeIs(ur Show quoted text On 2016/02/02 01:35:08, Mustafa Emre Acer wrote: > While you are at it, do you mind applying De Morgan's law here? This seems a bit > easier to reason about: > > if (url.SchemeIs(url::kAboutScheme) && > !extension->permissions_data()->HasHostPermission(url) && > !url::Origin(url).IsSameOriginWith(url::Origin(extension->url()) { > return false; > } Good idea. But, it should be !url.SchemeIs(url::kAboutScheme) , right? meacer 2016/02/02 23:27:22 Sure :) Show quoted text On 2016/02/02 23:12:38, palmer wrote: > On 2016/02/02 01:35:08, Mustafa Emre Acer wrote: > > While you are at it, do you mind applying De Morgan's law here? This seems a > bit > > easier to reason about: > > > > if (url.SchemeIs(url::kAboutScheme) && > > !extension->permissions_data()->HasHostPermission(url) && > > !url::Origin(url).IsSameOriginWith(url::Origin(extension->url()) { > > return false; > > } > > Good idea. But, it should be > > !url.SchemeIs(url::kAboutScheme) > > , right? Sure :)
134 return false;	136 return false;

135 }	137 }

136 break;	138 break;

137 case REQUIRE_ALL_URLS:	139 case REQUIRE_ALL_URLS:

138 if (!extension->permissions_data()->HasEffectiveAccessToAllHosts())	140 if (!extension->permissions_data()->HasEffectiveAccessToAllHosts())

139 return false;	141 return false;

140 break;	142 break;

141 }	143 }

142	144

143 return true;	145 return true;

144 }	146 }

OLD	NEW

« no previous file with comments | « no previous file | extensions/browser/guest_view/extension_options/extension_options_guest.cc » ('j') | no next file with comments »