[Extensions] Add an access check before executing native code in the renderer

extensions/renderer/object_backed_native_handler.cc

 // Copyright 2014 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "extensions/renderer/object_backed_native_handler.h"
 
 #include <stddef.h>
 
 #include "base/logging.h"
 #include "base/memory/linked_ptr.h"
+#include "content/public/child/worker_thread.h"
 #include "extensions/renderer/console.h"
 #include "extensions/renderer/module_system.h"
 #include "extensions/renderer/script_context.h"
 #include "extensions/renderer/script_context_set.h"
+#include "extensions/renderer/v8_helpers.h"
 #include "v8/include/v8.h"
 
 namespace extensions {
 
 namespace {
 // Key for the base::Bound routed function.
 const char* kHandlerFunction = "handler_function";
+const char* kFeatureName = "feature_name";
 }  // namespace
 
 ObjectBackedNativeHandler::ObjectBackedNativeHandler(ScriptContext* context)
     : router_data_(context->isolate()),
       context_(context),
       object_template_(context->isolate(),
                        v8::ObjectTemplate::New(context->isolate())) {
 }
 
 ObjectBackedNativeHandler::~ObjectBackedNativeHandler() {
 }
 
 v8::Local<v8::Object> ObjectBackedNativeHandler::NewInstance() {
   return v8::Local<v8::ObjectTemplate>::New(GetIsolate(), object_template_)
       ->NewInstance();
 }
 
 // static
 void ObjectBackedNativeHandler::Router(
     const v8::FunctionCallbackInfo<v8::Value>& args) {
   v8::Isolate* isolate = args.GetIsolate();
   v8::HandleScope handle_scope(isolate);
   v8::Local<v8::Object> data = args.Data().As<v8::Object>();
   v8::Local<v8::Context> context = isolate->GetCurrentContext();
 
   v8::Local<v8::Value> handler_function_value;
+  v8::Local<v8::Value> feature_name_value;
   // See comment in header file for why we do this.
   if (!GetPrivate(context, data, kHandlerFunction, &handler_function_value) ||
-      handler_function_value->IsUndefined()) {
+      handler_function_value->IsUndefined() ||
+      !GetPrivate(context, data, kFeatureName, &feature_name_value) ||
+      !feature_name_value->IsString()) {
     ScriptContext* script_context =
         ScriptContextSet::GetContextByV8Context(context);
     console::Error(script_context ? script_context->GetRenderFrame() : nullptr,
                    "Extension view no longer exists");
     return;
   }
+
+  if (content::WorkerThread::GetCurrentId() == 0) {

[jochen (gone - plz use gerrit), 2016/03/31 15:13:50]

why is this check needed?

[Devlin, 2016/03/31 16:38:07]

There probably should have been a TODO here to figure out a way around this. 
Reason we need it right now is because we can't access ScriptContextSet() on the
worker thread.  Luckily, we also don't inject many bindings on the worker
thread, so this isn't as big of a deal.

I've added a comment/todo to that effect.

+    ScriptContext* script_context =
+        ScriptContextSet::GetContextByV8Context(context);
+    v8::Local<v8::String> feature_name_string =
+        feature_name_value->ToString(context).ToLocalChecked();
+    std::string feature_name = *v8::String::Utf8Value(feature_name_string);
+    if (script_context &&
+        !feature_name.empty() &&
+        !script_context->GetAvailability(feature_name).is_available()) {

[Devlin, 2016/03/30 22:02:28]

This check is kind of annoying - ideally we wouldn't have to worry about it. 
But it's gotten to the point where I'm thinking it might be better to just
default to doing it.

+      return;
+    }
+  }
   // This CHECK is *important*. Otherwise, we'll go around happily executing
   // something random.  See crbug.com/548273.
   CHECK(handler_function_value->IsExternal());
   static_cast<HandlerFunction*>(
       handler_function_value.As<v8::External>()->Value())->Run(args);
 }
 
 void ObjectBackedNativeHandler::RouteFunction(
     const std::string& name,
     const HandlerFunction& handler_function) {
+  RouteFunction(name, "", handler_function);
+}
+
+void ObjectBackedNativeHandler::RouteFunction(
+    const std::string& name,
+    const std::string& feature_name,
+    const HandlerFunction& handler_function) {
   v8::Isolate* isolate = v8::Isolate::GetCurrent();
   v8::HandleScope handle_scope(isolate);
   v8::Context::Scope context_scope(context_->v8_context());
 
   v8::Local<v8::Object> data = v8::Object::New(isolate);
   SetPrivate(data, kHandlerFunction,
              v8::External::New(isolate, new HandlerFunction(handler_function)));
+  SetPrivate(data, kFeatureName,
+             v8_helpers::ToV8StringUnsafe(isolate, feature_name));
   v8::Local<v8::FunctionTemplate> function_template =
       v8::FunctionTemplate::New(isolate, Router, data);
   v8::Local<v8::ObjectTemplate>::New(isolate, object_template_)
       ->Set(isolate, name.c_str(), function_template);
   router_data_.Append(data);
 }
 
 v8::Isolate* ObjectBackedNativeHandler::GetIsolate() const {
   return context_->isolate();
 }
@@ skipping 64 matching lines @@
                                               v8::Local<v8::Object> obj,
                                               const char* key) {
   obj->DeletePrivate(context,
                      v8::Private::ForApi(
                          context->GetIsolate(),
                          v8::String::NewFromUtf8(context->GetIsolate(), key)))
       .FromJust();
 }
 
 }  // namespace extensions