Prevent module system from loading arbitrary modules

extensions/renderer/resources/binding.js

Index: extensions/renderer/resources/binding.js
diff --git a/extensions/renderer/resources/binding.js b/extensions/renderer/resources/binding.js
index 0c96fce85dbd7fce8c442fc1fd610a2e8cfca9ad..16f09d26b79f3d6f8b5d5d7dcc6725f7c70c4663 100644
--- a/extensions/renderer/resources/binding.js
+++ b/extensions/renderer/resources/binding.js
@@ -164,6 +164,19 @@ function createCustomType(type) {
   var jsModuleName = type.js_module;
   logging.CHECK(jsModuleName, 'Custom type ' + type.id +
                 ' has no "js_module" property.');
+  // This list contains all types that has a js_module property. It is ugly to
+  // hard-code them here, but the number of APIs that use js_module has not
+  // changed since the introduction of js_modules in crbug.com/222156.
+  // This whitelist serves as an extra line of defence to avoid exposing
+  // arbitrary extension modules when the |type| definition is poisoned.
+  var whitelistedModules = [
+    'ChromeDirectSetting',
+    'ChromeSetting',
+    'ContentSetting',
+    'StorageArea',
+  ];
+  logging.CHECK($Array.indexOf(whitelistedModules, jsModuleName) !== -1,
+                'Module ' + jsModuleName + ' does not define a custom type.');
   var jsModule = require(jsModuleName);
   logging.CHECK(jsModule, 'No module ' + jsModuleName + ' found for ' +
                 type.id + '.');