OLD | NEW |
1 // Copyright 2014 The Chromium Authors. All rights reserved. | 1 // Copyright 2014 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include "extensions/browser/url_request_util.h" | 5 #include "extensions/browser/url_request_util.h" |
6 | 6 |
7 #include <string> | 7 #include <string> |
8 | 8 |
9 #include "content/public/browser/resource_request_info.h" | 9 #include "content/public/browser/resource_request_info.h" |
10 #include "extensions/browser/guest_view/web_view/web_view_renderer_state.h" | 10 #include "extensions/browser/guest_view/web_view/web_view_renderer_state.h" |
(...skipping 21 matching lines...) |
32 std::string owner_extension_id; | 32 std::string owner_extension_id; |
33 int owner_process_id; | 33 int owner_process_id; |
34 WebViewRendererState::GetInstance()->GetOwnerInfo( | 34 WebViewRendererState::GetInstance()->GetOwnerInfo( |
35 info->GetChildID(), &owner_process_id, &owner_extension_id); | 35 info->GetChildID(), &owner_process_id, &owner_extension_id); |
36 const Extension* owner_extension = | 36 const Extension* owner_extension = |
37 extension_info_map->extensions().GetByID(owner_extension_id); | 37 extension_info_map->extensions().GetByID(owner_extension_id); |
38 std::string partition_id; | 38 std::string partition_id; |
39 bool is_guest = WebViewRendererState::GetInstance()->GetPartitionID( | 39 bool is_guest = WebViewRendererState::GetInstance()->GetPartitionID( |
40 info->GetChildID(), &partition_id); | 40 info->GetChildID(), &partition_id); |
41 std::string resource_path = request->url().path(); | 41 std::string resource_path = request->url().path(); |
| 42 |
42 // |owner_extension == extension| needs to be checked because extension | 43 // |owner_extension == extension| needs to be checked because extension |
43 // resources should only be accessible to WebViews owned by that extension. | 44 // resources should only be accessible to WebViews owned by that extension. |
44 if (is_guest && owner_extension == extension && | 45 if (is_guest && owner_extension == extension && |
45 WebviewInfo::IsResourceWebviewAccessible(extension, partition_id, | 46 WebviewInfo::IsResourceWebviewAccessible(extension, partition_id, |
46 resource_path)) { | 47 resource_path)) { |
47 *allowed = true; | 48 *allowed = true; |
48 return true; | 49 return true; |
49 } | 50 } |
50 | 51 |
51 // If the request is for navigations outside of webviews, then it should be | |
52 // allowed. The navigation logic in CrossSiteResourceHandler will properly | |
53 // transfer the navigation to a privileged process before it commits. | |
54 if (content::IsResourceTypeFrame(info->GetResourceType()) && !is_guest) { | |
55 *allowed = true; | |
56 return true; | |
57 } | |
58 | |
59 if (!ui::PageTransitionIsWebTriggerable(info->GetPageTransition())) { | 52 if (!ui::PageTransitionIsWebTriggerable(info->GetPageTransition())) { |
60 *allowed = false; | 53 *allowed = false; |
61 return true; | 54 return true; |
62 } | 55 } |
63 | 56 |
64 // The following checks require that we have an actual extension object. If we | 57 // The following checks require that we have an actual extension object. If we |
65 // don't have it, allow the request handling to continue with the rest of the | 58 // don't have it, allow the request handling to continue with the rest of the |
66 // checks. | 59 // checks. |
67 if (!extension) { | 60 if (!extension) { |
68 *allowed = true; | 61 *allowed = true; |
69 return true; | 62 return true; |
70 } | 63 } |
71 | 64 |
72 // Disallow loading of packaged resources for hosted apps. We don't allow | 65 // Disallow loading of packaged resources for hosted apps. We don't allow |
73 // hybrid hosted/packaged apps. The one exception is access to icons, since | 66 // hybrid hosted/packaged apps. The one exception is access to icons, since |
74 // some extensions want to be able to do things like create their own | 67 // some extensions want to be able to do things like create their own |
75 // launchers. | 68 // launchers. |
76 std::string resource_root_relative_path = | 69 std::string resource_root_relative_path = |
77 request->url().path().empty() ? std::string() | 70 request->url().path().empty() ? std::string() |
78 : request->url().path().substr(1); | 71 : request->url().path().substr(1); |
79 if (extension->is_hosted_app() && | 72 if (extension->is_hosted_app() && |
80 !IconsInfo::GetIcons(extension) | 73 !IconsInfo::GetIcons(extension) |
81 .ContainsPath(resource_root_relative_path)) { | 74 .ContainsPath(resource_root_relative_path)) { |
82 LOG(ERROR) << "Denying load of " << request->url().spec() << " from " | 75 LOG(ERROR) << "Denying load of " << request->url().spec() << " from " |
83 << "hosted app."; | 76 << "hosted app."; |
84 *allowed = false; | 77 *allowed = false; |
85 return true; | 78 return true; |
86 } | 79 } |
87 | 80 |
88 // Extensions with web_accessible_resources: allow loading by regular | 81 DCHECK_EQ(extension->url(), request->url().GetWithEmptyPath()); |
89 // renderers. Since not all subresources are required to be listed in a v2 | 82 |
90 // manifest, we must allow all loads if there are any web accessible | 83 // Extensions with manifest before v2 did not have web_accessible_resource |
91 // resources. See http://crbug.com/179127. | 84 // section, therefore the request needs to be allowed. |
92 if (extension->manifest_version() < 2 || | 85 if (extension->manifest_version() < 2) { |
| 86 *allowed = true; |
| 87 return true; |
| 88 } |
| 89 |
| 90 // Navigating the main frame to an extension URL is allowed, even if not |
| 91 // explicitly listed as web_accessible_resource. |
| 92 if (info->GetResourceType() == content::RESOURCE_TYPE_MAIN_FRAME) { |
| 93 *allowed = true; |
| 94 return true; |
| 95 } else if (info->GetResourceType() == content::RESOURCE_TYPE_SUB_FRAME) { |
| 96 // When navigating in subframe, allow if it is the same origin |
| 97 // as the top-level frame. This can only be the case if the subframe |
| 98 // request is coming from the extension process. |
| 99 if (extension_info_map->process_map().Contains(info->GetChildID())) { |
| 100 *allowed = true; |
| 101 return true; |
| 102 } |
| 103 |
| 104 // Also allow if the file is explicitly listed as a web_accessible_resource. |
| 105 if (WebAccessibleResourcesInfo::IsResourceWebAccessible(extension, |
| 106 resource_path)) { |
| 107 *allowed = true; |
| 108 return true; |
| 109 } |
| 110 } |
| 111 |
| 112 // Since not all subresources are required to be listed in a v2 |
| 113 // manifest, we must allow all subresource loads if there are any web |
| 114 // accessible resources. See http://crbug.com/179127. |
| 115 if (!content::IsResourceTypeFrame(info->GetResourceType()) && |
93 WebAccessibleResourcesInfo::HasWebAccessibleResources(extension)) { | 116 WebAccessibleResourcesInfo::HasWebAccessibleResources(extension)) { |
94 *allowed = true; | 117 *allowed = true; |
95 return true; | 118 return true; |
96 } | 119 } |
97 | 120 |
98 // Couldn't determine if the resource is allowed or not. | 121 // Couldn't determine if the resource is allowed or not. |
99 return false; | 122 return false; |
100 } | 123 } |
101 | 124 |
102 bool IsWebViewRequest(const net::URLRequest* request) { | 125 bool IsWebViewRequest(const net::URLRequest* request) { |
103 const content::ResourceRequestInfo* info = | 126 const content::ResourceRequestInfo* info = |
104 content::ResourceRequestInfo::ForRequest(request); | 127 content::ResourceRequestInfo::ForRequest(request); |
105 // |info| can be NULL sometimes: http://crbug.com/370070. | 128 // |info| can be NULL sometimes: http://crbug.com/370070. |
106 if (!info) | 129 if (!info) |
107 return false; | 130 return false; |
108 return WebViewRendererState::GetInstance()->IsGuest(info->GetChildID()); | 131 return WebViewRendererState::GetInstance()->IsGuest(info->GetChildID()); |
109 } | 132 } |
110 | 133 |
111 } // namespace url_request_util | 134 } // namespace url_request_util |
112 } // namespace extensions | 135 } // namespace extensions |
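Review bot: The new `RESOURCE_TYPE_MAIN_FRAME` branch (new lines 92-94) sets `*allowed = true` without consulting `is_guest`, whereas the removed frame check required `!is_guest`. Assuming a webview guest's top-level load is typed as a main frame, a guest that failed the `owner_extension == extension` / `IsResourceWebviewAccessible` test above is now allowed here for any manifest v2 extension. Unless another layer rejects that case, I would keep guests out of the branch with `if (!is_guest && info->GetResourceType() == content::RESOURCE_TYPE_MAIN_FRAME) {`, or deny guests explicitly right after the webview check. In the sub-frame branch, `process_map().Contains(info->GetChildID())` only establishes that the requester is some extension process, so `process_map().Contains(extension->id(), info->GetChildID())` would match the "same origin" comment. The `DCHECK_EQ` on `extension->url()` compiles out of release builds and should fail closed with `*allowed = false` if the later checks depend on it. The function begins in the skipped lines, so how callers treat these results is not visible here.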