Fix web_accesible_resources enforcement for Site Isolation.

extensions/browser/extension_navigation_throttle.cc

+// Copyright 2016 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "extensions/browser/extension_navigation_throttle.h"
+
+#include "content/public/browser/browser_thread.h"
+#include "content/public/browser/navigation_handle.h"
+#include "content/public/browser/render_frame_host.h"
+#include "content/public/browser/web_contents.h"
+#include "extensions/browser/extension_registry.h"
+#include "extensions/common/constants.h"
+#include "extensions/common/extension.h"
+#include "extensions/common/extension_set.h"
+#include "extensions/common/manifest_handlers/web_accessible_resources_info.h"
+
+namespace extensions {
+
+ExtensionNavigationThrottle::ExtensionNavigationThrottle(
+    content::NavigationHandle* navigation_handle)
+    : content::NavigationThrottle(navigation_handle) {}
+
+ExtensionNavigationThrottle::~ExtensionNavigationThrottle() {}
+
+content::NavigationThrottle::ThrottleCheckResult
+ExtensionNavigationThrottle::WillStartRequest() {
+  DCHECK_CURRENTLY_ON(content::BrowserThread::UI);
+
+  // This method for now enforces only web_accessible_resources for navigations.
+  // Top-level navigations should always be allowed.
+  DCHECK(!navigation_handle()->IsInMainFrame());
+
+  // If the navigation is not to a chrome-extension:// URL, no need to perform
+  // any more checks.
+  if (!navigation_handle()->GetURL().SchemeIs(extensions::kExtensionScheme))
+    return content::NavigationThrottle::PROCEED;
+
+  // The subframe which is navigated needs to have all of its ancestors be
+  // at the same origin, otherwise the resource needs to be explicitly listed
+  // in web_accessible_resources.
+  // Since the RenderFrameHost is not known until navigation has committed,
+  // we can't get it from NavigationHandle. However, this code only cares about
+  // the ancestor chain, so find the current RenderFrameHost and use it to
+  // traverse up to the main frame.
+  std::vector<content::RenderFrameHost*> frames =
+      navigation_handle()->GetWebContents()->GetAllFrames();

[Devlin, 2016/06/03 22:22:45]

nit: I'd probably just inline this on line 47:
for (content::RenderFrameHost* frame :
navigation_handle()->GetWebContents()->GetAllFrames())

I'm actually surprised we don't have a method for this on NavigationHandle yet -
is it that rare to want to get the navigating frame?

[nasko, 2016/06/06 17:40:44]

It isn't rare, but you don't know which RenderFrameHost will be chosen to commit
the navigation until commit time. This is called before the request is even
sent, so you cannot get to RFH this early.
I hoped the comment above captures the notion of why doing it this way is safe,
as we don't really care about the RFH itself, but all of its parents, which will
not be changing.

+  content::RenderFrameHost* navigating_frame = nullptr;
+  for (auto frame : frames) {
+    if (frame->GetFrameTreeNodeId() ==
+        navigation_handle()->GetFrameTreeNodeId()) {
+      navigating_frame = frame;
+      break;
+    }
+  }
+  DCHECK(navigating_frame);
+
+  // Traverse the chain of parent frames, checking if they are the same origin
+  // as the URL of this navigation.
+  content::RenderFrameHost* ancestor = navigating_frame->GetParent();
+  bool external_ancestor = false;
+  while (ancestor) {
+    if (ancestor->GetLastCommittedURL().GetOrigin() !=
+        navigation_handle()->GetURL().GetOrigin()) {
+      // Ignore DevTools, as it is allowed to embed extension pages.
+      if (!ancestor->GetLastCommittedURL().SchemeIs("chrome-devtools")) {

[Devlin, 2016/06/03 22:22:45]

nit: content::kChromeDevToolsScheme

[nasko, 2016/06/06 17:40:44]

Thanks! Already done, but didn't upload.

+        external_ancestor = true;
+        break;
+      }
+    }
+    ancestor = ancestor->GetParent();
+  }
+
+  if (!external_ancestor)
+    return content::NavigationThrottle::PROCEED;
+
+  // Since there was at least one origin different than the navigation URL,
+  // explicitly check for the resource in web_accessible_resources.
+  std::string resource_path = navigation_handle()->GetURL().path();
+  extensions::ExtensionRegistry* registry = extensions::ExtensionRegistry::Get(

[Devlin, 2016/06/03 22:22:45]

no extensions:: prefix needed

[nasko, 2016/06/06 17:40:44]

Done.

+      navigation_handle()->GetWebContents()->GetBrowserContext());
+  const extensions::Extension* extension =
+      registry->enabled_extensions().GetByID(
+          navigation_handle()->GetURL().host());
+
+  if (extensions::WebAccessibleResourcesInfo::IsResourceWebAccessible(
+          extension, resource_path)) {
+    return content::NavigationThrottle::PROCEED;
+  }
+
+  return content::NavigationThrottle::BLOCK_REQUEST;
+}
+
+}  // namespace extensions