Fix extension bindings injection for iframes (reland)

extensions/renderer/script_context.cc

 // Copyright 2014 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "extensions/renderer/script_context.h"
 
-#include <memory>
-
 #include "base/command_line.h"
 #include "base/logging.h"
 #include "base/macros.h"
 #include "base/strings/string_split.h"
 #include "base/strings/string_util.h"
 #include "base/strings/stringprintf.h"
 #include "base/values.h"
 #include "content/public/child/v8_value_converter.h"
 #include "content/public/common/content_switches.h"
 #include "content/public/common/url_constants.h"
@@ skipping 82 matching lines @@
                              Feature::Context effective_context_type)
     : is_valid_(true),
       v8_context_(v8_context->GetIsolate(), v8_context),
       web_frame_(web_frame),
       extension_(extension),
       context_type_(context_type),
       effective_extension_(effective_extension),
       effective_context_type_(effective_context_type),
       safe_builtins_(this),
       isolate_(v8_context->GetIsolate()),
-      url_(web_frame_ ? GetDataSourceURLForFrame(web_frame_) : GURL()),
       runner_(new Runner(this)) {
   VLOG(1) << "Created context:\n" << GetDebugString();
   gin::PerContextData* gin_data = gin::PerContextData::From(v8_context);
   CHECK(gin_data);
   gin_data->set_runner(runner_.get());
+  if (web_frame_)
+    url_ = GetAccessCheckedFrameURL(web_frame_);
 }
 
 ScriptContext::~ScriptContext() {
   VLOG(1) << "Destroyed context for extension\n"
           << "  extension id: " << GetExtensionID() << "\n"
           << "  effective extension id: "
           << (effective_extension_.get() ? effective_extension_->id() : "");
   CHECK(!is_valid_) << "ScriptContexts must be invalidated before destruction";
 }
 
@@ skipping 147 matching lines @@
   // changes to match the parent document after Gmail document.writes into
   // it to create the editor.
   // http://code.google.com/p/chromium/issues/detail?id=86742
   blink::WebDataSource* data_source = frame->provisionalDataSource()
                                           ? frame->provisionalDataSource()
                                           : frame->dataSource();
   return data_source ? GURL(data_source->request().url()) : GURL();
 }
 
 // static
+GURL ScriptContext::GetAccessCheckedFrameURL(const blink::WebFrame* frame) {
+  const blink::WebURL& weburl = frame->document().url();
+  if (weburl.isEmpty()) {
+    blink::WebDataSource* data_source = frame->provisionalDataSource()
+                                            ? frame->provisionalDataSource()
+                                            : frame->dataSource();
+    if (data_source &&
+        frame->getSecurityOrigin().canAccess(
+            blink::WebSecurityOrigin::create(data_source->request().url()))) {
+      return GURL(data_source->request().url());
+    }
+  }
+  return GURL(weburl);
+}
+
+// static
 GURL ScriptContext::GetEffectiveDocumentURL(const blink::WebFrame* frame,
                                             const GURL& document_url,
                                             bool match_about_blank) {
   // Common scenario. If |match_about_blank| is false (as is the case in most
   // extensions), or if the frame is not an about:-page, just return
   // |document_url| (supposedly the URL of the frame).
   if (!match_about_blank || !document_url.SchemeIs(url::kAboutScheme))
     return document_url;
 
   // Non-sandboxed about:blank and about:srcdoc pages inherit their security
@@ skipping 191 matching lines @@
     v8::Local<v8::Value> argv[]) {
   return context_->CallFunction(function, argc, argv);
 }
 
 gin::ContextHolder* ScriptContext::Runner::GetContextHolder() {
   v8::HandleScope handle_scope(context_->isolate());
   return gin::PerContextData::From(context_->v8_context())->context_holder();
 }
 
 }  // namespace extensions