Allow content script insertion on about:-URLs.

chrome/renderer/extensions/user_script_slave.cc

Index: chrome/renderer/extensions/user_script_slave.cc
diff --git a/chrome/renderer/extensions/user_script_slave.cc b/chrome/renderer/extensions/user_script_slave.cc
index bdaff10bb86692bbe69c3f3e69cadc438f90067c..c868de377517108e434bca797b51a20b495e5b73 100644
--- a/chrome/renderer/extensions/user_script_slave.cc
+++ b/chrome/renderer/extensions/user_script_slave.cc
@@ -38,6 +38,7 @@
 #include "url/gurl.h"
 
 using blink::WebFrame;
+using blink::WebDocument;
 using blink::WebSecurityOrigin;
 using blink::WebSecurityPolicy;
 using blink::WebString;
@@ -194,6 +195,31 @@ GURL UserScriptSlave::GetDataSourceURLForFrame(const WebFrame* frame) {
   return GURL(data_source->request().url());
 }
 
+GURL UserScriptSlave::GetEffectiveDocumentURL(const WebFrame* frame,
+                                              const GURL& document_url,
+                                              bool match_about_blank) {
+  if (!match_about_blank || !document_url.SchemeIs(content::kAboutScheme))
+    return document_url;
+
+  // Non-sandboxed about:blank and about:srcdoc pages inherit their security
+  // origin from their parent frame/window. So, traverse the frame/window
+  // hierarchy to find the closest non-about:-page and return its URL.
+  const WebFrame* parent = frame;
+  do {
+    parent = parent->parent() ? parent->parent() : parent->opener();
+  } while (parent != NULL &&
+           GURL(parent->document().url()).SchemeIs(content::kAboutScheme));
+

[not at google - send to devlin, 2014/05/02 16:01:48]

not quite sure about this. if we're in an non-about-blank iframe on the same
domain then |parent| will be the non-NULL parent at this point.

e.g. "google.com/foo" has an iframe to "google.com/bar".

then the "if (parent)" check will pass, and the "securityOrigin.canAccess" check
will pass, so we'll end up returning "google.com/bar" here when really it should
be "google.com/foo".

this might matter in practice, if an extension requests a content script to be
executed on "google.com/foo/*" with allFrames=true, it will end up being
injected into the google.com/bar iframe too. unless there are checks elsewhere,
which is very possible. not a big deal for security reasons, but, it's still
wrong.

[robwu, 2014/05/02 17:03:40]

If we're on a non-about:blank frame, then the code doesn't even reach this line.
This loop only runs for frames whose URL is about:blank. The caller of the
function explicitly passes the URL of the frame via |document_url|. If the
scheme is not "about:", then the function returns the same value again. I've
added a comment to emphasize this. 

+  if (parent) {
+    // Only return the parent URL if the frame can access it.
+    const WebDocument& parentDocument = parent->document();

[not at google - send to devlin, 2014/05/02 16:01:48]

as you pointed out, parent_document not parentDocument.

[robwu, 2014/05/02 17:03:40]

Done.

+    if (frame->document().securityOrigin().canAccess(
+            parentDocument.securityOrigin()))
+      return GURL(parentDocument.url());

[not at google - send to devlin, 2014/05/02 16:01:48]

WebURL has a GURL operator so you don't need the explicit GURL(..) constructor:

https://code.google.com/p/chromium/codesearch#chromium/src/third_party/WebKit...

[robwu, 2014/05/02 17:03:40]

Done.

+  }
+  return document_url;
+}
+
 void UserScriptSlave::InjectScripts(WebFrame* frame,
                                     UserScript::RunLocation location) {
   GURL data_source_url = GetDataSourceURLForFrame(frame);
@@ -224,12 +250,15 @@ void UserScriptSlave::InjectScripts(WebFrame* frame,
     if (!extension)
       continue;
 
+    const GURL& document_url = GetEffectiveDocumentURL(
+        frame, data_source_url, script->match_about_blank());
+
     // Content scripts are not tab-specific.
     const int kNoTabId = -1;
     // We don't have a process id in this context.
     const int kNoProcessId = -1;
     if (!PermissionsData::CanExecuteScriptOnPage(extension,
-                                                 data_source_url,
+                                                 document_url,
                                                  frame->top()->document().url(),
                                                  kNoTabId,
                                                  script,