Index: chrome/renderer/extensions/user_script_slave.cc |
diff --git a/chrome/renderer/extensions/user_script_slave.cc b/chrome/renderer/extensions/user_script_slave.cc |
index bdaff10bb86692bbe69c3f3e69cadc438f90067c..46c586ce25cc8281acf27a72a3abd9e0d8f52a12 100644 |
--- a/chrome/renderer/extensions/user_script_slave.cc |
+++ b/chrome/renderer/extensions/user_script_slave.cc |
@@ -38,6 +38,7 @@ |
#include "url/gurl.h" |
using blink::WebFrame; |
+using blink::WebDocument; |
using blink::WebSecurityOrigin; |
using blink::WebSecurityPolicy; |
using blink::WebString; |
@@ -194,6 +195,34 @@ GURL UserScriptSlave::GetDataSourceURLForFrame(const WebFrame* frame) { |
return GURL(data_source->request().url()); |
} |
+GURL UserScriptSlave::GetEffectiveDocumentURL(const WebFrame* frame, |
+ const GURL& document_url, |
+ bool match_about_blank) { |
+ // Common scenario. If |match_about_blank| is false (as is the case in most |
+ // extensions), or if the frame is not an about:-page, just return |
+ // |document_url| (supposedly the URL of the frame). |
+ if (!match_about_blank || !document_url.SchemeIs(content::kAboutScheme)) |
+ return document_url; |
+ |
+ // Non-sandboxed about:blank and about:srcdoc pages inherit their security |
+ // origin from their parent frame/window. So, traverse the frame/window |
+ // hierarchy to find the closest non-about:-page and return its URL. |
+ const WebFrame* parent = frame; |
+ do { |
+ parent = parent->parent() ? parent->parent() : parent->opener(); |
+ } while (parent != NULL && |
+ GURL(parent->document().url()).SchemeIs(content::kAboutScheme)); |
+ |
+ if (parent) { |
+ // Only return the parent URL if the frame can access it. |
+ const WebDocument& parent_document = parent->document(); |
+ if (frame->document().securityOrigin().canAccess( |
+ parent_document.securityOrigin())) |
dcheng
2014/05/02 17:23:19
I believe this check should be inside the loop. Ot
not at google - send to devlin
2014/05/02 17:43:49
oh, good point.
robwu
2014/05/02 20:17:04
I've intentionally used do-while instead of while
not at google - send to devlin
2014/05/02 20:20:10
Such an ad network would be severely limiting its
robwu
2014/05/02 20:45:53
Actually, never mind this discussion. If an iframe
robwu
2014/05/07 21:52:55
Done.
|
+ return parent_document.url(); |
+ } |
+ return document_url; |
+} |
+ |
void UserScriptSlave::InjectScripts(WebFrame* frame, |
UserScript::RunLocation location) { |
GURL data_source_url = GetDataSourceURLForFrame(frame); |
@@ -224,12 +253,15 @@ void UserScriptSlave::InjectScripts(WebFrame* frame, |
if (!extension) |
continue; |
+ const GURL& document_url = GetEffectiveDocumentURL( |
+ frame, data_source_url, script->match_about_blank()); |
+ |
// Content scripts are not tab-specific. |
const int kNoTabId = -1; |
// We don't have a process id in this context. |
const int kNoProcessId = -1; |
if (!PermissionsData::CanExecuteScriptOnPage(extension, |
- data_source_url, |
+ document_url, |
frame->top()->document().url(), |
kNoTabId, |
script, |