Allow content script insertion on about:-URLs.

chrome/renderer/extensions/user_script_slave.cc

Index: chrome/renderer/extensions/user_script_slave.cc
diff --git a/chrome/renderer/extensions/user_script_slave.cc b/chrome/renderer/extensions/user_script_slave.cc
index bdaff10bb86692bbe69c3f3e69cadc438f90067c..f4a3e429d9572485ece71b76d8894ef2b40de25e 100644
--- a/chrome/renderer/extensions/user_script_slave.cc
+++ b/chrome/renderer/extensions/user_script_slave.cc
@@ -194,6 +194,18 @@ GURL UserScriptSlave::GetDataSourceURLForFrame(const WebFrame* frame) {
   return GURL(data_source->request().url());
 }
 
+GURL UserScriptSlave::GetOriginURLForFrame(const WebFrame* frame) {
+  // All pages served with the about:-scheme inherit the security origin from
+  // their parent document (i.e. either the page that contains the document or
+  // the page that opened a new window containing this page).
+  // If this parent document is accessible by the extension, then access to
+  // the about:-frame is allowed if the extension has requested access to it.
+  GURL document_origin_url(frame->document().securityOrigin().toString());
+  if (document_origin_url.is_valid())
+    return document_origin_url;
+  return frame->document().url().GetOrigin();
+}
+
 void UserScriptSlave::InjectScripts(WebFrame* frame,
                                     UserScript::RunLocation location) {
   GURL data_source_url = GetDataSourceURLForFrame(frame);
@@ -224,15 +236,27 @@ void UserScriptSlave::InjectScripts(WebFrame* frame,
     if (!extension)
       continue;
 
+    const bool is_about_scheme =
+        data_source_url.SchemeIs(content::kAboutScheme);
+    if (is_about_scheme) {
+      if (!script->match_about_blank())
+        continue;
+      data_source_url = GetOriginURLForFrame(frame);
+    }
+
     // Content scripts are not tab-specific.
     const int kNoTabId = -1;
     // We don't have a process id in this context.
     const int kNoProcessId = -1;
+    // If the page is about:blank, pass NULL instead of a UserScript. This
+    // ensures that the URL is checked against the extension's host permissions
+    // instead of the script's URL patterns.
+    const UserScript* script_or_null = is_about_scheme ? NULL : script;

[not at google - send to devlin, 2014/04/21 22:34:41]

I see. a bit of a hack to assume that's what the implementation of
CanExecuteScriptOnPage does.

it will end up querying GetActivePermissions:
https://code.google.com/p/chromium/codesearch#chromium/src/extensions/common/...
has that added the content script permissions at that point? I'm not sure, but
if not, this code won't work for manifest-declared content scripts.

I don't really understand why this needs to have a special case.

[robwu, 2014/04/21 23:21:46]

I disliked the alternative (adding yet another (boolean) parameter to
CanExecuteScriptOnPage).
See my reply to your other comment.
The intention is to always match as many about:blank pages as possible, based on
the origin and host permissions. The initial implementation (inserting on about
blank depending on the matches pattern did not work (because "about:"

[not at google - send to devlin, 2014/04/21 23:37:39]

We're in this code because we're running a declared content script, so we should
be using the content script's permission checking not the host permissions.

[robwu, 2014/04/22 13:29:52]

Submitted patch to Blink so I can get rid of this hack by using inheritedURL()
instead of securityOrigin() - https://codereview.chromium.org/246433004/.

     if (!PermissionsData::CanExecuteScriptOnPage(extension,
                                                  data_source_url,
                                                  frame->top()->document().url(),
                                                  kNoTabId,
-                                                 script,
+                                                 script_or_null,
                                                  kNoProcessId,
                                                  NULL)) {
       continue;