Chromium Code Reviews| Index: chrome/renderer/extensions/user_script_slave.cc |
| diff --git a/chrome/renderer/extensions/user_script_slave.cc b/chrome/renderer/extensions/user_script_slave.cc |
| index bdaff10bb86692bbe69c3f3e69cadc438f90067c..6b89753ac0f66874ab2c417371d21df9c2eefef2 100644 |
| --- a/chrome/renderer/extensions/user_script_slave.cc |
| +++ b/chrome/renderer/extensions/user_script_slave.cc |
| @@ -38,6 +38,7 @@ |
| #include "url/gurl.h" |
| using blink::WebFrame; |
| +using blink::WebDocument; |
| using blink::WebSecurityOrigin; |
| using blink::WebSecurityPolicy; |
| using blink::WebString; |
| @@ -194,6 +195,38 @@ GURL UserScriptSlave::GetDataSourceURLForFrame(const WebFrame* frame) { |
| return GURL(data_source->request().url()); |
| } |
| +GURL UserScriptSlave::GetEffectiveDocumentURL(const WebFrame* frame, |
| + const GURL& document_url, |
| + bool match_about_blank) { |
| + if (!match_about_blank || !document_url.SchemeIs(content::kAboutScheme)) |
| + return document_url; |
| + |
| + // Scripts on about:blank and about:srcdoc can access their parent document, |
| + // so traverse the document tree until a non-about:blank frame is found. |
| + WebDocument originDocument = frame->document(); |
| + const WebSecurityOrigin securityOrigin = originDocument.securityOrigin(); |
|
not at google - send to devlin
2014/05/01 20:32:19
security_origin
robwu
2014/05/01 21:30:38
Done. Should I also use underscores for |parentDoc
not at google - send to devlin
2014/05/02 16:01:48
yep, thanks. always underscore style in Chromium (
|
| + WebFrame* parent = frame->parent() ? frame->parent() : frame->opener(); |
|
not at google - send to devlin
2014/05/01 20:32:19
nit: this big block is hard to read, perhaps a bla
|
| + // Note: The next loop body is usually run at most once. It is only repeated |
| + // when an about:-frame is embedded in another about:-frame. |
| + while (parent != NULL) { |
|
not at google - send to devlin
2014/05/01 20:32:19
i think this loop, whole function really, could be
|
| + WebDocument parentDocument = parent->document(); |
| + // Immediately stop traversing the document hierarchy when the page does |
| + // not have the permission to access its parent document. |
| + if (!securityOrigin.canAccess(parentDocument.securityOrigin())) |
| + return document_url; |
| + |
| + // Return the first accessible non-about: URL if found. |
| + GURL parentDocumentUrl(parentDocument.url()); |
| + if (!parentDocumentUrl.SchemeIs(content::kAboutScheme)) |
| + return parentDocumentUrl; |
| + |
| + originDocument = parentDocument; |
|
not at google - send to devlin
2014/05/01 20:32:19
you don't use this variable inside nor after the l
|
| + parent = parent->parent() ? parent->parent() : parent->opener(); |
| + } |
| + // A standalone top-level document, just return the original URL. |
| + return document_url; |
| +} |
| + |
| void UserScriptSlave::InjectScripts(WebFrame* frame, |
| UserScript::RunLocation location) { |
| GURL data_source_url = GetDataSourceURLForFrame(frame); |
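Review bot: The `while (parent != NULL)` loop in GetEffectiveDocumentURL has no guard against the parent/opener chain revisiting a frame. Following parent() can only go upward, but the fallback to opener() crosses between windows, and nothing visible in this hunk shows that opener links are acyclic. If two same-origin about: windows can end up in each other's opener chain, every iteration passes the canAccess check and the about-scheme test, so none of the returns is reached and the renderer spins. Recording visited frames and returning document_url on a repeat bounds the walk; this needs `<set>`, whose include lies outside the hunk.

```cpp
  std::set<const WebFrame*> visited;
  visited.insert(frame);
  WebFrame* parent = frame->parent() ? frame->parent() : frame->opener();
  while (parent != NULL) {
    // Stop if the parent/opener chain leads back to a frame already seen.
    if (!visited.insert(parent).second)
      return document_url;
    // … unchanged: origin access check and non-about: URL return …
    parent = parent->parent() ? parent->parent() : parent->opener();
  }
```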
| @@ -224,12 +257,15 @@ void UserScriptSlave::InjectScripts(WebFrame* frame, |
| if (!extension) |
| continue; |
| + const GURL& document_url = GetEffectiveDocumentURL( |
| + frame, data_source_url, script->match_about_blank()); |
| + |
| // Content scripts are not tab-specific. |
| const int kNoTabId = -1; |
| // We don't have a process id in this context. |
| const int kNoProcessId = -1; |
| if (!PermissionsData::CanExecuteScriptOnPage(extension, |
| - data_source_url, |
| + document_url, |
| frame->top()->document().url(), |
| kNoTabId, |
| script, |
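Review bot: Only the CanExecuteScriptOnPage call is switched to `document_url` here, while `data_source_url` is still what InjectScripts computes at the top, and the loop body between that line and this hunk is not visible. If the script's URL-pattern match in that unseen part still tests `data_source_url`, the pattern match and the permission check would be evaluated against different URLs for about: frames, so it is worth confirming both use the effective URL. Separately, `const GURL& document_url = GetEffectiveDocumentURL(...)` binds a reference to a by-value return; it is legal through lifetime extension, but `const GURL document_url = ...` says what is meant. The rest of the call and the function body continue outside the hunk.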