Support webview tag when the container extension is embedded in a webUI

chrome/browser/chrome_content_browser_client.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "chrome/browser/chrome_content_browser_client.h"
 
 #include <set>
 #include <utility>
 #include <vector>
 
@@ skipping 108 matching lines @@
 #include "content/public/browser/child_process_data.h"
 #include "content/public/browser/child_process_security_policy.h"
 #include "content/public/browser/render_process_host.h"
 #include "content/public/browser/render_view_host.h"
 #include "content/public/browser/resource_context.h"
 #include "content/public/browser/site_instance.h"
 #include "content/public/browser/web_contents.h"
 #include "content/public/browser/web_contents_view.h"
 #include "content/public/common/child_process_host.h"
 #include "content/public/common/content_descriptors.h"
+#include "content/public/common/url_utils.h"
 #include "extensions/browser/view_type_utils.h"
 #include "extensions/common/constants.h"
 #include "extensions/common/switches.h"
 #include "grit/generated_resources.h"
 #include "grit/ui_resources.h"
 #include "net/base/escape.h"
 #include "net/base/mime_util.h"
 #include "net/cookies/canonical_cookie.h"
 #include "net/cookies/cookie_options.h"
 #include "net/ssl/ssl_cert_request_info.h"
@@ skipping 657 matching lines @@
   } else if (api_type == "webview") {
     *guest_delegate = new WebViewGuest(guest_web_contents);
   } else {
     NOTREACHED();
   }
 }
 
 void ChromeContentBrowserClient::GuestWebContentsAttached(
     WebContents* guest_web_contents,
     WebContents* embedder_web_contents,
+    const GURL& embedder_frame_url,
     const base::DictionaryValue& extra_params) {
   Profile* profile = Profile::FromBrowserContext(
       embedder_web_contents->GetBrowserContext());
   ExtensionService* service =
       extensions::ExtensionSystem::Get(profile)->extension_service();
   if (!service) {
     NOTREACHED();
     return;
   }
-  const GURL& url = embedder_web_contents->GetSiteInstance()->GetSiteURL();
-  const Extension* extension =
-      service->extensions()->GetExtensionOrAppByURL(url);
+
+  // Only trust |embedder_frame_url| reported by a WebUI renderer.

[Charlie Reis, 2013/09/13 21:17:24]

Let's be a little more explicit here.  Something like:

We usually require BrowserPlugins to be hosted by a storage isolated extension. 
We treat WebUI pages as a special case if they host the BrowserPlugin in a
component extension iframe.  In that case, we use the iframe's URL to determine
the extension.

[guohui, 2013/09/16 22:27:02]

Done.

+  const GURL& embedder_site_url =
+      embedder_web_contents->GetSiteInstance()->GetSiteURL();
+  const Extension* extension = service->extensions()->GetExtensionOrAppByURL(
+      content::HasWebUIScheme(embedder_site_url) ?
+          embedder_frame_url : embedder_site_url);
   if (!extension) {

[Charlie Reis, 2013/09/13 21:17:24]

Fady, would it make sense to add || !extension->is_storage_isolated() to this
check?  (Or perhaps it belongs in SupportsBrowserPlugin?)

If not, we might try to create a guest partition inside the default profile
directory, which would be very bad.

[guohui, 2013/09/16 22:27:02]

A webview (browser plugin) always has an isolated storage, regardless of the
isolation setting of the embedder ext/app. The partition is put under [profile
name]/storage/ext/[ext-id]/[partition-id].
https://code.google.com/p/chromium/codesearch#chromium/src/chrome/browser/chr...

Actually, storage isolation setting is only supported for apps, but not for
extensions (in the strict sense), so the check for is_stoarge_isolated does not
make sense for component extensions.

[Charlie Reis, 2013/09/18 17:42:23]

Ok.  Fady and I talked about this and skipping this check should be ok as long
as we explicitly support creating storage/ext/[ext-id] directories for
non-storage-isolated extensions when they can host guests.  This requires tests
and making sure that the directory won't be deleted on cleanup.  See
http://crbug.com/293722.

[guohui, 2013/09/19 13:48:41]

Can we address this issue in a separate CL?

[Charlie Reis, 2013/09/19 17:21:22]

Yes.  As we discussed on https://codereview.chromium.org/23653012/, the
StoragePartition management is a prerequisite to support webviews in WebUI and
component extensions in general.  As long as your component extension is the
only one on the whitelist and you're ok with the risk of bugs, we can proceed
with this independently of the fix for http://crbug.com/293722.

[guohui, 2013/09/19 17:59:11]

Done.

     // It's ok to return here, since we could be running a browser plugin
     // outside an extension, and don't need to attach a
     // BrowserPluginGuestDelegate in that case;
     // e.g. running with flag --enable-browser-plugin-for-all-view-types.
     return;
   }
 
   GuestView* guest = GuestView::FromWebContents(guest_web_contents);
   if (!guest) {
     NOTREACHED();
@@ skipping 1506 matching lines @@
   }
   return NULL;
 }
 
 bool ChromeContentBrowserClient::SupportsBrowserPlugin(
     content::BrowserContext* browser_context, const GURL& site_url) {
   if (CommandLine::ForCurrentProcess()->HasSwitch(
           switches::kEnableBrowserPluginForAllViewTypes))
     return true;
 
+  if (content::HasWebUIScheme(site_url))

[Charlie Reis, 2013/09/13 21:17:24]

Do we need all WebUI pages to be able to do this, or just particular ones that
we might be able to whitelist here?  There are enough requirements (e.g., must
host in an component extension iframe, extension must be storage isolated) that
I'm hesitant to open it up to all WebUI pages.

I'm also wondering if it's easy to check the embedder_frame_url here as you've
done above, or if that's difficult to pass in here.

[guohui, 2013/09/16 22:27:02]

As i replied to Fady, SupportsBrowserPlugin is called before RenderViewHost is
even created, so there is no way we could get the frame URL at this time point.

Also, this method is only called to determine whether the RenderViewHost should
monitor messages from guests, we have other checks in places that prevents
webview from creation outside of the context of a component extension with
webview permission declared.

[Charlie Reis, 2013/09/18 17:42:23]

Ok, let's skip the frame URL check.
Where are those checks?  Can we limit the support to particular WebUI URLs, or
is it necessary to support webviews in all WebUI processes?  I'd prefer to lock
it down to a whitelist if possible, since not all WebUI pages will have the
constraints you're relying on.  More general support will be possible with
out-of-process iframes.

[guohui, 2013/09/19 13:48:41]

I prefer to allows it for all WebUI URLs if possible. The reason is we want to
embed the gaia auth extension in any WebUI that needs to trigger inline signin
flow. To avoid unwanted use until general support is available,  i limited the
feature to whitelisted component extensions only in the CL 23530029.

[Charlie Reis, 2013/09/19 17:21:22]

Ok.  The whitelist in CL 23653012 should be sufficient.

[guohui, 2013/09/19 17:59:11]

Done.

+    return true;
+
   Profile* profile = Profile::FromBrowserContext(browser_context);
   ExtensionService* service =
       extensions::ExtensionSystem::Get(profile)->extension_service();
   if (!service)
     return false;
 
   const Extension* extension =
       service->extensions()->GetExtensionOrAppByURL(site_url);
   if (!extension)
     return false;
@@ skipping 181 matching lines @@
 #if defined(USE_NSS)
 crypto::CryptoModuleBlockingPasswordDelegate*
     ChromeContentBrowserClient::GetCryptoPasswordDelegate(
         const GURL& url) {
   return chrome::NewCryptoModuleBlockingDialogDelegate(
       chrome::kCryptoModulePasswordKeygen, url.host());
 }
 #endif
 
 }  // namespace chrome