chrome.webRequest support for ExtensionSettings

extensions/browser/api/web_request/web_request_api.cc

Index: extensions/browser/api/web_request/web_request_api.cc
diff --git a/extensions/browser/api/web_request/web_request_api.cc b/extensions/browser/api/web_request/web_request_api.cc
index d2e230904eab9a3009dd1badf2bc0149b903aa46..c04ced36354e476a8e9dfe9be204d22c93a3fb62 100644
--- a/extensions/browser/api/web_request/web_request_api.cc
+++ b/extensions/browser/api/web_request/web_request_api.cc
@@ -1499,6 +1499,18 @@ void ExtensionWebRequestEventRouter::GetMatchingListenersImpl(
               extension_info_map, listener->id.extension_id, url,
               frame_data.tab_id, crosses_incognito,
               WebRequestPermissions::REQUIRE_HOST_PERMISSION);
+
+      // Check if URL blocked from view/modification due to a policy protected
+      // origin.
+      if (extension_info_map) {
+        const extensions::Extension* extension =
+            extension_info_map->extensions().GetByID(listener->id.extension_id);

[Devlin, 2017/05/25 20:38:32]

Can we just put this in WebRequestPermissions::CanExtensionAccessURL?

[nrpeter, 2017/05/26 02:46:52]

I would like to but doing so would change the behavior of existing extensions
regardless of whether they are using the ExtensionSettings policy. 

It may be helpful to re-read #17 & #21

[Devlin, 2017/06/01 15:21:32]

I'm suggesting putting the entire block, including the IsRuntimeBlockedHost()
check, in WebRequestPermissions.  How would that change behavior?

[nrpeter, 2017/06/06 21:42:07]

Done.

+        if (request->initiator() &&
+            extension->permissions_data()->IsRuntimeBlockedHost(
+                request->initiator()->GetURLWithoutSuborigin()))
+          access = PermissionsData::ACCESS_DENIED;
+      }
+
       if (access != PermissionsData::ACCESS_ALLOWED) {
         if (access == PermissionsData::ACCESS_WITHHELD &&
             web_request_event_router_delegate_) {