Chromium Code Reviews Chromium Code Reviews
Issue 2499493004:
Communicate ExtensionSettings policy to renderers (Closed)
| OLD | NEW |
|---|---|
| 1 // Copyright (c) 2013 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2013 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "extensions/common/permissions/permissions_data.h" | 5 #include "extensions/common/permissions/permissions_data.h" |
| 6 | 6 |
| 7 #include <algorithm> | 7 #include <algorithm> |
| 8 #include <utility> | 8 #include <utility> |
| 9 | 9 |
| 10 #include "base/command_line.h" | 10 #include "base/command_line.h" |
| (...skipping 69 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 80 bool PermissionsData::ShouldSkipPermissionWarnings( | 80 bool PermissionsData::ShouldSkipPermissionWarnings( |
| 81 const std::string& extension_id) { | 81 const std::string& extension_id) { |
| 82 // See http://b/4946060 for more details. | 82 // See http://b/4946060 for more details. |
| 83 return extension_id == extension_misc::kProdHangoutsExtensionId; | 83 return extension_id == extension_misc::kProdHangoutsExtensionId; |
| 84 } | 84 } |
| 85 | 85 |
| 86 // static | 86 // static |
| 87 bool PermissionsData::IsRestrictedUrl(const GURL& document_url, | 87 bool PermissionsData::IsRestrictedUrl(const GURL& document_url, |
| 88 const Extension* extension, | 88 const Extension* extension, |
| 89 std::string* error) { | 89 std::string* error) { |
| 90 if (extension && | |
| 91 extension->permissions_data()->IsRuntimeBlockedHost(document_url)) { | |
|
Devlin
2016/11/23 17:22:56
This isn't the same type of restricted url as the
nrpeter
2017/01/02 19:57:45
The idea was to block any manipulation of a webpag
| |
| 92 *error = manifest_errors::kCannotAccessPage; | |
| 93 return true; | |
| 94 } | |
| 90 if (extension && CanExecuteScriptEverywhere(extension)) | 95 if (extension && CanExecuteScriptEverywhere(extension)) |
| 91 return false; | 96 return false; |
| 92 | 97 |
| 93 // Check if the scheme is valid for extensions. If not, return. | 98 // Check if the scheme is valid for extensions. If not, return. |
| 94 if (!URLPattern::IsValidSchemeForExtensions(document_url.scheme()) && | 99 if (!URLPattern::IsValidSchemeForExtensions(document_url.scheme()) && |
| 95 document_url.spec() != url::kAboutBlankURL) { | 100 document_url.spec() != url::kAboutBlankURL) { |
| 96 if (error) { | 101 if (error) { |
| 97 if (extension->permissions_data()->active_permissions().HasAPIPermission( | 102 if (extension->permissions_data()->active_permissions().HasAPIPermission( |
| 98 APIPermission::kTab)) { | 103 APIPermission::kTab)) { |
| 99 *error = ErrorUtils::FormatErrorMessage( | 104 *error = ErrorUtils::FormatErrorMessage( |
| (...skipping 33 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 133 } | 138 } |
| 134 | 139 |
| 135 void PermissionsData::SetPermissions( | 140 void PermissionsData::SetPermissions( |
| 136 std::unique_ptr<const PermissionSet> active, | 141 std::unique_ptr<const PermissionSet> active, |
| 137 std::unique_ptr<const PermissionSet> withheld) const { | 142 std::unique_ptr<const PermissionSet> withheld) const { |
| 138 AutoLockOnValidThread lock(runtime_lock_, thread_checker_.get()); | 143 AutoLockOnValidThread lock(runtime_lock_, thread_checker_.get()); |
| 139 active_permissions_unsafe_ = std::move(active); | 144 active_permissions_unsafe_ = std::move(active); |
| 140 withheld_permissions_unsafe_ = std::move(withheld); | 145 withheld_permissions_unsafe_ = std::move(withheld); |
| 141 } | 146 } |
| 142 | 147 |
| 148 void PermissionsData::SetRuntimeBlockedAllowedHosts( | |
| 149 const URLPatternSet runtime_blocked_hosts, | |
| 150 const URLPatternSet runtime_allowed_hosts) const { | |
| 151 AutoLockOnValidThread lock(runtime_lock_, thread_checker_.get()); | |
| 152 runtime_blocked_hosts_unsafe_ = runtime_blocked_hosts; | |
| 153 runtime_allowed_hosts_unsafe_ = runtime_allowed_hosts; | |
| 154 } | |
| 155 | |
| 143 void PermissionsData::SetActivePermissions( | 156 void PermissionsData::SetActivePermissions( |
| 144 std::unique_ptr<const PermissionSet> active) const { | 157 std::unique_ptr<const PermissionSet> active) const { |
| 145 AutoLockOnValidThread lock(runtime_lock_, thread_checker_.get()); | 158 AutoLockOnValidThread lock(runtime_lock_, thread_checker_.get()); |
| 146 active_permissions_unsafe_ = std::move(active); | 159 active_permissions_unsafe_ = std::move(active); |
| 147 } | 160 } |
| 148 | 161 |
| 149 void PermissionsData::UpdateTabSpecificPermissions( | 162 void PermissionsData::UpdateTabSpecificPermissions( |
| 150 int tab_id, | 163 int tab_id, |
| 151 const PermissionSet& permissions) const { | 164 const PermissionSet& permissions) const { |
| 152 AutoLockOnValidThread lock(runtime_lock_, thread_checker_.get()); | 165 AutoLockOnValidThread lock(runtime_lock_, thread_checker_.get()); |
| (...skipping 48 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 201 URLPatternSet PermissionsData::GetEffectiveHostPermissions() const { | 214 URLPatternSet PermissionsData::GetEffectiveHostPermissions() const { |
| 202 base::AutoLock auto_lock(runtime_lock_); | 215 base::AutoLock auto_lock(runtime_lock_); |
| 203 URLPatternSet effective_hosts = active_permissions_unsafe_->effective_hosts(); | 216 URLPatternSet effective_hosts = active_permissions_unsafe_->effective_hosts(); |
| 204 for (const auto& val : tab_specific_permissions_) | 217 for (const auto& val : tab_specific_permissions_) |
| 205 effective_hosts.AddPatterns(val.second->effective_hosts()); | 218 effective_hosts.AddPatterns(val.second->effective_hosts()); |
| 206 return effective_hosts; | 219 return effective_hosts; |
| 207 } | 220 } |
| 208 | 221 |
| 209 bool PermissionsData::HasHostPermission(const GURL& url) const { | 222 bool PermissionsData::HasHostPermission(const GURL& url) const { |
| 210 base::AutoLock auto_lock(runtime_lock_); | 223 base::AutoLock auto_lock(runtime_lock_); |
| 211 return active_permissions_unsafe_->HasExplicitAccessToOrigin(url); | 224 return active_permissions_unsafe_->HasExplicitAccessToOrigin(url) && |
| 225 !IsRuntimeBlockedHost(url); | |
| 212 } | 226 } |
| 213 | 227 |
| 214 bool PermissionsData::HasEffectiveAccessToAllHosts() const { | 228 bool PermissionsData::HasEffectiveAccessToAllHosts() const { |
| 215 base::AutoLock auto_lock(runtime_lock_); | 229 base::AutoLock auto_lock(runtime_lock_); |
| 216 return active_permissions_unsafe_->HasEffectiveAccessToAllHosts(); | 230 return active_permissions_unsafe_->HasEffectiveAccessToAllHosts(); |
| 217 } | 231 } |
| 218 | 232 |
| 219 PermissionMessages PermissionsData::GetPermissionMessages() const { | 233 PermissionMessages PermissionsData::GetPermissionMessages() const { |
| 220 base::AutoLock auto_lock(runtime_lock_); | 234 base::AutoLock auto_lock(runtime_lock_); |
| 221 return PermissionMessageProvider::Get()->GetPermissionMessages( | 235 return PermissionMessageProvider::Get()->GetPermissionMessages( |
| (...skipping 98 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 320 if (tab_id >= 0) { | 334 if (tab_id >= 0) { |
| 321 const PermissionSet* tab_permissions = GetTabSpecificPermissions(tab_id); | 335 const PermissionSet* tab_permissions = GetTabSpecificPermissions(tab_id); |
| 322 if (tab_permissions && | 336 if (tab_permissions && |
| 323 tab_permissions->explicit_hosts().MatchesSecurityOrigin(url)) { | 337 tab_permissions->explicit_hosts().MatchesSecurityOrigin(url)) { |
| 324 return true; | 338 return true; |
| 325 } | 339 } |
| 326 } | 340 } |
| 327 return false; | 341 return false; |
| 328 } | 342 } |
| 329 | 343 |
| 344 bool PermissionsData::IsRuntimeBlockedHost(const GURL& url) const { | |
| 345 if (runtime_blocked_hosts_unsafe_.MatchesURL(url)) { | |
|
asargent_no_longer_on_chrome
2016/11/23 01:19:23
It seems like one of 2 things should happen here:
nrpeter
2017/01/02 19:57:45
I may need a little bit of help with this. I tried
| |
| 346 if (!runtime_allowed_hosts_unsafe_.MatchesURL(url)) | |
| 347 return true; | |
| 348 } | |
| 349 return false; | |
| 350 } | |
| 351 | |
| 330 PermissionsData::AccessType PermissionsData::CanRunOnPage( | 352 PermissionsData::AccessType PermissionsData::CanRunOnPage( |
| 331 const Extension* extension, | 353 const Extension* extension, |
| 332 const GURL& document_url, | 354 const GURL& document_url, |
| 333 int tab_id, | 355 int tab_id, |
| 334 const URLPatternSet& permitted_url_patterns, | 356 const URLPatternSet& permitted_url_patterns, |
| 335 const URLPatternSet& withheld_url_patterns, | 357 const URLPatternSet& withheld_url_patterns, |
| 336 std::string* error) const { | 358 std::string* error) const { |
| 337 runtime_lock_.AssertAcquired(); | 359 runtime_lock_.AssertAcquired(); |
| 338 if (g_policy_delegate && | 360 if (g_policy_delegate && |
| 339 !g_policy_delegate->CanExecuteScriptOnPage(extension, document_url, | 361 !g_policy_delegate->CanExecuteScriptOnPage(extension, document_url, |
| 340 tab_id, error)) { | 362 tab_id, error)) |
| 363 return ACCESS_DENIED; | |
| 364 | |
| 365 if (IsRuntimeBlockedHost(document_url)) { | |
| 366 if (error) | |
| 367 *error = manifest_errors::kCannotScriptPageByPolicy; | |
| 341 return ACCESS_DENIED; | 368 return ACCESS_DENIED; |
| 342 } | 369 } |
| 343 | 370 |
| 344 if (IsRestrictedUrl(document_url, extension, error)) | 371 if (IsRestrictedUrl(document_url, extension, error)) |
| 345 return ACCESS_DENIED; | 372 return ACCESS_DENIED; |
| 346 | 373 |
| 347 if (HasTabSpecificPermissionToExecuteScript(tab_id, document_url)) | 374 if (HasTabSpecificPermissionToExecuteScript(tab_id, document_url)) |
| 348 return ACCESS_ALLOWED; | 375 return ACCESS_ALLOWED; |
| 349 | 376 |
| 350 if (permitted_url_patterns.MatchesURL(document_url)) | 377 if (permitted_url_patterns.MatchesURL(document_url)) |
| 351 return ACCESS_ALLOWED; | 378 return ACCESS_ALLOWED; |
| 352 | 379 |
| 353 if (withheld_url_patterns.MatchesURL(document_url)) | 380 if (withheld_url_patterns.MatchesURL(document_url)) |
| 354 return ACCESS_WITHHELD; | 381 return ACCESS_WITHHELD; |
| 355 | 382 |
| 356 if (error) { | 383 if (error) { |
| 357 if (extension->permissions_data()->active_permissions().HasAPIPermission( | 384 if (extension->permissions_data()->active_permissions().HasAPIPermission( |
| 358 APIPermission::kTab)) { | 385 APIPermission::kTab)) { |
| 359 *error = ErrorUtils::FormatErrorMessage( | 386 *error = ErrorUtils::FormatErrorMessage( |
| 360 manifest_errors::kCannotAccessPageWithUrl, document_url.spec()); | 387 manifest_errors::kCannotAccessPageWithUrl, document_url.spec()); |
| 361 } else { | 388 } else { |
| 362 *error = manifest_errors::kCannotAccessPage; | 389 *error = manifest_errors::kCannotAccessPage; |
| 363 } | 390 } |
| 364 } | 391 } |
| 365 | 392 |
| 366 return ACCESS_DENIED; | 393 return ACCESS_DENIED; |
| 367 } | 394 } |
| 368 | 395 |
| 369 } // namespace extensions | 396 } // namespace extensions |
| OLD | NEW |
