Communicate ExtensionSettings policy to renderers

extensions/common/permissions/permissions_data.h

 // Copyright (c) 2013 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #ifndef EXTENSIONS_COMMON_PERMISSIONS_PERMISSIONS_DATA_H_
 #define EXTENSIONS_COMMON_PERMISSIONS_PERMISSIONS_DATA_H_
 
 #include <map>
 #include <memory>
 #include <string>
@@ skipping 64 matching lines @@
   // with the given |extension_id|.
   static bool ShouldSkipPermissionWarnings(const std::string& extension_id);
 
   // Returns true if the given |url| is restricted for the given |extension|,
   // as is commonly the case for chrome:// urls.
   // NOTE: You probably want to use CanAccessPage().
   static bool IsRestrictedUrl(const GURL& document_url,
                               const Extension* extension,
                               std::string* error);
 
+  // Check if a specific URL is blocked by policy from extension use at runtime.
+  bool IsRuntimeBlockedHost(const GURL& url) const;

[Devlin, 2016/11/23 17:22:56]

Why does this need to be public?

[nrpeter, 2017/01/02 19:57:45]

Not all API calls / events that disclose information about a particular website
/ tab / url require a host permission. For example, if an extension declares the
"webNavigation" permission it can spy on every webpage the user visits. This
could easily leak info about new projects, bearer tokens in URLs, etc.

In a later CL, we modify webNavigation to not emit events when the navigation is
to or from one of the URLs protected by this policy. This is detailed in the
go/limit-host-permissions doc that talks about this overall effort.

+
   // Locks the permissions data to the current thread. We don't do this on
   // construction, since extensions are initialized across multiple threads.
   void BindToCurrentThread() const;
 
   // Sets the runtime permissions of the given |extension| to |active| and
   // |withheld|.
   void SetPermissions(std::unique_ptr<const PermissionSet> active,
                       std::unique_ptr<const PermissionSet> withheld) const;
 
+  // Sets the runtime policy of the given |extension|.
+  void SetRuntimeBlockedAllowedHosts(
+      const URLPatternSet runtime_blocked_hosts,
+      const URLPatternSet runtime_allowed_hosts) const;
+
   // Sets the active permissions, leaving withheld the same.
   void SetActivePermissions(std::unique_ptr<const PermissionSet> active) const;
 
   // Updates the tab-specific permissions of |tab_id| to include those from
   // |permissions|.
   void UpdateTabSpecificPermissions(int tab_id,
                                     const PermissionSet& permissions) const;
 
   // Clears the tab-specific permissions of |tab_id|.
   void ClearTabSpecificPermissions(int tab_id) const;
@@ skipping 90 matching lines @@
   const PermissionSet& active_permissions() const {
     DCHECK(!thread_checker_ || thread_checker_->CalledOnValidThread());
     return *active_permissions_unsafe_;
   }
 
   const PermissionSet& withheld_permissions() const {
     DCHECK(!thread_checker_ || thread_checker_->CalledOnValidThread());
     return *withheld_permissions_unsafe_;
   }
 
+  const URLPatternSet& runtime_blocked_hosts() const {

[Devlin, 2016/11/23 17:22:56]

ditto

[nrpeter, 2017/01/02 19:57:45]

This is used during the renderer_startup_helper to provide an extension's
current list of blocked hosts to a new renderer.

+    DCHECK(!thread_checker_ || thread_checker_->CalledOnValidThread());
+    return runtime_blocked_hosts_unsafe_;
+  }
+
+  const URLPatternSet& runtime_allowed_hosts() const {
+    DCHECK(!thread_checker_ || thread_checker_->CalledOnValidThread());
+    return runtime_allowed_hosts_unsafe_;
+  }
+
 #if defined(UNIT_TEST)
   const PermissionSet* GetTabSpecificPermissionsForTesting(int tab_id) const {
     base::AutoLock auto_lock(runtime_lock_);
     return GetTabSpecificPermissions(tab_id);
   }
 #endif
 
  private:
   // Gets the tab-specific host permissions of |tab_id|, or NULL if there
   // aren't any.
@@ skipping 34 matching lines @@
   // active_permissions() accessor.
   mutable std::unique_ptr<const PermissionSet> active_permissions_unsafe_;
 
   // The permissions the extension requested, but was not granted due because
   // they are too powerful. This includes things like all_hosts.
   // Unsafe indicates that we must lock anytime this is directly accessed.
   // Unless you need to change |withheld_permissions_unsafe_|, use the (safe)
   // withheld_permissions() accessor.
   mutable std::unique_ptr<const PermissionSet> withheld_permissions_unsafe_;
 
+  // The list of hosts an extension may not interact with by policy.
+  // Unless you need to change |runtime_blocked_hosts_unsafe_|, use the (safe)
+  // runtime_blocked_hosts() accessor.
+  mutable URLPatternSet runtime_blocked_hosts_unsafe_;

[Devlin, 2016/11/23 17:22:56]

Do we need this for each extension?  It seems like almost all extensions will
use the default settings, so we shouldn't need to copy these over for every
single item when they're identical.  Could we have these *only* if they differ
from the default?

[nrpeter, 2017/01/02 19:57:45]

Done.

+
+  // The exclusive list of hosts an extension may interact with by policy.
+  // Unless you need to change |runtime_allowed_hosts_unsafe_|, use the (safe)
+  // runtime_allowed_hosts() accessor.
+  mutable URLPatternSet runtime_allowed_hosts_unsafe_;
+
   mutable TabPermissionsMap tab_specific_permissions_;
 
   mutable std::unique_ptr<base::ThreadChecker> thread_checker_;
 
   DISALLOW_COPY_AND_ASSIGN(PermissionsData);
 };
 
 }  // namespace extensions
 
 #endif  // EXTENSIONS_COMMON_PERMISSIONS_PERMISSIONS_DATA_H_