Communicate ExtensionSettings policy to renderers

extensions/renderer/dispatcher.cc

 // Copyright 2014 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "extensions/renderer/dispatcher.h"
 
 #include <stddef.h>
 
 #include <memory>
 #include <utility>
@@ skipping 916 matching lines @@
   IPC_MESSAGE_HANDLER(ExtensionMsg_SetScriptingWhitelist,
                       OnSetScriptingWhitelist)
   IPC_MESSAGE_HANDLER(ExtensionMsg_SetSystemFont, OnSetSystemFont)
   IPC_MESSAGE_HANDLER(ExtensionMsg_SetWebViewPartitionID,
                       OnSetWebViewPartitionID)
   IPC_MESSAGE_HANDLER(ExtensionMsg_ShouldSuspend, OnShouldSuspend)
   IPC_MESSAGE_HANDLER(ExtensionMsg_Suspend, OnSuspend)
   IPC_MESSAGE_HANDLER(ExtensionMsg_TransferBlobs, OnTransferBlobs)
   IPC_MESSAGE_HANDLER(ExtensionMsg_Unloaded, OnUnloaded)
   IPC_MESSAGE_HANDLER(ExtensionMsg_UpdatePermissions, OnUpdatePermissions)
+  IPC_MESSAGE_HANDLER(ExtensionMsg_UpdateDefaultPolicyHostRestrictions,
+                      OnUpdateDefaultPolicyHostRestrictions)
   IPC_MESSAGE_HANDLER(ExtensionMsg_UpdateTabSpecificPermissions,
                       OnUpdateTabSpecificPermissions)
   IPC_MESSAGE_HANDLER(ExtensionMsg_ClearTabSpecificPermissions,
                       OnClearTabSpecificPermissions)
   IPC_MESSAGE_HANDLER(ExtensionMsg_SetActivityLoggingEnabled,
                       OnSetActivityLoggingEnabled)
   IPC_MESSAGE_FORWARD(ExtensionMsg_WatchPages,
                       content_watcher_.get(),
                       ContentWatcher::OnWatchPages)
   IPC_MESSAGE_UNHANDLED(handled = false)
@@ skipping 109 matching lines @@
   for (const auto& param : loaded_extensions) {
     std::string error;
     scoped_refptr<const Extension> extension = param.ConvertToExtension(&error);
     if (!extension.get()) {
       NOTREACHED() << error;
       // Note: in tests |param.id| has been observed to be empty (see comment
       // just below) so this isn't all that reliable.
       extension_load_errors_[param.id] = error;
       continue;
     }
-
     RendererExtensionRegistry* extension_registry =
         RendererExtensionRegistry::Get();
     // TODO(kalman): This test is deliberately not a CHECK (though I wish it
     // could be) and uses extension->id() not params.id:
     // 1. For some reason params.id can be empty. I've only seen it with
     //    the webstore extension, in tests, and I've spent some time trying to
     //    figure out why - but cost/benefit won.
     // 2. The browser only sends this IPC to RenderProcessHosts once, but the
     //    Dispatcher is attached to a RenderThread. Presumably there is a
     //    mismatch there. In theory one would think it's possible for the
     //    browser to figure this out itself - but again, cost/benefit.
     if (!extension_registry->Insert(extension)) {
       // TODO(devlin): This may be fixed by crbug.com/528026. Monitor, and
       // consider making this a release CHECK.
       NOTREACHED();
     }
+    extension->permissions_data()->SetPolicyHostRestrictions(
+        param.runtime_blocked_hosts, param.runtime_allowed_hosts,
+        param.is_default_runtime_blocked_allowed_hosts);
   }
 
   // Update the available bindings for all contexts. These may have changed if
   // an externally_connectable extension was loaded that can connect to an
   // open webpage.
-  UpdateBindings("");
+  UpdateBindings(std::string());
 }
 
 void Dispatcher::OnMessageInvoke(const std::string& extension_id,
                                  const std::string& module_name,
                                  const std::string& function_name,
                                  const base::ListValue& args,
                                  bool user_gesture) {
   InvokeModuleSystemMethod(
       NULL, extension_id, module_name, function_name, args, user_gesture);
 }
@@ skipping 81 matching lines @@
 
   // Invalidates the messages map for the extension in case the extension is
   // reloaded with a new messages map.
   EraseL10nMessagesMap(id);
 
   // We don't do anything with existing platform-app stylesheets. They will
   // stay resident, but the URL pattern corresponding to the unloaded
   // extension's URL just won't match anything anymore.
 }
 
+void Dispatcher::OnUpdateDefaultPolicyHostRestrictions(
+    const ExtensionMsg_UpdateDefaultPolicyHostRestrictions_Params& params) {
+  PermissionsData::SetDefaultPolicyHostRestrictions(
+      params.default_runtime_blocked_hosts,
+      params.default_runtime_allowed_hosts);
+  UpdateBindings(std::string());
+}
+
 void Dispatcher::OnUpdatePermissions(
     const ExtensionMsg_UpdatePermissions_Params& params) {
   const Extension* extension =
       RendererExtensionRegistry::Get()->GetByID(params.extension_id);
   if (!extension)
     return;
 
   std::unique_ptr<const PermissionSet> active =
       params.active_permissions.ToPermissionSet();
   std::unique_ptr<const PermissionSet> withheld =
       params.withheld_permissions.ToPermissionSet();
 
   UpdateOriginPermissions(
       extension->url(),
       extension->permissions_data()->GetEffectiveHostPermissions(),
       active->effective_hosts());
 
   extension->permissions_data()->SetPermissions(std::move(active),
                                                 std::move(withheld));
+  URLPatternSet runtime_blocked_hosts;
+  URLPatternSet runtime_allowed_hosts;
+  if (!params.uses_default_policy_host_restrictions) {
+    runtime_blocked_hosts = params.runtime_blocked_hosts;

[Devlin, 2017/02/14 23:17:10]

won't params.runtime_blocked_hosts be empty if
params.uses_default_policy_host_restrictions is true?

So can't we just do SetPolicyHostRestrictions(params.blocked, params.allowed,
params.uses_default)?

[nrpeter, 2017/03/22 23:47:39]

We could, but SetPolicyHostRestrictions has to acquire a lock before proceeding.
I figured it'd be better performance wise to avoid that if possible.

[Devlin, 2017/03/29 21:36:49]

We unconditionally call SetPolicyHostRestrictions(), though, don't we?  It's not
conditional based on the if on line 1223.  So all we're doing here is creating
an extra URLPatternSet and causing a potentially-expensive copy when there are
policy restrictions.  Or am I missing something?

[nrpeter, 2017/03/30 00:06:05]

Done.

+    runtime_allowed_hosts = params.runtime_allowed_hosts;
+  }
+  extension->permissions_data()->SetPolicyHostRestrictions(
+      runtime_blocked_hosts, runtime_allowed_hosts,
+      params.uses_default_policy_host_restrictions);
   UpdateBindings(extension->id());
 }
 
 void Dispatcher::OnUpdateTabSpecificPermissions(const GURL& visible_url,
                                                 const std::string& extension_id,
                                                 const URLPatternSet& new_hosts,
                                                 bool update_origin_whitelist,
                                                 int tab_id) {
   const Extension* extension =
       RendererExtensionRegistry::Get()->GetByID(extension_id);
@@ skipping 431 matching lines @@
   // The "guestViewDeny" module must always be loaded last. It registers
   // error-providing custom elements for the GuestView types that are not
   // available, and thus all of those types must have been checked and loaded
   // (or not loaded) beforehand.
   if (context_type == Feature::BLESSED_EXTENSION_CONTEXT) {
     module_system->Require("guestViewDeny");
   }
 }
 
 }  // namespace extensions