Communicate ExtensionSettings policy to renderers

extensions/common/permissions/permissions_data.cc

Index: extensions/common/permissions/permissions_data.cc
diff --git a/extensions/common/permissions/permissions_data.cc b/extensions/common/permissions/permissions_data.cc
index 4025d23c0ff0096e075b60521ae95bb0b0e5675c..b1dc2e9e0f2636a2e592a30a2525a840ee3970ca 100644
--- a/extensions/common/permissions/permissions_data.cc
+++ b/extensions/common/permissions/permissions_data.cc
@@ -87,6 +87,11 @@ bool PermissionsData::ShouldSkipPermissionWarnings(
 bool PermissionsData::IsRestrictedUrl(const GURL& document_url,
                                       const Extension* extension,
                                       std::string* error) {
+  if (extension &&
+      extension->permissions_data()->IsRuntimeBlockedHost(document_url)) {

[Devlin, 2016/11/23 17:22:56]

This isn't the same type of restricted url as the rest here, and this is
redundant with the check in CanRunOnPage.

[nrpeter, 2017/01/02 19:57:45]

The idea was to block any manipulation of a webpage protected by this policy in
a way similar to the webstore. I was thinking there are some situations where
this is called instead of CanRunOnPage.

+    *error = manifest_errors::kCannotAccessPage;
+    return true;
+  }
   if (extension && CanExecuteScriptEverywhere(extension))
     return false;
 
@@ -140,6 +145,14 @@ void PermissionsData::SetPermissions(
   withheld_permissions_unsafe_ = std::move(withheld);
 }
 
+void PermissionsData::SetRuntimeBlockedAllowedHosts(
+    const URLPatternSet runtime_blocked_hosts,
+    const URLPatternSet runtime_allowed_hosts) const {
+  AutoLockOnValidThread lock(runtime_lock_, thread_checker_.get());
+  runtime_blocked_hosts_unsafe_ = runtime_blocked_hosts;
+  runtime_allowed_hosts_unsafe_ = runtime_allowed_hosts;
+}
+
 void PermissionsData::SetActivePermissions(
     std::unique_ptr<const PermissionSet> active) const {
   AutoLockOnValidThread lock(runtime_lock_, thread_checker_.get());
@@ -208,7 +221,8 @@ URLPatternSet PermissionsData::GetEffectiveHostPermissions() const {
 
 bool PermissionsData::HasHostPermission(const GURL& url) const {
   base::AutoLock auto_lock(runtime_lock_);
-  return active_permissions_unsafe_->HasExplicitAccessToOrigin(url);
+  return active_permissions_unsafe_->HasExplicitAccessToOrigin(url) &&
+         !IsRuntimeBlockedHost(url);
 }
 
 bool PermissionsData::HasEffectiveAccessToAllHosts() const {
@@ -327,6 +341,14 @@ bool PermissionsData::HasTabSpecificPermissionToExecuteScript(
   return false;
 }
 
+bool PermissionsData::IsRuntimeBlockedHost(const GURL& url) const {
+  if (runtime_blocked_hosts_unsafe_.MatchesURL(url)) {

[asargent_no_longer_on_chrome, 2016/11/23 01:19:23]

It seems like one of 2 things should happen here:

a) runtime_lock_ is held

b) use untime_blocked_hosts() to test against (instead of
runtime_blocked_hosts_unsafe_)

(same thing below for runtime_allowed_hosts_unsafe)

[nrpeter, 2017/01/02 19:57:45]

I may need a little bit of help with this. I tried making sure runtime_lock_ is
held and it works in most every test except for when a new extension is added.
Would you have 15 minutes to look at the trace of the issue?

+    if (!runtime_allowed_hosts_unsafe_.MatchesURL(url))
+      return true;
+  }
+  return false;
+}
+
 PermissionsData::AccessType PermissionsData::CanRunOnPage(
     const Extension* extension,
     const GURL& document_url,
@@ -337,7 +359,12 @@ PermissionsData::AccessType PermissionsData::CanRunOnPage(
   runtime_lock_.AssertAcquired();
   if (g_policy_delegate &&
       !g_policy_delegate->CanExecuteScriptOnPage(extension, document_url,
-                                                 tab_id, error)) {
+                                                 tab_id, error))
+    return ACCESS_DENIED;
+
+  if (IsRuntimeBlockedHost(document_url)) {
+    if (error)
+      *error = manifest_errors::kCannotScriptPageByPolicy;
     return ACCESS_DENIED;
   }