Communicate ExtensionSettings policy to renderers

extensions/common/permissions/permissions_data.h

Index: extensions/common/permissions/permissions_data.h
diff --git a/extensions/common/permissions/permissions_data.h b/extensions/common/permissions/permissions_data.h
index 3b87e79bc393161819710e7d8cca9703cc0857e2..6ea3d02a57e1cca6d6d258e9cc9e6ed42cdff20d 100644
--- a/extensions/common/permissions/permissions_data.h
+++ b/extensions/common/permissions/permissions_data.h
@@ -82,6 +82,9 @@ class PermissionsData {
                               const Extension* extension,
                               std::string* error);
 
+  // Check if a specific URL is blocked by policy from extension use at runtime.
+  bool IsRuntimeBlockedHost(const GURL& url) const;

[Devlin, 2016/11/23 17:22:56]

Why does this need to be public?

[nrpeter, 2017/01/02 19:57:45]

Not all API calls / events that disclose information about a particular website
/ tab / url require a host permission. For example, if an extension declares the
"webNavigation" permission it can spy on every webpage the user visits. This
could easily leak info about new projects, bearer tokens in URLs, etc.

In a later CL, we modify webNavigation to not emit events when the navigation is
to or from one of the URLs protected by this policy. This is detailed in the
go/limit-host-permissions doc that talks about this overall effort.

+
   // Locks the permissions data to the current thread. We don't do this on
   // construction, since extensions are initialized across multiple threads.
   void BindToCurrentThread() const;
@@ -91,6 +94,11 @@ class PermissionsData {
   void SetPermissions(std::unique_ptr<const PermissionSet> active,
                       std::unique_ptr<const PermissionSet> withheld) const;
 
+  // Sets the runtime policy of the given |extension|.
+  void SetRuntimeBlockedAllowedHosts(
+      const URLPatternSet runtime_blocked_hosts,
+      const URLPatternSet runtime_allowed_hosts) const;
+
   // Sets the active permissions, leaving withheld the same.
   void SetActivePermissions(std::unique_ptr<const PermissionSet> active) const;
 
@@ -201,6 +209,16 @@ class PermissionsData {
     return *withheld_permissions_unsafe_;
   }
 
+  const URLPatternSet& runtime_blocked_hosts() const {

[Devlin, 2016/11/23 17:22:56]

ditto

[nrpeter, 2017/01/02 19:57:45]

This is used during the renderer_startup_helper to provide an extension's
current list of blocked hosts to a new renderer.

+    DCHECK(!thread_checker_ || thread_checker_->CalledOnValidThread());
+    return runtime_blocked_hosts_unsafe_;
+  }
+
+  const URLPatternSet& runtime_allowed_hosts() const {
+    DCHECK(!thread_checker_ || thread_checker_->CalledOnValidThread());
+    return runtime_allowed_hosts_unsafe_;
+  }
+
 #if defined(UNIT_TEST)
   const PermissionSet* GetTabSpecificPermissionsForTesting(int tab_id) const {
     base::AutoLock auto_lock(runtime_lock_);
@@ -255,6 +273,16 @@ class PermissionsData {
   // withheld_permissions() accessor.
   mutable std::unique_ptr<const PermissionSet> withheld_permissions_unsafe_;
 
+  // The list of hosts an extension may not interact with by policy.
+  // Unless you need to change |runtime_blocked_hosts_unsafe_|, use the (safe)
+  // runtime_blocked_hosts() accessor.
+  mutable URLPatternSet runtime_blocked_hosts_unsafe_;

[Devlin, 2016/11/23 17:22:56]

Do we need this for each extension?  It seems like almost all extensions will
use the default settings, so we shouldn't need to copy these over for every
single item when they're identical.  Could we have these *only* if they differ
from the default?

[nrpeter, 2017/01/02 19:57:45]

Done.

+
+  // The exclusive list of hosts an extension may interact with by policy.
+  // Unless you need to change |runtime_allowed_hosts_unsafe_|, use the (safe)
+  // runtime_allowed_hosts() accessor.
+  mutable URLPatternSet runtime_allowed_hosts_unsafe_;
+
   mutable TabPermissionsMap tab_specific_permissions_;
 
   mutable std::unique_ptr<base::ThreadChecker> thread_checker_;