
Unified Diff: extensions/common/permissions/permissions_data.cc

Issue 2499493004: Communicate ExtensionSettings policy to renderers (Closed)
Patch Set: Style fixes, prevent heap leak. Created 3 years, 10 months ago
Index: extensions/common/permissions/permissions_data.cc
diff --git a/extensions/common/permissions/permissions_data.cc b/extensions/common/permissions/permissions_data.cc
index 4025d23c0ff0096e075b60521ae95bb0b0e5675c..2f954fecb3795ae268dc6633f9df81ac1d675cf6 100644
--- a/extensions/common/permissions/permissions_data.cc
+++ b/extensions/common/permissions/permissions_data.cc
@@ -29,6 +29,13 @@ namespace extensions {
namespace {
PermissionsData::PolicyDelegate* g_policy_delegate = nullptr;
+// URLs an extension can't interact with. Overridden by
+// runtime_blocked_hosts of an individual extension's PermissionsData.
+URLPatternSet* default_runtime_blocked_hosts_unsafe_ = nullptr;
Devlin 2017/02/14 23:17:10 I think I'd prefer these to be stored in a struct
Devlin 2017/02/14 23:17:10 the trailing _ is used for member variables; this
nrpeter 2017/03/22 23:47:39 Done.
nrpeter 2017/03/22 23:47:39 Done.
+// URLs an extension can interact with regardless of
+// default_runtime_blocked_hosts_unsafe. Overridden by
+// runtime_allowed_hosts of an individual extension's PermissionsData.
+URLPatternSet* default_runtime_allowed_hosts_unsafe_ = nullptr;
class AutoLockOnValidThread {
public:
@@ -87,6 +94,11 @@ bool PermissionsData::ShouldSkipPermissionWarnings(
bool PermissionsData::IsRestrictedUrl(const GURL& document_url,
const Extension* extension,
std::string* error) {
+ if (extension &&
+ extension->permissions_data()->IsRuntimeBlockedHost(document_url)) {
+ *error = manifest_errors::kCannotAccessPage;
+ return true;
+ }
if (extension && CanExecuteScriptEverywhere(extension))
return false;
@@ -127,6 +139,35 @@ bool PermissionsData::IsRestrictedUrl(const GURL& document_url,
return false;
}
+bool PermissionsData::UsesDefaultPolicyHostRestrictions() const {
+ DCHECK(!thread_checker_ || thread_checker_->CalledOnValidThread());
+ return uses_default_policy_host_restrictions_;
+}
+
+const URLPatternSet& PermissionsData::default_runtime_blocked_hosts() {
+ if (!default_runtime_blocked_hosts_unsafe_)
+ default_runtime_blocked_hosts_unsafe_ = new URLPatternSet();
+ return *default_runtime_blocked_hosts_unsafe_;
+}
+
+const URLPatternSet& PermissionsData::default_runtime_allowed_hosts() {
+ if (!default_runtime_allowed_hosts_unsafe_)
+ default_runtime_allowed_hosts_unsafe_ = new URLPatternSet();
+ return *default_runtime_allowed_hosts_unsafe_;
+}
+
+const URLPatternSet& PermissionsData::runtime_blocked_hosts() const {
Devlin 2017/02/14 23:17:10 We should check thread access here.
nrpeter 2017/03/22 23:47:39 Done.
+ if (uses_default_policy_host_restrictions_)
+ return default_runtime_blocked_hosts();
+ return runtime_blocked_hosts_unsafe_;
+}
+
+const URLPatternSet& PermissionsData::runtime_allowed_hosts() const {
+ if (uses_default_policy_host_restrictions_)
+ return default_runtime_allowed_hosts();
+ return runtime_allowed_hosts_unsafe_;
+}
+
void PermissionsData::BindToCurrentThread() const {
DCHECK(!thread_checker_);
thread_checker_.reset(new base::ThreadChecker());
@@ -140,6 +181,31 @@ void PermissionsData::SetPermissions(
withheld_permissions_unsafe_ = std::move(withheld);
}
+void PermissionsData::SetPolicyHostRestrictions(
+ const URLPatternSet& runtime_blocked_hosts,
+ const URLPatternSet& runtime_allowed_hosts,
+ const bool uses_default_policy_host_restrictions) const {
+ AutoLockOnValidThread lock(runtime_lock_, thread_checker_.get());
+ runtime_blocked_hosts_unsafe_ = runtime_blocked_hosts;
+ runtime_allowed_hosts_unsafe_ = runtime_allowed_hosts;
+ uses_default_policy_host_restrictions_ =
+ uses_default_policy_host_restrictions;
+}
+
+// static
+void PermissionsData::SetDefaultPolicyHostRestrictions(
+ const URLPatternSet& default_runtime_blocked_hosts,
+ const URLPatternSet& default_runtime_allowed_hosts) {
+ URLPatternSet* old_blocked = default_runtime_blocked_hosts_unsafe_;
+ default_runtime_blocked_hosts_unsafe_ =
+ new URLPatternSet(default_runtime_blocked_hosts);
+ delete old_blocked;
+ URLPatternSet* old_allowed = default_runtime_allowed_hosts_unsafe_;
+ default_runtime_allowed_hosts_unsafe_ =
+ new URLPatternSet(default_runtime_allowed_hosts);
+ delete old_allowed;
+}
+
void PermissionsData::SetActivePermissions(
std::unique_ptr<const PermissionSet> active) const {
AutoLockOnValidThread lock(runtime_lock_, thread_checker_.get());
@@ -208,7 +274,8 @@ URLPatternSet PermissionsData::GetEffectiveHostPermissions() const {
bool PermissionsData::HasHostPermission(const GURL& url) const {
base::AutoLock auto_lock(runtime_lock_);
- return active_permissions_unsafe_->HasExplicitAccessToOrigin(url);
+ return active_permissions_unsafe_->HasExplicitAccessToOrigin(url) &&
+ !IsRuntimeBlockedHost(url);
}
bool PermissionsData::HasEffectiveAccessToAllHosts() const {
@@ -327,6 +394,11 @@ bool PermissionsData::HasTabSpecificPermissionToExecuteScript(
return false;
}
+bool PermissionsData::IsRuntimeBlockedHost(const GURL& url) const {
+ return runtime_blocked_hosts().MatchesURL(url) &&
Devlin 2017/02/14 23:17:10 we can use the sets directly here.
nrpeter 2017/03/22 23:47:39 If we did, we'd end up duplicating the code to che
+ !runtime_allowed_hosts().MatchesURL(url);
+}
+
PermissionsData::AccessType PermissionsData::CanRunOnPage(
const Extension* extension,
const GURL& document_url,
@@ -337,7 +409,13 @@ PermissionsData::AccessType PermissionsData::CanRunOnPage(
runtime_lock_.AssertAcquired();
if (g_policy_delegate &&
!g_policy_delegate->CanExecuteScriptOnPage(extension, document_url,
- tab_id, error)) {
+ tab_id, error))
+ return ACCESS_DENIED;
+
+ if (IsRuntimeBlockedHost(document_url)) {
+ if (error)
+ *error =
+ "This page cannot be scripted due to an ExtensionsSettings policy.";
return ACCESS_DENIED;
}

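Review bot: `runtime_blocked_hosts()` and `runtime_allowed_hosts()` read `uses_default_policy_host_restrictions_`, `runtime_blocked_hosts_unsafe_` and `runtime_allowed_hosts_unsafe_` with no `runtime_lock_` held, although `SetPolicyHostRestrictions` writes all three under `AutoLockOnValidThread`, and the new call in the static `IsRestrictedUrl` (`extension->permissions_data()->IsRuntimeBlockedHost(document_url)`) reaches them without any lock, so a policy update racing with that check can observe a stale or half-assigned host set — the `_unsafe_` convention is otherwise honoured here by `HasHostPermission` (`base::AutoLock`) and `CanRunOnPage` (`runtime_lock_.AssertAcquired()`). Because those two callers already hold the non-reentrant lock, the usual shape is a lock-asserting `IsRuntimeBlockedHostUnsafe` for them and a lock-taking `IsRuntimeBlockedHost` for the unlocked path, with `runtime_lock_.AssertAcquired()` added to both accessors so any future unlocked reader trips a debug build instead of racing; the header needs the extra declaration, and if `IsRestrictedUrl` is itself reached from a caller that holds the lock (the rest of `CanRunOnPage` is outside the hunk) that path has to use the `Unsafe` variant. Two smaller points: `IsRestrictedUrl` writes `*error = manifest_errors::kCannotAccessPage;` unconditionally while `CanRunOnPage` in the last hunk guards with `if (error)`, so it should read `if (error) *error = manifest_errors::kCannotAccessPage;`; and `SetDefaultPolicyHostRestrictions` deletes the previous process-wide default set while `default_runtime_blocked_hosts()` / `default_runtime_allowed_hosts()` hand out a `const URLPatternSet&` to it and lazily `new` it with no synchronization, so unless the defaults are only ever set before any reader exists (not visible here) a reader inside `MatchesURL` on the old set is using freed memory — at minimum that ordering constraint deserves a comment on the setter. The user-facing string in `CanRunOnPage` says `ExtensionsSettings` whereas the policy named in the issue title is `ExtensionSettings`.

```cpp
const URLPatternSet& PermissionsData::runtime_blocked_hosts() const {
  // Readers of the *_unsafe_ members must hold runtime_lock_, as the
  // writer (SetPolicyHostRestrictions) does.
  runtime_lock_.AssertAcquired();
  if (uses_default_policy_host_restrictions_)
    return default_runtime_blocked_hosts();
  return runtime_blocked_hosts_unsafe_;
}

// … unchanged: runtime_allowed_hosts(), with the same AssertAcquired() …

// For callers that already hold runtime_lock_ (HasHostPermission,
// CanRunOnPage).
bool PermissionsData::IsRuntimeBlockedHostUnsafe(const GURL& url) const {
  runtime_lock_.AssertAcquired();
  return runtime_blocked_hosts().MatchesURL(url) &&
         !runtime_allowed_hosts().MatchesURL(url);
}

// For callers that do not hold the lock (IsRestrictedUrl).
bool PermissionsData::IsRuntimeBlockedHost(const GURL& url) const {
  base::AutoLock auto_lock(runtime_lock_);
  return IsRuntimeBlockedHostUnsafe(url);
}
```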