PS - Remove Clipboard Read permission from extensions in Public Sessions (except for whitelisted on…

chrome/browser/extensions/permissions_updater.cc

Index: chrome/browser/extensions/permissions_updater.cc
diff --git a/chrome/browser/extensions/permissions_updater.cc b/chrome/browser/extensions/permissions_updater.cc
index 26730a999aaa4510a01500c6c3bab92db4b18f12..032cfaa66fc561a8472d5b7e760b2805730c48a7 100644
--- a/chrome/browser/extensions/permissions_updater.cc
+++ b/chrome/browser/extensions/permissions_updater.cc
@@ -11,6 +11,7 @@
 #include "chrome/browser/extensions/api/permissions/permissions_api_helpers.h"
 #include "chrome/browser/extensions/scripting_permissions_modifier.h"
 #include "chrome/browser/profiles/profile.h"
+#include "chrome/browser/profiles/profiles_state.h"
 #include "chrome/common/extensions/api/permissions.h"
 #include "content/public/browser/notification_observer.h"
 #include "content/public/browser/notification_registrar.h"
@@ -25,6 +26,10 @@
 #include "extensions/common/permissions/permission_set.h"
 #include "extensions/common/permissions/permissions_data.h"
 
+#if defined(OS_CHROMEOS)
+#include "chrome/browser/chromeos/extensions/device_local_account_management_policy_provider.h"
+#endif
+
 using content::RenderProcessHost;
 using extensions::permissions_api_helpers::PackPermissionSet;
 
@@ -199,6 +204,23 @@ void PermissionsUpdater::InitializePermissions(const Extension* extension) {
 
   SetPermissions(extension, std::move(granted_permissions),
                  std::move(withheld_permissions));
+
+#if defined(OS_CHROMEOS)

[Devlin, 2017/04/03 20:39:20]

I'd like to avoid adding so many #ifdefs and chromeos + public sessions specific
logic here.  Could we instead do something like:

namespace {

PermissionsUpdater* g_delegate = nullptr;

}

void PermissionsUpdater::SetPlatformDelegate(Delegate* delegate) {
  g_delegate = delegate;
}

void InitializePermissions() {
  ....

  if (g_delegate)
    g_delegate->InitializePermissions(...);
}

and then in CrOS-specific code, have a PermissionsUpdaterDelegate that
implements an InitializePermissions function that withholds this?

It's a bit more code, but I think it's a little cleaner in the sense that it
keeps core extensions code from needing to know (more) about public sessions,
etc.

+  // In Public Sessions, apps and extensions are force-installed by admin policy
+  // so the user does not get a chance to review the permissions for these apps.
+  // This is not acceptable from a security standpoint, so we remove
+  // ClipboardRead permission from them (except for whitelisted ones - eg.
+  // remote desktop clients). This forceful removal of permission is safe since
+  // the clipboard pasting code checks for this permission before doing the
+  // paste.
+  if (profiles::IsPublicSession() &&
+      !chromeos::DeviceLocalAccountManagementPolicyProvider::IsWhitelisted(
+          extension)) {
+    ScriptingPermissionsModifier(browser_context_,
+                                 make_scoped_refptr(extension))
+        .WithholdClipboardRead();
+  }
+#endif
 }
 
 void PermissionsUpdater::SetPermissions(