ExtensionNavigationThrottle: block extension iframes in platform apps.

extensions/browser/extension_navigation_throttle.cc

 // Copyright 2016 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "extensions/browser/extension_navigation_throttle.h"
 
 #include "components/guest_view/browser/guest_view_base.h"
 #include "content/public/browser/browser_thread.h"
 #include "content/public/browser/navigation_handle.h"
 #include "content/public/browser/render_frame_host.h"
@@ skipping 94 matching lines @@
           is_guest, target_extension, owner_extension, partition_id, url.path(),
           navigation_handle()->GetPageTransition(), &allowed);
       if (!allowed)
         return content::NavigationThrottle::BLOCK_REQUEST;
     }
 
     return content::NavigationThrottle::PROCEED;
   }
 
   // This is a subframe navigation to a |target_extension| resource.
-  // Enforce the web_accessible_resources restriction.
+  // Enforce the web_accessible_resources restriction, and same-origin
+  // restrictions for platform apps.
   content::RenderFrameHost* parent = navigation_handle()->GetParentFrame();
 
   // Look to see if all ancestors belong to |target_extension|. If not,
   // then the web_accessible_resource restriction applies.
   bool external_ancestor = false;
   for (auto* ancestor = parent; ancestor; ancestor = ancestor->GetParent()) {
     // Look for a match on the last committed origin. This handles the
     // common case, and the about:blank case.
     if (ancestor->GetLastCommittedOrigin() == target_origin)
       continue;
@@ skipping 15 matching lines @@
 
   if (external_ancestor) {
     // Cancel navigations to nested URLs, to match the main frame behavior.
     if (!url_has_extension_scheme)
       return content::NavigationThrottle::CANCEL;
 
     // |url| must be in the manifest's "web_accessible_resources" section.
     if (!WebAccessibleResourcesInfo::IsResourceWebAccessible(target_extension,
                                                              url.path()))
       return content::NavigationThrottle::BLOCK_REQUEST;
+
+    // A platform app may not be loaded in an <iframe> by another origin.
+    //
+    // In fact, platform apps may not have any cross-origin iframes at all; for
+    // non-extension origins of |url| this is enforced by means of a Content
+    // Security Policy. But CSP is incapable of blocking the chrome-extension
+    // scheme. Thus, this case must be handled specially here.
+    if (target_extension->is_platform_app())
+      return content::NavigationThrottle::CANCEL;
+
+    // A platform app may not load another extension in an <iframe>.
+    const Extension* parent_extension =
+        registry->enabled_extensions().GetExtensionOrAppByURL(
+            parent->GetSiteInstance()->GetSiteURL());
+    if (parent_extension && parent_extension->is_platform_app())
+      return content::NavigationThrottle::BLOCK_REQUEST;
   }
 
   return content::NavigationThrottle::PROCEED;
 }
 
 content::NavigationThrottle::ThrottleCheckResult
 ExtensionNavigationThrottle::WillStartRequest() {
   return WillStartOrRedirectRequest();
 }
 
 content::NavigationThrottle::ThrottleCheckResult
 ExtensionNavigationThrottle::WillRedirectRequest() {
   ThrottleCheckResult result = WillStartOrRedirectRequest();
   if (result == BLOCK_REQUEST) {
     // TODO(nick): https://crbug.com/695421 means that BLOCK_REQUEST does not
     // work here. Once PlzNavigate is enabled 100%, just return |result|.
     return CANCEL;
   }
   return result;
 }
 
 const char* ExtensionNavigationThrottle::GetNameForLogging() {
   return "ExtensionNavigationThrottle";
 }
 
 }  // namespace extensions