extensions/browser/extension_navigation_throttle.cc - Issue 2841413003: ExtensionNavigationThrottle: block extension iframes in platform apps.

Keyboard Shortcuts

	File
u :	up to issue
j / k :	jump to file after / before current file
J / K :	jump to next file with a comment after / before current file
	Side-by-side diff
i :	toggle intra-line diffs
e :	expand all comments
c :	collapse all comments
s :	toggle showing all comments
n / p :	next / previous diff chunk or comment
N / P :	next / previous comment
<Up> / <Down> :	next / previous line

	Issue
u :	up to list of issues
j / k :	jump to patch after / before current patch
o / <Enter> :	open current patch in side-by-side view
i :	open current patch in unified diff view

	Issue List
j / k :	jump to issue after / before current issue
o / <Enter> :	open current issue

Unified Diff: extensions/browser/extension_navigation_throttle.cc

Issue 2841413003: ExtensionNavigationThrottle: block extension iframes in platform apps. (Closed)

Patch Set: Merge branch 'kill_107_reboot2_s' into kill_107_reboot3' Created 3 years, 7 months ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

Index: extensions/browser/extension_navigation_throttle.cc

diff --git a/extensions/browser/extension_navigation_throttle.cc b/extensions/browser/extension_navigation_throttle.cc

index 9412f16d6ef98f342a477e7b81046a69956b38f6..8fcc2c66ade7d604939000228e137c7cdf5afc4c 100644

--- a/extensions/browser/extension_navigation_throttle.cc

+++ b/extensions/browser/extension_navigation_throttle.cc

@@ -112,7 +112,8 @@ ExtensionNavigationThrottle::WillStartOrRedirectRequest() {

}

// This is a subframe navigation to a |target_extension| resource.

- // Enforce the web_accessible_resources restriction.

+ // Enforce the web_accessible_resources restriction, and same-origin

+ // restrictions for platform apps.

content::RenderFrameHost* parent = navigation_handle()->GetParentFrame();

// Look to see if all ancestors belong to |target_extension|. If not,

@@ -148,6 +149,22 @@ ExtensionNavigationThrottle::WillStartOrRedirectRequest() {

if (!WebAccessibleResourcesInfo::IsResourceWebAccessible(target_extension,

url.path()))

return content::NavigationThrottle::BLOCK_REQUEST;

+ // A platform app may not be loaded in an <iframe> by another origin.

+ //

+ // In fact, platform apps may not have any cross-origin iframes at all; for

+ // non-extension origins of |url| this is enforced by means of a Content

+ // Security Policy. But CSP is incapable of blocking the chrome-extension

+ // scheme. Thus, this case must be handled specially here.

+ if (target_extension->is_platform_app())

+ return content::NavigationThrottle::CANCEL;

+ // A platform app may not load another extension in an <iframe>.

+ const Extension* parent_extension =

+ registry->enabled_extensions().GetExtensionOrAppByURL(

+ parent->GetSiteInstance()->GetSiteURL());

+ if (parent_extension && parent_extension->is_platform_app())

+ return content::NavigationThrottle::BLOCK_REQUEST;

}

return content::NavigationThrottle::PROCEED;

« no previous file with comments | « no previous file | no next file » | no next file with comments »