extensions/browser/extension_navigation_throttle.cc - Issue 2841413003: ExtensionNavigationThrottle: block extension iframes in platform apps.

Keyboard Shortcuts

	File
u :	up to issue
j / k :	jump to file after / before current file
J / K :	jump to next file with a comment after / before current file
	Side-by-side diff
i :	toggle intra-line diffs
e :	expand all comments
c :	collapse all comments
s :	toggle showing all comments
n / p :	next / previous diff chunk or comment
N / P :	next / previous comment
<Up> / <Down> :	next / previous line

	Issue
u :	up to list of issues
j / k :	jump to patch after / before current patch
o / <Enter> :	open current patch in side-by-side view
i :	open current patch in unified diff view

	Issue List
j / k :	jump to issue after / before current issue
o / <Enter> :	open current issue

Unified Diff: extensions/browser/extension_navigation_throttle.cc

Issue 2841413003: ExtensionNavigationThrottle: block extension iframes in platform apps. (Closed)

Patch Set: Rebase Created 3 years, 8 months ago

Use n/p to move between diff chunks; N/P to move between comments.

Jump to:

Index: extensions/browser/extension_navigation_throttle.cc

diff --git a/extensions/browser/extension_navigation_throttle.cc b/extensions/browser/extension_navigation_throttle.cc

index 9d207ab2f6974092c35a2b97df75423eef135591..33e6e79c7f365775e1f3d070625d3ddbf43af275 100644

--- a/extensions/browser/extension_navigation_throttle.cc

+++ b/extensions/browser/extension_navigation_throttle.cc

@@ -116,7 +116,8 @@ ExtensionNavigationThrottle::WillStartRequest() {

}

// This is a subframe navigation to a |target_extension| resource.

- // Enforce the web_accessible_resources restriction.

+ // Enforce the web_accessible_resources restriction, and same-origin

+ // restrictions for platform apps.

content::RenderFrameHost* parent = web_contents->FindFrameByFrameTreeNodeId(

navigation_handle()->GetParentFrameTreeNodeId());

@@ -153,6 +154,22 @@ ExtensionNavigationThrottle::WillStartRequest() {

if (!WebAccessibleResourcesInfo::IsResourceWebAccessible(target_extension,

url.path()))

return content::NavigationThrottle::BLOCK_REQUEST;

+ // A platform app may not be loaded in an <iframe> by another origin.

+ //

+ // In fact, platform apps may not have any cross-origin iframes at all; for

+ // non-extension origins of |url| this is enforced by means of a Content

+ // Security Policy. But CSP is incapable of blocking the chrome-extension

+ // scheme. Thus, this case must be handled specially here.

+ if (target_extension->is_platform_app())

+ return content::NavigationThrottle::CANCEL;

+ // A platform app may not load another extension in an <iframe>.

+ const Extension* parent_extension =

+ registry->enabled_extensions().GetExtensionOrAppByURL(

+ parent->GetSiteInstance()->GetSiteURL());

+ if (parent_extension && parent_extension->is_platform_app())

+ return content::NavigationThrottle::BLOCK_REQUEST;

Devlin 2017/05/01 22:10:36 Document why the BLOCK vs CANCEL?

}

return content::NavigationThrottle::PROCEED;

« no previous file with comments | « no previous file | no next file » | no next file with comments »