Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(1811)

Issues Search
    My Issues | Starred     Open | Closed | All

Unified Diff: extensions/browser/extension_navigation_throttle.cc

Issue 2875493002: Block navigations to hosted apps non-icon resources with PlzNavigate. (Closed)
Patch Set: Add a test for allowed navigation to an icon file. Created 3 years, 7 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View side-by-side diff with in-line comments
Download patch
« no previous file with comments | « chrome/test/data/extensions/hosted_app/manifest.json ('k') | no next file » | no next file with comments »
Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
Index: extensions/browser/extension_navigation_throttle.cc
diff --git a/extensions/browser/extension_navigation_throttle.cc b/extensions/browser/extension_navigation_throttle.cc
index 9412f16d6ef98f342a477e7b81046a69956b38f6..4284339535b9c609dea0ee39526637b068962916 100644
--- a/extensions/browser/extension_navigation_throttle.cc
+++ b/extensions/browser/extension_navigation_throttle.cc
@@ -17,6 +17,7 @@
#include "extensions/common/constants.h"
#include "extensions/common/extension.h"
#include "extensions/common/extension_set.h"
+#include "extensions/common/manifest_handlers/icons_handler.h"
#include "extensions/common/manifest_handlers/web_accessible_resources_info.h"
#include "extensions/common/manifest_handlers/webview_info.h"
#include "extensions/common/permissions/api_permission.h"
@@ -65,6 +66,21 @@ ExtensionNavigationThrottle::WillStartOrRedirectRequest() {
return content::NavigationThrottle::BLOCK_REQUEST;
}
+ // Hosted apps don't have any associated resources outside of icons, so
+ // block any requests to URLs in their extension origin.
+ // TODO(nasko): An equivalent check is performed in the renderer process
+ // inside ResourceRequestPolicy::CanRequestResource. It can be removed
+ // once PlzNavigate is the default.
ncarter (slow) 2017/05/24 21:13:16 Can we though? If you remove the enforcement in Re
nasko 2017/05/24 21:15:43 This is a good point. It might still be possible,
+ if (target_extension->is_hosted_app()) {
+ base::StringPiece resource_root_relative_path =
+ url.path_piece().empty() ? base::StringPiece()
+ : url.path_piece().substr(1);
+ if (!IconsInfo::GetIcons(target_extension)
+ .ContainsPath(resource_root_relative_path)) {
+ return content::NavigationThrottle::BLOCK_REQUEST;
+ }
+ }
+
if (navigation_handle()->IsInMainFrame()) {
// Block top-level navigations to blob: or filesystem: URLs with extension
// origin from non-extension processes. See https://crbug.com/645028.
« no previous file with comments | « chrome/test/data/extensions/hosted_app/manifest.json ('k') | no next file » | no next file with comments »

Powered by Google App Engine
This is Rietveld 408576698