Block content scripts from executing until user grants permission

extensions/renderer/user_script_slave.cc

 // Copyright 2014 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "extensions/renderer/user_script_slave.h"
 
 #include <map>
 
 #include "base/logging.h"
 #include "base/memory/shared_memory.h"
@@ skipping 12 matching lines @@
 #include "third_party/WebKit/public/web/WebFrame.h"
 #include "third_party/WebKit/public/web/WebSecurityOrigin.h"
 #include "third_party/WebKit/public/web/WebSecurityPolicy.h"
 #include "third_party/WebKit/public/web/WebView.h"
 #include "url/gurl.h"
 
 using blink::WebFrame;
 using blink::WebSecurityOrigin;
 using blink::WebSecurityPolicy;
 using blink::WebString;
-using blink::WebView;
 using content::RenderThread;
 
 namespace extensions {
 
 int UserScriptSlave::GetIsolatedWorldIdForExtension(const Extension* extension,
                                                     WebFrame* frame) {
   static int g_next_isolated_world_id =
       ExtensionsRendererClient::Get()->GetLowestIsolatedWorldId();
 
   int id = 0;
@@ skipping 50 matching lines @@
     DCHECK(!(*iter)->extension_id().empty());
     extension_ids->insert((*iter)->extension_id());
   }
 }
 
 const Extension* UserScriptSlave::GetExtension(
     const std::string& extension_id) {
   return extensions_->GetByID(extension_id);
 }
 
-bool UserScriptSlave::UpdateScripts(base::SharedMemoryHandle shared_memory) {
-  script_injections_.clear();
-
+bool UserScriptSlave::UpdateScripts(
+    base::SharedMemoryHandle shared_memory,
+    const std::set<std::string>& changed_extensions) {
   bool only_inject_incognito =
       ExtensionsRendererClient::Get()->IsIncognitoProcess();
 
   // Create the shared memory object (read only).
   shared_memory_.reset(new base::SharedMemory(shared_memory, true));
   if (!shared_memory_.get())
     return false;
 
   // First get the size of the memory block.
   if (!shared_memory_->Map(sizeof(Pickle::Header)))
     return false;
   Pickle::Header* pickle_header =
       reinterpret_cast<Pickle::Header*>(shared_memory_->memory());
 
   // Now map in the rest of the block.
   int pickle_size = sizeof(Pickle::Header) + pickle_header->payload_size;
   shared_memory_->Unmap();
   if (!shared_memory_->Map(pickle_size))
     return false;
 
   // Unpickle scripts.
   uint64 num_scripts = 0;
   Pickle pickle(reinterpret_cast<char*>(shared_memory_->memory()), pickle_size);
   PickleIterator iter(pickle);
   CHECK(pickle.ReadUInt64(&iter, &num_scripts));
 
-  script_injections_.reserve(num_scripts);
+  // If we pass no explicit extension ids, we should refresh all extensions.
+  bool include_all_extensions = changed_extensions.empty();
+
+  // If we include all extensions, then we clear the script injections and
+  // start from scratch. If not, then clear only the scripts for extension ids
+  // that we are updating.

[not at google - send to devlin, 2014/05/21 15:01:07]

could you mention "this is important to maintain pending script injection state
for each ScriptInjection"

[Devlin, 2014/05/21 17:05:11]

Good call. Done.

+  if (include_all_extensions) {
+    script_injections_.clear();
+  } else {
+    for (ScopedVector<ScriptInjection>::iterator iter =
+             script_injections_.begin();
+         iter != script_injections_.end();) {
+      if (changed_extensions.count((*iter)->extension_id()) > 0)
+        iter = script_injections_.erase(iter);
+      else
+        ++iter;
+    }
+  }
+

[not at google - send to devlin, 2014/05/21 15:01:07]

you might as well still call reserve()

[Devlin, 2014/05/21 17:05:11]

Done.

   for (uint64 i = 0; i < num_scripts; ++i) {
     scoped_ptr<UserScript> script(new UserScript());
     script->Unpickle(pickle, &iter);
 
     // Note that this is a pointer into shared memory. We don't own it. It gets
     // cleared up when the last renderer or browser process drops their
     // reference to the shared memory.
     for (size_t j = 0; j < script->js_scripts().size(); ++j) {
       const char* body = NULL;
       int body_length = 0;
       CHECK(pickle.ReadData(&iter, &body, &body_length));
       script->js_scripts()[j].set_external_content(
           base::StringPiece(body, body_length));
     }
     for (size_t j = 0; j < script->css_scripts().size(); ++j) {
       const char* body = NULL;
       int body_length = 0;
       CHECK(pickle.ReadData(&iter, &body, &body_length));
       script->css_scripts()[j].set_external_content(
           base::StringPiece(body, body_length));
     }
 
-    if (only_inject_incognito && !script->is_incognito_enabled())
-      continue; // This script shouldn't run in an incognito tab.
+    // Don't add the script if it shouldn't shouldn't run in this tab, or if
+    // we don't need to reload that extension.
+    // It's a shame we don't catch this sooner, but since we lump all the user
+    // scripts together, we can't skip parsing any.
+    if ((only_inject_incognito && !script->is_incognito_enabled()) ||
+        (!include_all_extensions &&
+             changed_extensions.count(script->extension_id()) == 0)) {
+      continue;
+    }
 
     script_injections_.push_back(new ScriptInjection(script.Pass(), this));
   }
 
   return true;
 }
 
 void UserScriptSlave::InjectScripts(WebFrame* frame,
                                     UserScript::RunLocation location) {
   GURL document_url = ScriptInjection::GetDocumentUrlForFrame(frame);
   if (document_url.is_empty())
     return;
 
-  content::RenderView* top_render_view =
-      content::RenderView::FromWebView(frame->top()->view());
-
   ScriptInjection::ScriptsRunInfo scripts_run_info;
   for (ScopedVector<ScriptInjection>::const_iterator iter =
            script_injections_.begin();
        iter != script_injections_.end();
        ++iter) {
-    ScriptInjection* injection = *iter;
-    if (!injection->WantsToRun(frame, location, document_url))
-      continue;
-
-    const Extension* extension = GetExtension(injection->extension_id());
-    DCHECK(extension);
-
-    if (PermissionsData::RequiresActionForScriptExecution(extension)) {
-      // TODO(rdevlin.cronin): Right now, this is just a notification, but soon
-      // we should block without user consent.
-      top_render_view->Send(
-          new ExtensionHostMsg_NotifyExtensionScriptExecution(
-              top_render_view->GetRoutingID(),
-              extension->id(),
-              top_render_view->GetPageId()));
-    }
-
-    injection->Inject(frame, location, &scripts_run_info);
+    (*iter)->InjectIfAllowed(frame, location, document_url, &scripts_run_info);
   }
 
   LogScriptsRun(frame, location, scripts_run_info);
 }
 
+void UserScriptSlave::OnContentScriptGrantedPermission(
+    content::RenderView* render_view, int request_id) {
+  ScriptInjection::ScriptsRunInfo run_info;
+  blink::WebFrame* frame = NULL;
+  // Notify the injections that a request to inject has been granted.
+  for (ScopedVector<ScriptInjection>::iterator iter =
+           script_injections_.begin();
+       iter != script_injections_.end();
+       ++iter) {
+    if ((*iter)->NotifyScriptPermitted(request_id,
+                                       render_view,
+                                       &run_info,
+                                       &frame)) {
+      DCHECK(frame);
+      LogScriptsRun(frame, UserScript::UNDEFINED, run_info);

[not at google - send to devlin, 2014/05/21 15:01:07]

could you define a new run location here like DEFERRED and handle that case
separately? e.g. we might as well count up and UMA the deferred css/js scripts
too.

[Devlin, 2014/05/21 17:05:11]

New location added.  It okay to add histograms in a follow-up to make it clear
to the histograms reviewer what's changing?  (Added a TODO in the meantime.)

[not at google - send to devlin, 2014/05/21 17:36:23]

yes!

+      break;
+    }
+  }
+}
+
+void UserScriptSlave::NotifyFrameDetached(blink::WebFrame* frame) {

[not at google - send to devlin, 2014/05/21 15:01:07]

everywhere else in the codebase this is called "FrameDetached" so please call it
that.

[Devlin, 2014/05/21 17:05:11]

Logic was to make it clear that this wasn't OVERRIDEing the observer method, but
I guess since it's just a direct forward of it, we should name it the same for
consistency. Done.

+  for (ScopedVector<ScriptInjection>::iterator iter =
+           script_injections_.begin();
+       iter != script_injections_.end();
+       ++iter) {
+    (*iter)->NotifyFrameDetached(frame);
+  }
+}
+
 void UserScriptSlave::LogScriptsRun(
     blink::WebFrame* frame,
     UserScript::RunLocation location,
     const ScriptInjection::ScriptsRunInfo& info) {
   // Notify the browser if any extensions are now executing scripts.
   if (!info.executing_scripts.empty()) {
     content::RenderView* render_view =
         content::RenderView::FromWebView(frame->view());
     render_view->Send(new ExtensionHostMsg_ContentScriptsExecuting(
         render_view->GetRoutingID(),
         info.executing_scripts,
         render_view->GetPageId(),
         ScriptContext::GetDataSourceURLForFrame(frame)));
   }
 
   if (location == UserScript::DOCUMENT_START) {

[not at google - send to devlin, 2014/05/21 15:01:07]

bleh, can we change this to a switch() along the way?

[Devlin, 2014/05/21 17:05:11]

Done.

     UMA_HISTOGRAM_COUNTS_100("Extensions.InjectStart_CssCount",
                              info.num_css);
     UMA_HISTOGRAM_COUNTS_100("Extensions.InjectStart_ScriptCount", info.num_js);
     if (info.num_css || info.num_js)
       UMA_HISTOGRAM_TIMES("Extensions.InjectStart_Time", info.timer.Elapsed());
   } else if (location == UserScript::DOCUMENT_END) {
     UMA_HISTOGRAM_COUNTS_100("Extensions.InjectEnd_ScriptCount", info.num_js);
     if (info.num_js)
       UMA_HISTOGRAM_TIMES("Extensions.InjectEnd_Time", info.timer.Elapsed());
   } else if (location == UserScript::DOCUMENT_IDLE) {
     UMA_HISTOGRAM_COUNTS_100("Extensions.InjectIdle_ScriptCount", info.num_js);
     if (info.num_js)
       UMA_HISTOGRAM_TIMES("Extensions.InjectIdle_Time", info.timer.Elapsed());

[not at google - send to devlin, 2014/05/21 15:01:07]

see comment about deferred

[Devlin, 2014/05/21 17:05:11]

Done.

-  } else {
-    NOTREACHED();
   }
 }
 
 }  // namespace extensions