Block content scripts from executing until user grants permission

extensions/renderer/script_injection.cc

 // Copyright 2014 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "extensions/renderer/script_injection.h"
 
 #include <vector>
 
 #include "base/lazy_instance.h"
 #include "base/metrics/histogram.h"
 #include "content/public/common/url_constants.h"
+#include "content/public/renderer/render_view.h"
 #include "extensions/common/extension.h"
 #include "extensions/common/extension_messages.h"
 #include "extensions/common/permissions/permissions_data.h"
 #include "extensions/renderer/dom_activity_logger.h"
 #include "extensions/renderer/extension_groups.h"
+#include "extensions/renderer/extension_helper.h"
 #include "extensions/renderer/script_context.h"
 #include "extensions/renderer/user_script_slave.h"
 #include "grit/renderer_resources.h"
 #include "third_party/WebKit/public/web/WebDocument.h"
 #include "third_party/WebKit/public/web/WebFrame.h"
 #include "third_party/WebKit/public/web/WebScriptSource.h"
+#include "third_party/WebKit/public/web/WebView.h"
 #include "ui/base/resource/resource_bundle.h"
 #include "url/gurl.h"
 
 namespace extensions {
 
 namespace {
 
+// The id of the next pending injection.
+int64 g_next_pending_id = 0;
+
 // These two strings are injected before and after the Greasemonkey API and
 // user script to wrap it in an anonymous scope.
 const char kUserScriptHead[] = "(function (unsafeWindow) {\n";
 const char kUserScriptTail[] = "\n})(window);";
 
 // Greasemonkey API source that is injected with the scripts.
 struct GreasemonkeyApiJsString {
   GreasemonkeyApiJsString();
   blink::WebScriptSource source;
 };
@@ skipping 10 matching lines @@
     LAZY_INSTANCE_INITIALIZER;
 
 }  // namespace
 
 ScriptInjection::ScriptsRunInfo::ScriptsRunInfo() : num_css(0u), num_js(0u) {
 }
 
 ScriptInjection::ScriptsRunInfo::~ScriptsRunInfo() {
 }
 
+struct ScriptInjection::PendingInjection {
+  PendingInjection(blink::WebFrame* web_frame,
+                   UserScript::RunLocation run_location,
+                   int page_id);
+  ~PendingInjection();
+
+  // The globally-unique id of this request.
+  int64 id;
+
+  // The pointer to the web frame into which the script should be injected.
+  // This is weak, but safe because we remove pending requests when a frame is
+  // terminated.
+  blink::WebFrame* web_frame;
+
+  // The run location to inject at.
+  // Note: This could be a lie - we might inject well after this run location
+  // has come and gone. But we need to know it to know which scripts to inject.
+  UserScript::RunLocation run_location;
+
+  // The corresponding page id, to protect against races.
+  int page_id;
+};
+
+ScriptInjection::PendingInjection::PendingInjection(
+    blink::WebFrame* web_frame,
+    UserScript::RunLocation run_location,
+    int page_id)
+    : id(g_next_pending_id++),
+      web_frame(web_frame),
+      run_location(run_location),
+      page_id(page_id) {
+}
+
+ScriptInjection::PendingInjection::~PendingInjection() {
+}
+
 // static
 GURL ScriptInjection::GetDocumentUrlForFrame(blink::WebFrame* frame) {
   GURL data_source_url = ScriptContext::GetDataSourceURLForFrame(frame);
   if (!data_source_url.is_empty() && frame->isViewSourceModeEnabled()) {
     data_source_url = GURL(content::kViewSourceScheme + std::string(":") +
                            data_source_url.spec());
   }
 
   return data_source_url;
 }
 
 ScriptInjection::ScriptInjection(
     scoped_ptr<UserScript> script,
     UserScriptSlave* user_script_slave)
     : script_(script.Pass()),
       extension_id_(script_->extension_id()),
       user_script_slave_(user_script_slave),
       is_standalone_or_emulate_greasemonkey_(
           script_->is_standalone() || script_->emulate_greasemonkey()) {
 }
 
 ScriptInjection::~ScriptInjection() {
 }
 
+void ScriptInjection::InjectIfAllowed(blink::WebFrame* frame,
+                                      UserScript::RunLocation run_location,
+                                      const GURL& document_url,
+                                      ScriptsRunInfo* scripts_run_info) {
+  if (!WantsToRun(frame, run_location, document_url))
+    return;
+
+  const Extension* extension = user_script_slave_->GetExtension(extension_id_);
+  DCHECK(extension);  // WantsToRun() should be false if there's no extension.
+
+  content::RenderView* top_render_view =
+      content::RenderView::FromWebView(frame->top()->view());
+  // If there's no tab id, we would have no surface to ask for permissions.
+  // Until we resolve this, just allow it.
+  if (PermissionsData::RequiresActionForScriptExecution(extension) &&

[not at google - send to devlin, 2014/05/23 18:05:43]

as noted over chat, we also need a check that the flag is actually enabled lest
we break document_start/end scripts.

note to readers: we know we're going to break it when the flag is turned on. we
just don't want to break it just yet.

[not at google - send to devlin, 2014/05/23 18:06:56]

and it's very worrying that this didn't break any tests.

[Devlin, 2014/05/23 19:19:47]

Done.

+      ExtensionHelper::Get(top_render_view)->tab_id() != -1) {
+    // We use the top render view here (instead of the render view for the
+    // frame), because script injection on any frame requires permission for
+    // the top frame. Additionally, if we have to show any UI for permissions,
+    // it should only be done on the top frame.
+    int page_id = top_render_view->GetPageId();
+    ScopedVector<PendingInjection>::iterator pending_injection =
+        pending_injections_.insert(
+            pending_injections_.end(),
+            new PendingInjection(frame, run_location, page_id));
+
+    top_render_view->Send(
+        new ExtensionHostMsg_RequestContentScriptPermission(
+            top_render_view->GetRoutingID(),
+            extension->id(),
+            page_id,
+            (*pending_injection)->id));
+  } else {
+    Inject(frame, run_location, scripts_run_info);
+  }
+}
+
+bool ScriptInjection::NotifyScriptPermitted(
+    int64 request_id,
+    content::RenderView* render_view,
+    ScriptsRunInfo* scripts_run_info,
+    blink::WebFrame** frame_out) {
+  ScopedVector<PendingInjection>::iterator iter = pending_injections_.begin();
+  while (iter != pending_injections_.end() && (*iter)->id != request_id)
+    ++iter;
+
+  // No matching request.
+  if (iter == pending_injections_.end())
+    return false;
+
+  // We found the request, so pull it out of the pending list.
+  scoped_ptr<PendingInjection> pending_injection(*iter);
+  pending_injections_.weak_erase(iter);
+
+  // Ensure the Page ID and Extension are still valid. Otherwise, don't inject.
+  if (render_view->GetPageId() != pending_injection->page_id)
+    return false;
+
+  const Extension* extension = user_script_slave_->GetExtension(extension_id_);
+  if (!extension)
+    return false;
+
+  // Everything matches! Inject the script.
+  if (frame_out)
+    *frame_out = pending_injection->web_frame;
+  Inject(pending_injection->web_frame,
+         pending_injection->run_location,
+         scripts_run_info);
+  return true;
+}
+
+void ScriptInjection::FrameDetached(blink::WebFrame* frame) {
+  // Any pending injections associated with the given frame will never run.
+  // Remove them.
+  for (ScopedVector<PendingInjection>::iterator iter =
+           pending_injections_.begin();
+       iter != pending_injections_.end();) {
+    if ((*iter)->web_frame == frame)
+      pending_injections_.erase(iter);
+    else
+      ++iter;
+  }
+}
+
 bool ScriptInjection::WantsToRun(blink::WebFrame* frame,
                                  UserScript::RunLocation run_location,
                                  const GURL& document_url) const {
   if (frame->parent() && !script_->match_all_frames())
     return false;  // Only match subframes if the script declared it wanted to.
 
   const Extension* extension = user_script_slave_->GetExtension(extension_id_);
   // Since extension info is sent separately from user script info, they can
   // be out of sync. We just ignore this situation.
   if (!extension)
@@ skipping 99 matching lines @@
   scripts_run_info->num_css += css_scripts.size();
   for (UserScript::FileList::const_iterator iter = css_scripts.begin();
        iter != css_scripts.end();
        ++iter) {
     frame->document().insertStyleSheet(
         blink::WebString::fromUTF8(iter->GetContent().as_string()));
   }
 }
 
 }  // namespace extensions