Block content scripts from executing until user grants permission

extensions/renderer/user_script_slave.cc

Index: extensions/renderer/user_script_slave.cc
diff --git a/extensions/renderer/user_script_slave.cc b/extensions/renderer/user_script_slave.cc
index 036581b3cd5502a929b4014cf0517353a3c8c8dc..420f884b22ce91d0431b4eae4fc33ab237d8c502 100644
--- a/extensions/renderer/user_script_slave.cc
+++ b/extensions/renderer/user_script_slave.cc
@@ -30,7 +30,6 @@ using blink::WebFrame;
 using blink::WebSecurityOrigin;
 using blink::WebSecurityPolicy;
 using blink::WebString;
-using blink::WebView;
 using content::RenderThread;
 
 namespace extensions {
@@ -101,9 +100,9 @@ const Extension* UserScriptSlave::GetExtension(
   return extensions_->GetByID(extension_id);
 }
 
-bool UserScriptSlave::UpdateScripts(base::SharedMemoryHandle shared_memory) {
-  script_injections_.clear();
-
+bool UserScriptSlave::UpdateScripts(
+    base::SharedMemoryHandle shared_memory,
+    const std::set<std::string>& changed_extensions) {
   bool only_inject_incognito =
       ExtensionsRendererClient::Get()->IsIncognitoProcess();
 
@@ -130,7 +129,25 @@ bool UserScriptSlave::UpdateScripts(base::SharedMemoryHandle shared_memory) {
   PickleIterator iter(pickle);
   CHECK(pickle.ReadUInt64(&iter, &num_scripts));
 
-  script_injections_.reserve(num_scripts);
+  // If we pass no explicit extension ids, we should refresh all extensions.
+  bool include_all_extensions = changed_extensions.empty();
+
+  // If we include all extensions, then we clear the script injections and
+  // start from scratch. If not, then clear only the scripts for extension ids
+  // that we are updating.

[not at google - send to devlin, 2014/05/21 15:01:07]

could you mention "this is important to maintain pending script injection state
for each ScriptInjection"

[Devlin, 2014/05/21 17:05:11]

Good call. Done.

+  if (include_all_extensions) {
+    script_injections_.clear();
+  } else {
+    for (ScopedVector<ScriptInjection>::iterator iter =
+             script_injections_.begin();
+         iter != script_injections_.end();) {
+      if (changed_extensions.count((*iter)->extension_id()) > 0)
+        iter = script_injections_.erase(iter);
+      else
+        ++iter;
+    }
+  }
+

[not at google - send to devlin, 2014/05/21 15:01:07]

you might as well still call reserve()

[Devlin, 2014/05/21 17:05:11]

Done.

   for (uint64 i = 0; i < num_scripts; ++i) {
     scoped_ptr<UserScript> script(new UserScript());
     script->Unpickle(pickle, &iter);
@@ -153,8 +170,15 @@ bool UserScriptSlave::UpdateScripts(base::SharedMemoryHandle shared_memory) {
           base::StringPiece(body, body_length));
     }
 
-    if (only_inject_incognito && !script->is_incognito_enabled())
-      continue; // This script shouldn't run in an incognito tab.
+    // Don't add the script if it shouldn't shouldn't run in this tab, or if
+    // we don't need to reload that extension.
+    // It's a shame we don't catch this sooner, but since we lump all the user
+    // scripts together, we can't skip parsing any.
+    if ((only_inject_incognito && !script->is_incognito_enabled()) ||
+        (!include_all_extensions &&
+             changed_extensions.count(script->extension_id()) == 0)) {
+      continue;
+    }
 
     script_injections_.push_back(new ScriptInjection(script.Pass(), this));
   }
@@ -168,35 +192,44 @@ void UserScriptSlave::InjectScripts(WebFrame* frame,
   if (document_url.is_empty())
     return;
 
-  content::RenderView* top_render_view =
-      content::RenderView::FromWebView(frame->top()->view());
-
   ScriptInjection::ScriptsRunInfo scripts_run_info;
   for (ScopedVector<ScriptInjection>::const_iterator iter =
            script_injections_.begin();
        iter != script_injections_.end();
        ++iter) {
-    ScriptInjection* injection = *iter;
-    if (!injection->WantsToRun(frame, location, document_url))
-      continue;
+    (*iter)->InjectIfAllowed(frame, location, document_url, &scripts_run_info);
+  }
 
-    const Extension* extension = GetExtension(injection->extension_id());
-    DCHECK(extension);
-
-    if (PermissionsData::RequiresActionForScriptExecution(extension)) {
-      // TODO(rdevlin.cronin): Right now, this is just a notification, but soon
-      // we should block without user consent.
-      top_render_view->Send(
-          new ExtensionHostMsg_NotifyExtensionScriptExecution(
-              top_render_view->GetRoutingID(),
-              extension->id(),
-              top_render_view->GetPageId()));
-    }
+  LogScriptsRun(frame, location, scripts_run_info);
+}
 
-    injection->Inject(frame, location, &scripts_run_info);
+void UserScriptSlave::OnContentScriptGrantedPermission(
+    content::RenderView* render_view, int request_id) {
+  ScriptInjection::ScriptsRunInfo run_info;
+  blink::WebFrame* frame = NULL;
+  // Notify the injections that a request to inject has been granted.
+  for (ScopedVector<ScriptInjection>::iterator iter =
+           script_injections_.begin();
+       iter != script_injections_.end();
+       ++iter) {
+    if ((*iter)->NotifyScriptPermitted(request_id,
+                                       render_view,
+                                       &run_info,
+                                       &frame)) {
+      DCHECK(frame);
+      LogScriptsRun(frame, UserScript::UNDEFINED, run_info);

[not at google - send to devlin, 2014/05/21 15:01:07]

could you define a new run location here like DEFERRED and handle that case
separately? e.g. we might as well count up and UMA the deferred css/js scripts
too.

[Devlin, 2014/05/21 17:05:11]

New location added.  It okay to add histograms in a follow-up to make it clear
to the histograms reviewer what's changing?  (Added a TODO in the meantime.)

[not at google - send to devlin, 2014/05/21 17:36:23]

yes!

+      break;
+    }
   }
+}
 
-  LogScriptsRun(frame, location, scripts_run_info);
+void UserScriptSlave::NotifyFrameDetached(blink::WebFrame* frame) {

[not at google - send to devlin, 2014/05/21 15:01:07]

everywhere else in the codebase this is called "FrameDetached" so please call it
that.

[Devlin, 2014/05/21 17:05:11]

Logic was to make it clear that this wasn't OVERRIDEing the observer method, but
I guess since it's just a direct forward of it, we should name it the same for
consistency. Done.

+  for (ScopedVector<ScriptInjection>::iterator iter =
+           script_injections_.begin();
+       iter != script_injections_.end();
+       ++iter) {
+    (*iter)->NotifyFrameDetached(frame);
+  }
 }
 
 void UserScriptSlave::LogScriptsRun(
@@ -228,8 +261,6 @@ void UserScriptSlave::LogScriptsRun(
     UMA_HISTOGRAM_COUNTS_100("Extensions.InjectIdle_ScriptCount", info.num_js);
     if (info.num_js)
       UMA_HISTOGRAM_TIMES("Extensions.InjectIdle_Time", info.timer.Elapsed());

[not at google - send to devlin, 2014/05/21 15:01:07]

see comment about deferred

[Devlin, 2014/05/21 17:05:11]

Done.

-  } else {
-    NOTREACHED();
   }
 }