Reland: chrome.webRequest support for ExtensionSettings

extensions/browser/api/web_request/web_request_permissions.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "extensions/browser/api/web_request/web_request_permissions.h"
 
 #include "base/strings/string_piece.h"
 #include "base/strings/string_util.h"
 #include "base/strings/stringprintf.h"
 #include "chromeos/login/login_state.h"
 #include "content/public/browser/child_process_security_policy.h"
 #include "content/public/browser/resource_request_info.h"
 #include "extensions/browser/extension_navigation_ui_data.h"
 #include "extensions/browser/guest_view/web_view/web_view_renderer_state.h"
 #include "extensions/browser/info_map.h"
 #include "extensions/common/constants.h"
 #include "extensions/common/extension.h"
 #include "extensions/common/extension_urls.h"
 #include "extensions/common/permissions/permissions_data.h"
 #include "net/url_request/url_request.h"
 #include "url/gurl.h"
-#include "url/origin.h"
 
 #if defined(OS_CHROMEOS)
 #include "chromeos/login/login_state.h"
 #endif  // defined(OS_CHROMEOS)
 
 using content::ResourceRequestInfo;
 using extensions::PermissionsData;
 
 namespace {
 
@@ skipping 111 matching lines @@
   g_allow_all_extension_locations_in_public_session = value;
 }
 
 // static
 PermissionsData::AccessType WebRequestPermissions::CanExtensionAccessURL(
     const extensions::InfoMap* extension_info_map,
     const std::string& extension_id,
     const GURL& url,
     int tab_id,
     bool crosses_incognito,
-    HostPermissionsCheck host_permissions_check) {
+    HostPermissionsCheck host_permissions_check,
+    const base::Optional<url::Origin>& initiator) {
   // extension_info_map can be NULL in testing.
   if (!extension_info_map)
     return PermissionsData::ACCESS_ALLOWED;
 
   const extensions::Extension* extension =
       extension_info_map->extensions().GetByID(extension_id);
   if (!extension)
     return PermissionsData::ACCESS_DENIED;
 
+  // Prevent viewing / modifying requests initiated by a host protected by
+  // policy.
+  if (initiator && extension->permissions_data()->IsRuntimeBlockedHost(
+                       initiator->GetPhysicalOrigin().GetURL()))
+    return PermissionsData::ACCESS_DENIED;
+
   // When we are in a Public Session, allow all URLs for webRequests initiated
   // by a regular extension (but don't allow chrome:// URLs).
 #if defined(OS_CHROMEOS)
   if (chromeos::LoginState::IsInitialized() &&
       chromeos::LoginState::Get()->IsPublicSessionUser() &&
       extension->is_extension() &&
       !url.SchemeIs("chrome")) {
     // Make sure that the extension is truly installed by policy (the assumption
     // in Public Session is that all extensions are installed by policy).
     CHECK(g_allow_all_extension_locations_in_public_session ||
@@ skipping 24 matching lines @@
       break;
     case REQUIRE_ALL_URLS:
       if (extension->permissions_data()->HasEffectiveAccessToAllHosts())
         access = PermissionsData::ACCESS_ALLOWED;
       // else ACCESS_DENIED
       break;
   }
 
   return access;
 }