Reland: chrome.webRequest support for ExtensionSettings

extensions/browser/api/web_request/web_request_permissions.cc

Index: extensions/browser/api/web_request/web_request_permissions.cc
diff --git a/extensions/browser/api/web_request/web_request_permissions.cc b/extensions/browser/api/web_request/web_request_permissions.cc
index a683ec3a66b7ed3e021bba438a91301488a6c019..ccfe22ba48e4572d463701f67c91c540220beaea 100644
--- a/extensions/browser/api/web_request/web_request_permissions.cc
+++ b/extensions/browser/api/web_request/web_request_permissions.cc
@@ -19,7 +19,6 @@
 #include "extensions/common/permissions/permissions_data.h"
 #include "net/url_request/url_request.h"
 #include "url/gurl.h"
-#include "url/origin.h"
 
 #if defined(OS_CHROMEOS)
 #include "chromeos/login/login_state.h"
@@ -151,7 +150,8 @@ PermissionsData::AccessType WebRequestPermissions::CanExtensionAccessURL(
     const GURL& url,
     int tab_id,
     bool crosses_incognito,
-    HostPermissionsCheck host_permissions_check) {
+    HostPermissionsCheck host_permissions_check,
+    const base::Optional<url::Origin>& initiator) {
   // extension_info_map can be NULL in testing.
   if (!extension_info_map)
     return PermissionsData::ACCESS_ALLOWED;
@@ -161,6 +161,12 @@ PermissionsData::AccessType WebRequestPermissions::CanExtensionAccessURL(
   if (!extension)
     return PermissionsData::ACCESS_DENIED;
 
+  // Prevent viewing / modifying requests initiated by a host protected by
+  // policy.
+  if (initiator && extension->permissions_data()->IsRuntimeBlockedHost(
+                       initiator->GetPhysicalOrigin().GetURL()))
+    return PermissionsData::ACCESS_DENIED;
+
   // When we are in a Public Session, allow all URLs for webRequests initiated
   // by a regular extension (but don't allow chrome:// URLs).
 #if defined(OS_CHROMEOS)