Index: extensions/browser/api/web_request/web_request_permissions.cc |
diff --git a/extensions/browser/api/web_request/web_request_permissions.cc b/extensions/browser/api/web_request/web_request_permissions.cc |
index a683ec3a66b7ed3e021bba438a91301488a6c019..ccfe22ba48e4572d463701f67c91c540220beaea 100644 |
--- a/extensions/browser/api/web_request/web_request_permissions.cc |
+++ b/extensions/browser/api/web_request/web_request_permissions.cc |
@@ -19,7 +19,6 @@ |
#include "extensions/common/permissions/permissions_data.h" |
#include "net/url_request/url_request.h" |
#include "url/gurl.h" |
-#include "url/origin.h" |
#if defined(OS_CHROMEOS) |
#include "chromeos/login/login_state.h" |
@@ -151,7 +150,8 @@ PermissionsData::AccessType WebRequestPermissions::CanExtensionAccessURL( |
const GURL& url, |
int tab_id, |
bool crosses_incognito, |
- HostPermissionsCheck host_permissions_check) { |
+ HostPermissionsCheck host_permissions_check, |
+ const base::Optional<url::Origin>& initiator) { |
// extension_info_map can be NULL in testing. |
if (!extension_info_map) |
return PermissionsData::ACCESS_ALLOWED; |
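Review bot: The new `initiator` parameter names `url::Origin` in this file, yet the first hunk removes `#include "url/origin.h"`, so the .cc now depends on a transitive include (presumably from web_request_permissions.h). I would keep the direct include, since the check added in the next hunk also calls methods on the origin. The parameter also needs a contract comment at its declaration, for example `// |initiator| is the origin that issued the request; base::nullopt means no initiator is known and the policy-protected-initiator check is skipped.` The body of CanExtensionAccessURL starts before and continues past this hunk.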
@@ -161,6 +161,12 @@ PermissionsData::AccessType WebRequestPermissions::CanExtensionAccessURL( |
if (!extension) |
return PermissionsData::ACCESS_DENIED; |
+ // Prevent viewing / modifying requests initiated by a host protected by |
+ // policy. |
+ if (initiator && extension->permissions_data()->IsRuntimeBlockedHost( |
+ initiator->GetPhysicalOrigin().GetURL())) |
+ return PermissionsData::ACCESS_DENIED; |
+ |
// When we are in a Public Session, allow all URLs for webRequests initiated |
// by a regular extension (but don't allow chrome:// URLs). |
#if defined(OS_CHROMEOS) |
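Review bot: The added check fails open when `initiator` is empty: `if (initiator && ...)` denies only when an origin was supplied, so every caller that passes base::nullopt gets no policy-protected-initiator check at all. If that is intended, the comment should say so, e.g. `// A request with no initiator is not subject to this check.` It is also worth confirming what `GetPhysicalOrigin().GetURL()` returns for an opaque origin (such as a sandboxed frame served by a protected host); if it is an empty GURL, `IsRuntimeBlockedHost` presumably cannot match it and the request is treated as unprotected. A unit test covering the nullopt and opaque-initiator cases would pin the intended behaviour. The function body continues outside the hunk.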