Support "always allow" for runtime script execution

chrome/browser/extensions/permissions_updater.cc

Index: chrome/browser/extensions/permissions_updater.cc
diff --git a/chrome/browser/extensions/permissions_updater.cc b/chrome/browser/extensions/permissions_updater.cc
index 5f2f62981d5889f7db19804d7734561aaaac5b9f..e75a13cd27efa27e2d548d5840aeee95da266bad 100644
--- a/chrome/browser/extensions/permissions_updater.cc
+++ b/chrome/browser/extensions/permissions_updater.cc
@@ -36,15 +36,25 @@ namespace permissions = api::permissions;
 
 namespace {
 
+URLPatternSet FilterSingleOriginPermissions(const URLPatternSet& permissions) {

[Devlin, 2014/08/13 16:55:04]

Comment on the function

[gpdavis, 2014/08/13 22:18:36]

Done.

+  URLPatternSet single_origin_permissions;
+  for (URLPatternSet::const_iterator iter = permissions.begin();
+       iter != permissions.end();
+       ++iter) {
+    if (iter->MatchesSingleOrigin())

[not at google - send to devlin, 2014/08/13 17:17:47]

I just realised (after chatting to mek@) that this isn't quite right.

Say an extension requests *.google.com in its manifest, and we always-run on
http://www.google.com. The active permissions is {*.google.com,
http://www.google.com}.

Then the extension drops *.google.com from its permissions. The
GetBoundedActivePermissions logic correctly removes *.google.com from the active
permission set, and www.google.com. That latter is somewhat by accident (and the
problem that FilterSingleOriginPermissions etc fixes) *however* it introduces a
different bug. www.google.com *should* have been removed.

To fix this, we should only add back these permissions *if* they're granted by
the bounded active permissions. For *that* we need in addition to
MatchesSingleOrigin a method which extracts that origin. Shouldn't be too hard.
So we'd have:

if (iter->MatchesSingleOrigin() &&
    bounded_active->Matches(iter->ToOrigin()) {
  // add back.
}

I'm not liking the name MatchesSingleOrigin anymore. IsOrigin might be better.

[gpdavis, 2014/08/13 22:18:37]

Alright, this makes sense to me.  Can you think of a good way to test this case
in the unittest?  (I figure maybe you can point me in the right direction, but
I'll see what I can come up with as well).

+      single_origin_permissions.AddPattern(*iter);
+  }
+  return single_origin_permissions;
+}
+
 // Returns a PermissionSet that has the active permissions of the extension,
 // bounded to its current manifest.
 scoped_refptr<const PermissionSet> GetBoundedActivePermissions(
-    const Extension* extension, ExtensionPrefs* extension_prefs) {
+    const Extension* extension,
+    const PermissionSet* active_permissions) {
   // If the extension has used the optional permissions API, it will have a
   // custom set of active permissions defined in the extension prefs. Here,
   // we update the extension's active permissions based on the prefs.
-  scoped_refptr<const PermissionSet> active_permissions =
-      extension_prefs->GetActivePermissions(extension->id());

[Devlin, 2014/08/13 16:55:04]

any particular reason for the change?

[gpdavis, 2014/08/13 22:18:36]

Kalman suggested we pass active permissions in instead of prefs because we need
the active permissions in InitializePermissions in the code that was added.

   if (!active_permissions)
     return extension->permissions_data()->active_permissions();
 
@@ -144,9 +154,11 @@ void PermissionsUpdater::GrantActivePermissions(const Extension* extension) {
 }
 
 void PermissionsUpdater::InitializePermissions(const Extension* extension) {
+  scoped_refptr<const PermissionSet> active_permissions =
+      ExtensionPrefs::Get(browser_context_)
+          ->GetActivePermissions(extension->id());
   scoped_refptr<const PermissionSet> bounded_active =
-      GetBoundedActivePermissions(extension,
-                                  ExtensionPrefs::Get(browser_context_));
+      GetBoundedActivePermissions(extension, active_permissions.get());
 
   // We withhold permissions iff the switch to do so is enabled, the extension
   // shows up in chrome:extensions (so the user can grant withheld permissions),
@@ -175,6 +187,18 @@ void PermissionsUpdater::InitializePermissions(const Extension* extension) {
                           &granted_scriptable_hosts,
                           &withheld_scriptable_hosts);
 
+  // After withholding permissions, add back any origins to the active set that
+  // may have been lost during the set operations that would have dropped them.
+  // For example, the union of <all_urls> and <anything> is <all_urls>, so we

[Devlin, 2014/08/13 16:55:04]

anything is bad.  Use example.com or something.

[gpdavis, 2014/08/13 22:18:36]

Done.

+  // may lose the <anything>. However, that <anything> is important once
+  // <all_urls> is stripped during withholding.
+  if (active_permissions) {
+    granted_explicit_hosts.AddPatterns(

[Devlin, 2014/08/13 16:55:04]

You need to check here that the extension still wants these.

[gpdavis, 2014/08/13 22:18:36]

Is this what kalman was suggesting in the above comment on line 44?  Checking
the manifest permissions to see if these active permissions are still relevant?

+        FilterSingleOriginPermissions(active_permissions->explicit_hosts()));
+    granted_scriptable_hosts.AddPatterns(
+        FilterSingleOriginPermissions(active_permissions->scriptable_hosts()));
+  }
+
   bounded_active = new PermissionSet(bounded_active->apis(),
                                      bounded_active->manifest_permissions(),
                                      granted_explicit_hosts,