Refactor guest view availability to be API not permission based.

extensions/browser/process_map.h

 // Copyright 2013 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #ifndef EXTENSIONS_BROWSER_PROCESS_MAP_H_
 #define EXTENSIONS_BROWSER_PROCESS_MAP_H_
 
 #include <set>
 #include <string>
 
@@ skipping 77 matching lines @@
 
   bool Remove(const std::string& extension_id, int process_id,
               int site_instance_id);
   int RemoveAllFromProcess(int process_id);
 
   bool Contains(const std::string& extension_id, int process_id) const;
   bool Contains(int process_id) const;
 
   std::set<std::string> GetExtensionsInProcess(int process_id) const;
 
-  // Guesses the most permissive context type for the process with ID
-  // |process_id|. Context types are renderer (JavaScript) concepts but the
-  // browser can do a decent job in guessing what the process hosts.
+  // Gets the most likely context type for the process with ID |process_id|
+  // which hosts Extension |extension|, if any (may be NULL). Context types are
+  // renderer (JavaScript) concepts but the browser can do a decent job in
+  // guessing what the process hosts.
   //
+  // |extension| is the funky part - unfortunately we need to trust the
+  // caller of this method to be correct that indeed the context does feature
+  // an extension. This matters for iframes, where an extension could be
+  // hosted in another extension's process (privilege level needs to be
+  // downgraded) or in a web page's process (privilege level needs to be
+  // upgraded).
+  //
+  // The latter of these is slightly problematic from a security perspective;
+  // if a web page renderer gets owned it could try to pretend it's an
+  // extension and get access to some unprivileged APIs. Luckly, when OOP
+  // iframes lauch, it won't be an issue.
+  //
+  // Anyhow, the expected behaviour is:
   //   - For hosted app processes, this will be blessed_web_page.
   //   - For other extension processes, this will be blessed_extension.
   //   - For WebUI processes, this will be a webui.
-  //   - For anything else we have the choice of unblessed_extension or
+  //   - For any other extension we have the choice of unblessed_extension or
   //     content_script. Since content scripts are more common, guess that.
   //     We *could* in theory track which web processes have extension frames
   //     in them, and those would be unblessed_extension, but we don't at the
   //     moment, and once OOP iframes exist then there won't even be such a
   //     thing as an unblessed_extension context.
-  //
-  // |extension| isn't used to upgrade the process trust level, but rather used
-  // as a tiebreaker if a process is found to contain multiple extensions.
-  Feature::Context GuessContextType(const Extension* extension,
-                                    int process_id) const;
+  //   - For anything else, web_page.
+  Feature::Context GetMostLikelyContextType(const Extension* extension,
+                                            int process_id) const;
 
  private:
   struct Item;
 
   typedef std::set<Item> ItemSet;
   ItemSet items_;
 
   DISALLOW_COPY_AND_ASSIGN(ProcessMap);
 };
 
 }  // namespace extensions
 
 #endif  // EXTENSIONS_BROWSER_PROCESS_MAP_H_