Change the default implementation of ExtensionFunction::HasPermission to use

extensions/browser/extension_function_dispatcher.cc

 // Copyright 2014 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "extensions/browser/extension_function_dispatcher.h"
 
 #include "base/bind.h"
 #include "base/json/json_string_value_serializer.h"
 #include "base/lazy_instance.h"
 #include "base/logging.h"
 #include "base/memory/ref_counted.h"
 #include "base/metrics/sparse_histogram.h"
 #include "base/process/process.h"
 #include "base/values.h"
 #include "build/build_config.h"
 #include "content/public/browser/browser_thread.h"
-#include "content/public/browser/child_process_security_policy.h"
 #include "content/public/browser/render_frame_host.h"
 #include "content/public/browser/render_process_host.h"
 #include "content/public/browser/render_view_host.h"
 #include "content/public/browser/user_metrics.h"
 #include "content/public/browser/web_contents.h"
 #include "content/public/browser/web_contents_observer.h"
 #include "content/public/common/result_codes.h"
 #include "extensions/browser/api_activity_monitor.h"
 #include "extensions/browser/extension_function_registry.h"
 #include "extensions/browser/extension_message_filter.h"
@@ skipping 394 matching lines @@
     const ExtensionHostMsg_Request_Params& params,
     const ExtensionFunction::ResponseCallback& callback) {
   if (!function->HasPermission()) {
     LOG(ERROR) << "Permission denied for " << params.name;
     SendAccessDenied(callback);
     return false;
   }
   return true;
 }
 
-namespace {
-
-// Only COMPONENT hosted apps may call extension APIs, and they are limited
-// to just the permissions they explicitly request. They should not have access
-// to extension APIs like eg chrome.runtime, chrome.windows, etc. that normally
-// are available without permission.
-// TODO(mpcomplete): move this to ExtensionFunction::HasPermission (or remove
-// it altogether).
-bool AllowHostedAppAPICall(const Extension& extension,
-                           const GURL& source_url,
-                           const std::string& function_name) {
-  if (extension.location() != Manifest::COMPONENT)
-    return false;
-
-  if (!extension.web_extent().MatchesURL(source_url))
-    return false;
-
-  // Note: Not BLESSED_WEB_PAGE_CONTEXT here because these component hosted app
-  // entities have traditionally been treated as blessed extensions, for better
-  // or worse.
-  Feature::Availability availability =
-      ExtensionAPI::GetSharedInstance()->IsAvailable(
-          function_name, &extension, Feature::BLESSED_EXTENSION_CONTEXT,
-          source_url);
-  return availability.is_available();
-}
-
-}  // namespace
-
-
 // static
 ExtensionFunction* ExtensionFunctionDispatcher::CreateExtensionFunction(
     const ExtensionHostMsg_Request_Params& params,
     const Extension* extension,
     int requesting_process_id,
     const ProcessMap& process_map,
     ExtensionAPI* api,
     void* profile_id,
     const ExtensionFunction::ResponseCallback& callback) {
-  const char* disallowed_reason = NULL;
-
-  if (extension) {
-    // Extension is calling this API.
-    if (extension->is_hosted_app() &&
-        !AllowHostedAppAPICall(*extension, params.source_url, params.name)) {
-      // Most hosted apps can't call APIs.
-      disallowed_reason = "Hosted apps cannot call privileged APIs";
-    } else if (!process_map.Contains(extension->id(), requesting_process_id) &&
-               !api->IsAvailableInUntrustedContext(params.name, extension)) {
-      // Privileged APIs can only be called from the process the extension
-      // is running in.
-      disallowed_reason =
-          "Privileged APIs cannot be called from untrusted processes";
-    }
-  } else if (content::ChildProcessSecurityPolicy::GetInstance()
-                 ->HasWebUIBindings(requesting_process_id)) {
-    // WebUI is calling this API.
-    if (!api->IsAvailableToWebUI(params.name, params.source_url)) {
-      disallowed_reason = "WebUI can only call webui-enabled APIs";
-    }
-  } else {
-    // Web page is calling this API. However, the APIs that are available to
-    // web pages (e.g. messaging) don't go through ExtensionFunctionDispatcher,
-    // so this should be impossible.
-    NOTREACHED();
-    disallowed_reason = "Specified extension does not exist.";
-  }
-
-  if (disallowed_reason != NULL) {
-    LOG(ERROR) << "Extension API call disallowed - name:" << params.name
-               << ", pid:" << requesting_process_id
-               << ", from URL: " << params.source_url.spec()
-               << ", reason: " << disallowed_reason;
-    SendAccessDenied(callback);
-    return NULL;
-  }
-
   ExtensionFunction* function =
       ExtensionFunctionRegistry::GetInstance()->NewFunction(params.name);
   if (!function) {
     LOG(ERROR) << "Unknown Extension API - " << params.name;
     SendAccessDenied(callback);
     return NULL;
   }
 
   function->SetArgs(&params.arguments);
   function->set_source_url(params.source_url);
   function->set_request_id(params.request_id);
   function->set_has_callback(params.has_callback);
   function->set_user_gesture(params.user_gesture);
   function->set_extension(extension);
   function->set_profile_id(profile_id);
   function->set_response_callback(callback);
   function->set_source_tab_id(params.source_tab_id);
+  function->set_source_context_type(
+      process_map.GuessContextType(extension, requesting_process_id));
 
   return function;
 }
 
 // static
 void ExtensionFunctionDispatcher::SendAccessDenied(
     const ExtensionFunction::ResponseCallback& callback) {
   base::ListValue empty_list;
   callback.Run(ExtensionFunction::FAILED, empty_list,
                "Access to extension API denied.");
 }
 
 }  // namespace extensions