Merge 280354 "Have the Debugger extension api check that it has ..."

extensions/common/permissions/permissions_data_unittest.cc

Index: extensions/common/permissions/permissions_data_unittest.cc
===================================================================
--- extensions/common/permissions/permissions_data_unittest.cc	(revision 287393)
+++ extensions/common/permissions/permissions_data_unittest.cc	(working copy)
@@ -87,6 +87,71 @@
       GURL::EmptyGURL());
 }
 
+// Checks that urls are properly restricted for the given extension.
+void CheckRestrictedUrls(const Extension* extension,
+                         bool block_chrome_urls) {
+  // We log the name so we know _which_ extension failed here.
+  const std::string& name = extension->name();
+  const GURL chrome_settings_url("chrome://settings/");
+  const GURL chrome_extension_url("chrome-extension://foo/bar.html");
+  const GURL google_url("https://www.google.com/");
+  const GURL self_url("chrome-extension://" + extension->id() + "/foo.html");
+  const GURL invalid_url("chrome-debugger://foo/bar.html");
+
+  std::string error;
+  EXPECT_EQ(block_chrome_urls,
+            PermissionsData::IsRestrictedUrl(
+                chrome_settings_url,
+                chrome_settings_url,
+                extension,
+                &error)) << name;
+  if (block_chrome_urls)
+    EXPECT_EQ(manifest_errors::kCannotAccessChromeUrl, error) << name;
+  else
+    EXPECT_TRUE(error.empty()) << name;
+
+  error.clear();
+  EXPECT_EQ(block_chrome_urls,
+            PermissionsData::IsRestrictedUrl(
+                chrome_extension_url,
+                chrome_extension_url,
+                extension,
+                &error)) << name;
+  if (block_chrome_urls)
+    EXPECT_EQ(manifest_errors::kCannotAccessExtensionUrl, error) << name;
+  else
+    EXPECT_TRUE(error.empty()) << name;
+
+  // Google should never be a restricted url.
+  error.clear();
+  EXPECT_FALSE(PermissionsData::IsRestrictedUrl(
+      google_url, google_url, extension, &error)) << name;
+  EXPECT_TRUE(error.empty()) << name;
+
+  // We should always be able to access our own extension pages.
+  error.clear();
+  EXPECT_FALSE(PermissionsData::IsRestrictedUrl(
+      self_url, self_url, extension, &error)) << name;
+  EXPECT_TRUE(error.empty()) << name;
+
+  // We should only allow other schemes for extensions when it's a whitelisted
+  // extension.
+  error.clear();
+  bool allow_on_other_schemes =
+      PermissionsData::CanExecuteScriptEverywhere(extension);
+  EXPECT_EQ(!allow_on_other_schemes,
+            PermissionsData::IsRestrictedUrl(
+                invalid_url, invalid_url, extension, &error)) << name;
+  if (!allow_on_other_schemes) {
+    EXPECT_EQ(ErrorUtils::FormatErrorMessage(
+                  manifest_errors::kCannotAccessPage,
+                  invalid_url.spec()),
+              error) << name;
+  } else {
+    EXPECT_TRUE(error.empty());
+  }
+}
+
 }  // namespace
 
 TEST(ExtensionPermissionsTest, EffectiveHostPermissions) {
@@ -242,6 +307,28 @@
       extension, 0, GURL("https://www.google.com/")));
 }
 
+TEST(ExtensionPermissionsTest, IsRestrictedUrl) {
+  scoped_refptr<const Extension> extension =
+      GetExtensionWithHostPermission("normal_extension",
+                                     kAllHostsPermission,
+                                     Manifest::INTERNAL);
+  // Chrome urls should be blocked for normal extensions.
+  CheckRestrictedUrls(extension, true);
+
+  scoped_refptr<const Extension> component =
+      GetExtensionWithHostPermission("component",
+                                     kAllHostsPermission,
+                                     Manifest::COMPONENT);
+  // Chrome urls should be accessible by component extensions.
+  CheckRestrictedUrls(component, false);
+
+  base::CommandLine::ForCurrentProcess()->AppendSwitch(
+      switches::kExtensionsOnChromeURLs);
+  // Enabling the switch should allow all extensions to access chrome urls.
+  CheckRestrictedUrls(extension, false);
+
+}
+
 TEST(ExtensionPermissionsTest, GetPermissionMessages_ManyAPIPermissions) {
   scoped_refptr<Extension> extension;
   extension = LoadManifest("permissions", "many-apis.json");
@@ -553,8 +640,8 @@
   EXPECT_TRUE(AllowedScript(extension.get(), https_url, http_url_with_path));
   EXPECT_TRUE(AllowedScript(extension.get(), http_url, within_extension_url));
   EXPECT_TRUE(AllowedScript(extension.get(), https_url, within_extension_url));
-  EXPECT_TRUE(BlockedScript(extension.get(), http_url, extension_url));
-  EXPECT_TRUE(BlockedScript(extension.get(), https_url, extension_url));
+  EXPECT_TRUE(AllowedScript(extension.get(), http_url, extension_url));
+  EXPECT_TRUE(AllowedScript(extension.get(), https_url, extension_url));
 
   const PermissionsData* permissions_data = extension->permissions_data();
   EXPECT_FALSE(permissions_data->HasHostPermission(settings_url));