Model <webview> and <appview> script injection after <extensionoptions>

chrome/renderer/extensions/chrome_extensions_dispatcher_delegate.cc

 // Copyright 2014 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "chrome/renderer/extensions/chrome_extensions_dispatcher_delegate.h"
 
 #include "base/command_line.h"
 #include "base/sha1.h"
 #include "base/strings/string_number_conversions.h"
 #include "chrome/common/chrome_switches.h"
@@ skipping 256 matching lines @@
   if (context_type == extensions::Feature::BLESSED_EXTENSION_CONTEXT &&
       is_within_platform_app &&
       extensions::GetCurrentChannel() <= chrome::VersionInfo::CHANNEL_DEV &&
       CommandLine::ForCurrentProcess()->HasSwitch(
           ::switches::kEnableAppWindowControls)) {
     module_system->Require("windowControls");
   }
 
   const extensions::Extension* extension = context->extension();
 
-  // We used to limit WebView to |BLESSED_EXTENSION_CONTEXT| within platform
-  // apps. An ext/app runs in a blessed extension context, if it is the active
-  // extension in the current process, in other words, if it is loaded in a top
-  // frame. To support webview in a non-frame extension, we have to allow
-  // unblessed extension context as well.
   // Note: setting up the WebView class here, not the chrome.webview API.
   // The API will be automatically set up when first used.
-  if (context_type == extensions::Feature::BLESSED_EXTENSION_CONTEXT ||
-      context_type == extensions::Feature::UNBLESSED_EXTENSION_CONTEXT) {
-    // TODO(fsamuel): Use context->GetAvailability("webViewInternal").
-    if (extension->permissions_data()->HasAPIPermission(
-            extensions::APIPermission::kWebView)) {
-      module_system->Require("webView");
-      if (extensions::GetCurrentChannel() <= chrome::VersionInfo::CHANNEL_DEV) {
-        module_system->Require("webViewExperimental");
-      } else {
-        // TODO(asargent) We need a whitelist for webview experimental.
-        // crbug.com/264852
-        std::string id_hash = base::SHA1HashString(extension->id());
-        std::string hexencoded_id_hash =
-            base::HexEncode(id_hash.c_str(), id_hash.length());
-        if (hexencoded_id_hash == "8C3741E3AF0B93B6E8E0DDD499BB0B74839EA578" ||
-            hexencoded_id_hash == "E703483CEF33DEC18B4B6DD84B5C776FB9182BDB" ||
-            hexencoded_id_hash == "1A26E32DE447A17CBE5E9750CDBA78F58539B39C" ||
-            hexencoded_id_hash == "59048028102D7B4C681DBC7BC6CD980C3DC66DA3") {
-          module_system->Require("webViewExperimental");
-        }
-      }
-    } else {
-      module_system->Require("denyWebView");
+  if (context->GetAvailability("webViewInternal").is_available()) {
+    module_system->Require("webView");
+    // TODO(asargent) We need a whitelist for webview experimental.
+    // crbug.com/264852
+    std::string id_hash = base::SHA1HashString(extension->id());
+    std::string hexencoded_id_hash =
+        base::HexEncode(id_hash.c_str(), id_hash.length());
+    if (extensions::GetCurrentChannel() <= chrome::VersionInfo::CHANNEL_DEV ||

[not at google - send to devlin, 2014/08/26 22:23:26]

You could clean this up by adding a vacuous webViewExperimental API here:

https://code.google.com/p/chromium/codesearch#chromium/src/chrome/common/exte...

Mark it internal (maybe call it webViewExperimentalInternal just for
consistency?) - but has the channel and the whitelist. Then you can replace all
of this with just GetAvailability("webViewExperimentalInternal").is_available().

[Fady Samuel, 2014/08/26 23:30:35]

Done.

+        hexencoded_id_hash == "8C3741E3AF0B93B6E8E0DDD499BB0B74839EA578" ||
+        hexencoded_id_hash == "E703483CEF33DEC18B4B6DD84B5C776FB9182BDB" ||
+        hexencoded_id_hash == "1A26E32DE447A17CBE5E9750CDBA78F58539B39C" ||
+        hexencoded_id_hash == "59048028102D7B4C681DBC7BC6CD980C3DC66DA3") {
+      module_system->Require("webViewExperimental");
     }
+  } else {

[not at google - send to devlin, 2014/08/26 22:23:26]

I think you should have else-if BLESSED or UNBLESSED extension context. We don't
want to deny webview in web contents or content scripts.

[Fady Samuel, 2014/08/26 23:30:35]

Done.

+    module_system->Require("denyWebView");
   }
 
-  if (context_type == extensions::Feature::BLESSED_EXTENSION_CONTEXT) {
-    // TODO(fsamuel): Use context->GetAvailability("appViewInternal").
-    if (CommandLine::ForCurrentProcess()->HasSwitch(
-            extensions::switches::kEnableAppView) &&
-        extension->permissions_data()->HasAPIPermission(
-            extensions::APIPermission::kAppView)) {
-      module_system->Require("appView");
-    } else {
-      module_system->Require("denyAppView");
-    }
+  if (extensions::FeatureSwitch::app_view()->IsEnabled() &&
+      context->GetAvailability("appViewEmbedderInternal").is_available()) {
+    module_system->Require("appView");
+  } else {

[not at google - send to devlin, 2014/08/26 22:23:26]

ditto (though just BLESSED in this case).

[Fady Samuel, 2014/08/26 23:30:35]

Done.

+    module_system->Require("denyAppView");
   }
 
   if (extensions::FeatureSwitch::embedded_extension_options()->IsEnabled() &&
       context->GetAvailability("extensionOptionsInternal").is_available()) {
     module_system->Require("extensionOptions");
   }
 }
 
 void ChromeExtensionsDispatcherDelegate::OnActiveExtensionsUpdated(
     const std::set<std::string>& extension_ids) {
@@ skipping 48 matching lines @@
       new extensions::PermissionSet(extensions::APIPermissionSet(),
                                     extensions::ManifestPermissionSet(),
                                     origin_set,
                                     extensions::URLPatternSet()));
 }
 
 void ChromeExtensionsDispatcherDelegate::HandleWebRequestAPIUsage(
     bool webrequest_used) {
   webrequest_used_ = webrequest_used;
 }