Chromium Code Reviews Chromium Code Reviews
Issue 913393003:
Restrict extensionview to chrome-extension:// (Closed)
Base URL: https://chromium.googlesource.com/chromium/src.git@master| OLD | NEW |
|---|---|
| 1 // Copyright 2015 The Chromium Authors. All rights reserved. | 1 // Copyright 2015 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "extensions/browser/guest_view/extension_view/extension_view_guest.h" | 5 #include "extensions/browser/guest_view/extension_view/extension_view_guest.h" |
| 6 | 6 |
| 7 #include "base/metrics/user_metrics.h" | 7 #include "base/metrics/user_metrics.h" |
| 8 #include "components/crx_file/id_util.h" | |
| 9 #include "content/public/browser/child_process_security_policy.h" | |
| 8 #include "content/public/browser/render_process_host.h" | 10 #include "content/public/browser/render_process_host.h" |
| 9 #include "content/public/common/result_codes.h" | 11 #include "content/public/common/result_codes.h" |
| 10 #include "extensions/browser/api/extensions_api_client.h" | 12 #include "extensions/browser/api/extensions_api_client.h" |
| 11 #include "extensions/browser/guest_view/extension_view/extension_view_constants. h" | 13 #include "extensions/browser/guest_view/extension_view/extension_view_constants. h" |
| 12 #include "extensions/common/constants.h" | 14 #include "extensions/common/constants.h" |
| 13 #include "extensions/common/extension_messages.h" | 15 #include "extensions/common/extension_messages.h" |
| 14 #include "extensions/strings/grit/extensions_strings.h" | 16 #include "extensions/strings/grit/extensions_strings.h" |
| 15 | 17 |
| 16 using content::WebContents; | 18 using content::WebContents; |
| 17 using namespace extensions::core_api; | 19 using namespace extensions::core_api; |
| (...skipping 15 matching lines...) Expand all Loading... | |
| 33 } | 35 } |
| 34 | 36 |
| 35 // static | 37 // static |
| 36 extensions::GuestViewBase* ExtensionViewGuest::Create( | 38 extensions::GuestViewBase* ExtensionViewGuest::Create( |
| 37 content::WebContents* owner_web_contents) { | 39 content::WebContents* owner_web_contents) { |
| 38 return new ExtensionViewGuest(owner_web_contents); | 40 return new ExtensionViewGuest(owner_web_contents); |
| 39 } | 41 } |
| 40 | 42 |
| 41 void ExtensionViewGuest::NavigateGuest(const std::string& src, | 43 void ExtensionViewGuest::NavigateGuest(const std::string& src, |
| 42 bool force_navigation) { | 44 bool force_navigation) { |
| 43 if (src.empty()) | 45 GURL url = extension_url_.Resolve(src); |
| 46 | |
| 47 // Do not allow navigating a guest to schemes other than known safe schemes. | |
| 48 bool scheme_is_blocked = | |
| 49 (!content::ChildProcessSecurityPolicy::GetInstance()->IsWebSafeScheme( | |
| 50 url.scheme()) && | |
| 51 !url.SchemeIs(url::kAboutScheme)) || | |
| 52 url.SchemeIs(url::kJavaScriptScheme); | |
| 53 if (scheme_is_blocked || !url.is_valid()) { | |
|
Fady Samuel
2015/02/17 20:17:04
I think a simpler check might be:
// If the URL i
apacible
2015/02/17 23:02:58
Sounds good. Changed.
| |
| 54 NavigateGuest(url::kAboutBlankURL, true /* force_navigation */); | |
| 44 return; | 55 return; |
| 56 } | |
| 45 | 57 |
| 46 GURL url(src); | 58 if (!force_navigation && (view_page_ == url)) |
| 47 if (!url.is_valid() && !force_navigation && (url == view_page_)) | |
| 48 return; | 59 return; |
| 49 | 60 |
| 50 web_contents()->GetRenderProcessHost()->FilterURL(false, &url); | 61 web_contents()->GetRenderProcessHost()->FilterURL(false, &url); |
| 51 web_contents()->GetController().LoadURL(url, content::Referrer(), | 62 web_contents()->GetController().LoadURL(url, content::Referrer(), |
| 52 ui::PAGE_TRANSITION_AUTO_TOPLEVEL, | 63 ui::PAGE_TRANSITION_AUTO_TOPLEVEL, |
| 53 std::string()); | 64 std::string()); |
| 54 | 65 |
| 55 view_page_ = url; | 66 view_page_ = url; |
| 56 } | 67 } |
| 57 | 68 |
| 58 // GuestViewBase implementation. | 69 // GuestViewBase implementation. |
| 59 bool ExtensionViewGuest::CanRunInDetachedState() const { | 70 bool ExtensionViewGuest::CanRunInDetachedState() const { |
| 60 return true; | 71 return true; |
| 61 } | 72 } |
| 62 | 73 |
| 63 void ExtensionViewGuest::CreateWebContents( | 74 void ExtensionViewGuest::CreateWebContents( |
| 64 const base::DictionaryValue& create_params, | 75 const base::DictionaryValue& create_params, |
| 65 const WebContentsCreatedCallback& callback) { | 76 const WebContentsCreatedCallback& callback) { |
| 66 std::string str; | 77 // Gets the extension ID. |
| 67 if (!create_params.GetString(extensionview::kAttributeSrc, &str)) { | 78 create_params.GetString(extensionview::kAttributeExtension, &extension_id_); |
| 79 | |
| 80 if (!crx_file::id_util::IdIsValid(extension_id_)) { | |
| 68 callback.Run(nullptr); | 81 callback.Run(nullptr); |
| 69 return; | 82 return; |
| 70 } | 83 } |
| 71 | 84 |
| 72 GURL source(str); | 85 // Gets the extension URL. |
| 73 if (!source.is_valid()) { | 86 extension_url_ = |
| 87 extensions::Extension::GetBaseURLFromExtensionId(extension_id_); | |
| 88 | |
| 89 if (!extension_url_.is_valid()) { | |
| 90 callback.Run(nullptr); | |
| 91 return; | |
| 92 } | |
| 93 | |
| 94 // Get the src to build URL to render. | |
| 95 std::string src; | |
| 96 if (!create_params.GetString(extensionview::kAttributeSrc, &src)) { | |
| 74 callback.Run(nullptr); | 97 callback.Run(nullptr); |
| 75 return; | 98 return; |
| 76 } | 99 } |
| 77 | 100 |
| 78 content::SiteInstance* view_site_instance = | 101 content::SiteInstance* view_site_instance = |
| 79 content::SiteInstance::CreateForURL(browser_context(), source); | 102 content::SiteInstance::CreateForURL(browser_context(), |
| 103 extension_url_); | |
| 80 | 104 |
| 81 WebContents::CreateParams params(browser_context(), view_site_instance); | 105 WebContents::CreateParams params(browser_context(), view_site_instance); |
| 82 params.guest_delegate = this; | 106 params.guest_delegate = this; |
| 83 callback.Run(WebContents::Create(params)); | 107 callback.Run(WebContents::Create(params)); |
| 84 } | 108 } |
| 85 | 109 |
| 86 void ExtensionViewGuest::DidInitialize( | 110 void ExtensionViewGuest::DidInitialize( |
| 87 const base::DictionaryValue& create_params) { | 111 const base::DictionaryValue& create_params) { |
| 88 extension_function_dispatcher_.reset( | 112 extension_function_dispatcher_.reset( |
| 89 new extensions::ExtensionFunctionDispatcher(browser_context(), this)); | 113 new extensions::ExtensionFunctionDispatcher(browser_context(), this)); |
| (...skipping 33 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 123 web_contents()->GetRenderViewHost()); | 147 web_contents()->GetRenderViewHost()); |
| 124 } | 148 } |
| 125 | 149 |
| 126 void ExtensionViewGuest::ApplyAttributes(const base::DictionaryValue& params) { | 150 void ExtensionViewGuest::ApplyAttributes(const base::DictionaryValue& params) { |
| 127 std::string src; | 151 std::string src; |
| 128 params.GetString(extensionview::kAttributeSrc, &src); | 152 params.GetString(extensionview::kAttributeSrc, &src); |
| 129 NavigateGuest(src, false /* force_navigation */); | 153 NavigateGuest(src, false /* force_navigation */); |
| 130 } | 154 } |
| 131 | 155 |
| 132 } // namespace extensions | 156 } // namespace extensions |
| OLD | NEW |
