Enable <webview>.executeScript outside of Apps and Extensions [1]

extensions/renderer/programmatic_script_injector.cc

 // Copyright 2014 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "extensions/renderer/programmatic_script_injector.h"
 
 #include <vector>
 
 #include "base/values.h"
 #include "content/public/renderer/render_view.h"
@@ skipping 65 matching lines @@
     if (frame->parent()) {
       // This is a subframe inside <webview>, so allow it.
       return PermissionsData::ACCESS_ALLOWED;
     }
 
     return effective_document_url == params_->webview_src
                ? PermissionsData::ACCESS_ALLOWED
                : PermissionsData::ACCESS_DENIED;
   }
 
+  if (injection_host->id().type() != HostID::EXTENSIONS)
+    return PermissionsData::ACCESS_DENIED;

[Fady Samuel, 2015/02/19 19:52:54]

I'm confused by this, doesn't this disable executeScript for WebUI?

[Xi Han, 2015/02/19 19:56:04]

Yes, this disable executeScript for WebUI, but not <webview>.executeCode on
WebUI, which has been handled in line 75. Right?

+
   return injection_host->CanExecuteOnFrame(
       effective_document_url, top_url, tab_id, true /* is_declarative */);
 }
 
 std::vector<blink::WebScriptSource> ProgrammaticScriptInjector::GetJsSources(
     UserScript::RunLocation run_location) const {
   DCHECK_EQ(GetRunLocation(), run_location);
   DCHECK(params_->is_javascript);
 
   return std::vector<blink::WebScriptSource>(
@@ skipping 42 matching lines @@
 
   render_view_->Send(new ExtensionHostMsg_ExecuteCodeFinished(
       render_view_->GetRoutingID(),
       params_->request_id,
       error,
       url_,
       *results_));
 }
 
 }  // namespace extensions