| author | atwilson@chromium.org <atwilson@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2011-02-04 22:49:54 +0000 |
|---|---|---|
| committer | atwilson@chromium.org <atwilson@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2011-02-04 22:49:54 +0000 |
| commit | 339325ef9dd5418a98dc1bb447b528f8d955d1d0 (patch) | |
| tree | 366798a42e1a00eecc09b19ccbbd50dde8734621 | |
| parent | d5e6ad1c2ab73a87c8746ebe438dc2e83e3441b7 (diff) | |
Merge 73313 - Don't create bg pages if the opener doesn't have a background permission.
Now window.open() returns undefined if the caller is trying to open a background
window but does not have the proper permission.
BUG=47119
TEST=verify that window.open(url, "name", "background") returns undefined
Review URL: http://codereview.chromium.org/6250038
TBR=atwilson@chromium.org
Review URL: http://codereview.chromium.org/6334125
git-svn-id: svn://svn.chromium.org/chrome/branches/648/src@73863 0039d316-1c4b-4281-b951-d872f2087c98
5 files changed, 40 insertions, 14 deletions
diff --git a/chrome/browser/renderer_host/render_message_filter.cc b/chrome/browser/renderer_host/render_message_filter.cc
index e00a6b8..0fafb77 100644
--- a/chrome/browser/renderer_host/render_message_filter.cc
+++ b/chrome/browser/renderer_host/render_message_filter.cc
@@ -447,6 +447,18 @@ void RenderMessageFilter::OnReceiveContextMenuMsg(const IPC::Message& msg) {
 void RenderMessageFilter::OnMsgCreateWindow( const ViewHostMsg_CreateWindow_Params& params, int* route_id, int64* cloned_session_storage_namespace_id) {
+ // If the opener is trying to create a background window but doesn't have
+ // the appropriate permission, fail the attempt.
+ if (params.window_container_type == WINDOW_CONTAINER_TYPE_BACKGROUND) {
+ ChromeURLRequestContext* context =
+ GetRequestContextForURL(params.opener_url);
+ if (!context->extension_info_map()->CheckURLAccessToExtensionPermission(
+ params.opener_url, Extension::kBackgroundPermission)) {
+ *route_id = MSG_ROUTING_NONE;
+ return;
+ }
+ }
+
 *cloned_session_storage_namespace_id = webkit_context_->dom_storage_context()->CloneSessionStorage( params.session_storage_namespace_id);
diff --git a/chrome/browser/tab_contents/render_view_host_delegate_helper.cc b/chrome/browser/tab_contents/render_view_host_delegate_helper.cc
index acb8d13..9f29537 100644
--- a/chrome/browser/tab_contents/render_view_host_delegate_helper.cc
+++ b/chrome/browser/tab_contents/render_view_host_delegate_helper.cc
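Review bot: The new permission check in OnMsgCreateWindow is keyed on `params.opener_url`, which arrives inside the ViewHostMsg_CreateWindow params and so appears to be supplied by the renderer; a renderer that misreports its opener could presumably name an app that does hold the background permission. Consider validating that URL against what the sending process is allowed to claim, or deriving the opener from browser-side state, before calling CheckURLAccessToExtensionPermission. The deny path also writes `*route_id` but leaves `*cloned_session_storage_namespace_id` unassigned, and `context` is dereferenced without a null check; I would assign the out-parameter explicitly before `return;` and test `!context ||` first in the condition. The function body continues past the end of the hunk.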
@@ -46,15 +46,13 @@ RenderViewHostDelegateViewHelper::MaybeCreateBackgroundContents(
 !extensions_service->is_ready()) return NULL;
+ // Only hosted apps have web extents, so this ensures that only hosted apps
+ // can create BackgroundContents. We don't have to check for background
+ // permission as that is checked in RenderMessageFilter when the CreateWindow
+ // message is processed.
 const Extension* extension =
- extensions_service->GetExtensionByURL(opener_url);
+ extensions_service->GetExtensionByWebExtent(opener_url);
 if (!extension)
- extension = extensions_service->GetExtensionByWebExtent(opener_url);
- // Only hosted apps with background permission are allowed to create a
- // BackgroundContents.
- if (!extension ||
- !extension->HasApiPermission(Extension::kBackgroundPermission) ||
- extension->GetType() != Extension::TYPE_HOSTED_APP)
 return NULL;
 // Only allow a single background contents per app.
diff --git a/chrome/test/data/extensions/api_test/app_background_page/common/a.html b/chrome/test/data/extensions/api_test/app_background_page/common/a.html
index 9c04317..40371c6 100644
--- a/chrome/test/data/extensions/api_test/app_background_page/common/a.html
+++ b/chrome/test/data/extensions/api_test/app_background_page/common/a.html
@@ -9,7 +9,12 @@ var backgroundWindow;
 window.onload = function() {
 setupScriptTunnel();
 backgroundWindow = window.open('bg.html', 'bg', 'background');
- setStatus('background page opened');
+ if (backgroundWindow) {
+ setStatus('background page opened');
+ } else {
+ notifyBackgroundPagePermissionDenied();
+ setStatus('background page permission denied');
+ }
 }
 function onBackgroundPageLoaded() {
@@ -21,4 +26,4 @@ function onBackgroundPageLoaded() {
 setStatus('background page loaded');
 notifyBackgroundPageLoaded();
 }
-</script>
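Review bot: With the `HasApiPermission(Extension::kBackgroundPermission)` and `TYPE_HOSTED_APP` tests removed, MaybeCreateBackgroundContents depends entirely on every caller having already passed the check in RenderMessageFilter, which the new comment states but nothing in this function enforces. The filter resolves the permission from `opener_url` through the extension info map while this code resolves the extension through GetExtensionByWebExtent, so the two lookups are not guaranteed by anything visible here to pick the same extension. Keeping the cheap test as defence in depth would cover both: `if (!extension || !extension->HasApiPermission(Extension::kBackgroundPermission)) return NULL;`. The function starts and ends outside the hunk.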
\ No newline at end of file
+</script>
diff --git a/chrome/test/data/extensions/api_test/app_background_page/common/common.js b/chrome/test/data/extensions/api_test/app_background_page/common/common.js
index 896305a9..b3d3458 100644
--- a/chrome/test/data/extensions/api_test/app_background_page/common/common.js
+++ b/chrome/test/data/extensions/api_test/app_background_page/common/common.js
@@ -40,6 +40,11 @@ function notifyBackgroundPageLoaded() {
 pageToScriptTunnel.dispatchEvent(scriptMessageEvent);
 }
+function notifyBackgroundPagePermissionDenied() {
+ pageToScriptTunnel.innerText = JSON.stringify(messageData(arguments));
+ pageToScriptTunnel.dispatchEvent(scriptMessageEvent);
+}
+
 function notifyCounterError() {
 pageToScriptTunnel.innerText = JSON.stringify(messageData(arguments));
 pageToScriptTunnel.dispatchEvent(scriptMessageEvent);
diff --git a/chrome/test/data/extensions/api_test/app_background_page/lacks_permission/test.html b/chrome/test/data/extensions/api_test/app_background_page/lacks_permission/test.html
index 7b1d66d..a344844 100644
--- a/chrome/test/data/extensions/api_test/app_background_page/lacks_permission/test.html
+++ b/chrome/test/data/extensions/api_test/app_background_page/lacks_permission/test.html
@@ -5,13 +5,19 @@ var pagePrefix = 'http://a.com:PORT/files/extensions/api_test/app_background_page/common';
-// The open(..., 'background') was ignored and a popup window resulted.
-chrome.tabs.onUpdated.addListener(function(tabId, changeInfo, tab) {
- if (tab.url.match("bg\.html$")) {
- chrome.test.notifyPass();
- }
+// Dispatch "tunneled" functions from the live web pages to this testing page.
+chrome.extension.onRequest.addListener(function(request) {
+ window[request.name](request.args);
 });
+function onBackgroundPageLoaded() {
+ chrome.test.notifyFail("BackgroundContents loaded without permission");
+}
+
+function onBackgroundPagePermissionDenied() {
+ chrome.test.notifyPass();
+}
+
 // Start the test by opening the first page in the app.
 window.onload = function() {
 // We wait for window.onload before getting the test config. If the |
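Review bot: The new onRequest listener calls `window[request.name](request.args)`, so whatever global name a tunneled message carries is invoked, and a name that is not a function throws inside the listener instead of failing the test cleanly. The messages are relayed from the web pages under test, so I would dispatch through a table holding only the two handlers defined in this hunk and report anything else with `chrome.test.notifyFail`. The test also has no failure path if neither message ever arrives; presumably the harness timeout covers that, but a comment saying so would help. The `window.onload` block continues past the end of the hunk.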
