Enforce content verification for shared extensions on Chrome OS

BUG=235263
TEST=manual

Review URL: https://codereview.chromium.org/313513003

git-svn-id: svn://svn.chromium.org/chrome/trunk/src@279070 0039d316-1c4b-4281-b951-d872f2087c98

13 files changed, 166 insertions, 138 deletions

diff --git a/chrome/browser/about_flags.cc b/chrome/browser/about_flags.cc
index 7d28fd4..e4ec592 100644
--- a/chrome/browser/about_flags.cc
+++ b/chrome/browser/about_flags.cc
@@ -398,14 +398,14 @@ const Experiment::Choice kEnableSyncAppListChoices[] = {
 const Experiment::Choice kExtensionContentVerificationChoices[] = {
   { IDS_GENERIC_EXPERIMENT_CHOICE_DEFAULT, "", "" },
   { IDS_FLAGS_EXTENSION_CONTENT_VERIFICATION_BOOTSTRAP,
-    extensions::switches::kExtensionContentVerification,
-    extensions::switches::kExtensionContentVerificationBootstrap },
+    switches::kExtensionContentVerification,
+    switches::kExtensionContentVerificationBootstrap },
   { IDS_FLAGS_EXTENSION_CONTENT_VERIFICATION_ENFORCE,
-    extensions::switches::kExtensionContentVerification,
-    extensions::switches::kExtensionContentVerificationEnforce },
+    switches::kExtensionContentVerification,
+    switches::kExtensionContentVerificationEnforce },
   { IDS_FLAGS_EXTENSION_CONTENT_VERIFICATION_ENFORCE_STRICT,
-    extensions::switches::kExtensionContentVerification,
-    extensions::switches::kExtensionContentVerificationEnforceStrict },
+    switches::kExtensionContentVerification,
+    switches::kExtensionContentVerificationEnforceStrict },
 };
 
 #if defined(OS_ANDROID)
diff --git a/chrome/browser/extensions/content_verifier_browsertest.cc b/chrome/browser/extensions/content_verifier_browsertest.cc
index f657c34..489b95e 100644
--- a/chrome/browser/extensions/content_verifier_browsertest.cc
+++ b/chrome/browser/extensions/content_verifier_browsertest.cc
@@ -4,12 +4,12 @@
 
 #include "base/scoped_observer.h"
 #include "chrome/browser/extensions/extension_browsertest.h"
+#include "chrome/common/chrome_switches.h"
 #include "content/public/test/test_utils.h"
 #include "extensions/browser/content_verify_job.h"
 #include "extensions/browser/extension_prefs.h"
 #include "extensions/browser/extension_registry.h"
 #include "extensions/browser/extension_registry_observer.h"
-#include "extensions/common/switches.h"
 
 namespace extensions {
 
diff --git a/chrome/browser/extensions/extension_assets_manager_chromeos.cc b/chrome/browser/extensions/extension_assets_manager_chromeos.cc
index d76d86a..e237aba 100644
--- a/chrome/browser/extensions/extension_assets_manager_chromeos.cc
+++ b/chrome/browser/extensions/extension_assets_manager_chromeos.cc
@@ -19,6 +19,8 @@
 #include "chrome/browser/chromeos/login/users/user_manager.h"
 #include "chrome/browser/extensions/extension_service.h"
 #include "chrome/browser/profiles/profile.h"
+#include "chrome/common/extensions/extension_constants.h"
+#include "chrome/common/extensions/manifest_url_handler.h"
 #include "chromeos/chromeos_switches.h"
 #include "content/public/browser/browser_thread.h"
 #include "extensions/browser/extension_prefs.h"
@@ -142,7 +144,7 @@ void ExtensionAssetsManagerChromeOS::InstallExtension(
     const base::FilePath& local_install_dir,
     Profile* profile,
     InstallExtensionCallback callback) {
-  if (!CanShareAssets(extension)) {
+  if (!CanShareAssets(extension, unpacked_extension_root)) {
     InstallLocalExtension(extension->id(),
                           extension->VersionString(),
                           unpacked_extension_root,
@@ -190,6 +192,12 @@ base::FilePath ExtensionAssetsManagerChromeOS::GetSharedInstallDir() {
 }
 
 // static
+bool ExtensionAssetsManagerChromeOS::IsSharedInstall(
+    const Extension* extension) {
+  return GetSharedInstallDir().IsParent(extension->path());
+}
+
+// static
 bool ExtensionAssetsManagerChromeOS::CleanUpSharedExtensions(
     std::multimap<std::string, base::FilePath>* live_extension_paths) {
   DCHECK_CURRENTLY_ON(BrowserThread::UI);
@@ -242,12 +250,19 @@ base::SequencedTaskRunner* ExtensionAssetsManagerChromeOS::GetFileTaskRunner(
 
 // static
 bool ExtensionAssetsManagerChromeOS::CanShareAssets(
-    const Extension* extension) {
+    const Extension* extension,
+    const base::FilePath& unpacked_extension_root) {
   if (!CommandLine::ForCurrentProcess()->HasSwitch(
           chromeos::switches::kEnableExtensionAssetsSharing)) {
     return false;
   }
 
+  GURL update_url = ManifestURL::GetUpdateURL(extension);
+  if (!update_url.is_empty() &&
+      !extension_urls::IsWebstoreUpdateUrl(update_url)) {
+    return false;
+  }
+
   // Chrome caches crx files for installed by default apps so sharing assets is
   // also possible. User specific apps should be excluded to not expose apps
   // unique for the user outside of user's cryptohome.
diff --git a/chrome/browser/extensions/extension_assets_manager_chromeos.h b/chrome/browser/extensions/extension_assets_manager_chromeos.h
index 99ac2a6..298c991 100644
--- a/chrome/browser/extensions/extension_assets_manager_chromeos.h
+++ b/chrome/browser/extensions/extension_assets_manager_chromeos.h
@@ -52,6 +52,9 @@ class ExtensionAssetsManagerChromeOS : public ExtensionAssetsManager {
   // Return shared install dir.
   static base::FilePath GetSharedInstallDir();
 
+  // Return true if |extension| was installed to shared location.
+  static bool IsSharedInstall(const Extension* extension);
+
   // Cleans up shared extensions list in preferences and returns list of
   // extension IDs and version paths that are in use in |live_extension_paths|.
   // Files on disk are not removed. Must be called on UI thread.
@@ -73,7 +76,8 @@ class ExtensionAssetsManagerChromeOS : public ExtensionAssetsManager {
 
   // Return |true| if |extension| can be installed in a shared place for all
   // users on the device.
-  static bool CanShareAssets(const Extension* extension);
+  static bool CanShareAssets(const Extension* extension,
+                             const base::FilePath& unpacked_extension_root);
 
   // Called on the UI thread to check if a given version of the |extension|
   // already exists at the shared location.
diff --git a/chrome/browser/extensions/extension_system_impl.cc b/chrome/browser/extensions/extension_system_impl.cc
index a9d5dbb..54f9caa 100644
--- a/chrome/browser/extensions/extension_system_impl.cc
+++ b/chrome/browser/extensions/extension_system_impl.cc
@@ -9,6 +9,7 @@
 #include "base/command_line.h"
 #include "base/files/file_path.h"
 #include "base/memory/weak_ptr.h"
+#include "base/metrics/field_trial.h"
 #include "base/strings/string_tokenizer.h"
 #include "chrome/browser/browser_process.h"
 #include "chrome/browser/content_settings/cookie_settings.h"
@@ -71,12 +72,20 @@
 #include "chrome/browser/chromeos/login/users/user.h"
 #include "chrome/browser/chromeos/login/users/user_manager.h"
 #include "chrome/browser/chromeos/policy/device_local_account.h"
+#include "chrome/browser/extensions/extension_assets_manager_chromeos.h"
 #include "chromeos/chromeos_switches.h"
 #include "chromeos/login/login_state.h"
 #endif
 
 using content::BrowserThread;
 
+namespace {
+
+const char kContentVerificationExperimentName[] =
+    "ExtensionContentVerification";
+
+}  // namespace
+
 namespace extensions {
 
 //
@@ -151,15 +160,20 @@ namespace {
 class ContentVerifierDelegateImpl : public ContentVerifierDelegate {
  public:
   explicit ContentVerifierDelegateImpl(ExtensionService* service)
-      : service_(service->AsWeakPtr()) {}
+      : service_(service->AsWeakPtr()), default_mode_(GetDefaultMode()) {}
 
   virtual ~ContentVerifierDelegateImpl() {}
 
-  virtual bool ShouldBeVerified(const Extension& extension) OVERRIDE {
+  virtual Mode ShouldBeVerified(const Extension& extension) OVERRIDE {
+#if defined(OS_CHROMEOS)
+    if (ExtensionAssetsManagerChromeOS::IsSharedInstall(&extension))
+      return ContentVerifierDelegate::ENFORCE_STRICT;
+#endif
+
     if (!extension.is_extension() && !extension.is_legacy_packaged_app())
-      return false;
+      return ContentVerifierDelegate::NONE;
     if (!Manifest::IsAutoUpdateableLocation(extension.location()))
-      return false;
+      return ContentVerifierDelegate::NONE;
 
     if (!ManifestURL::UpdatesFromGallery(&extension)) {
       // It's possible that the webstore update url was overridden for testing
@@ -167,10 +181,10 @@ class ContentVerifierDelegateImpl : public ContentVerifierDelegate {
       // to be from the store as well.
       GURL default_webstore_url = extension_urls::GetDefaultWebstoreUpdateUrl();
       if (ManifestURL::GetUpdateURL(&extension) != default_webstore_url)
-        return false;
+        return ContentVerifierDelegate::NONE;
     }
 
-    return true;
+    return default_mode_;
   }
 
   virtual const ContentVerifierKey& PublicKey() OVERRIDE {
@@ -209,8 +223,58 @@ class ContentVerifierDelegateImpl : public ContentVerifierDelegate {
       service_->DisableExtension(extension_id, Extension::DISABLE_CORRUPTED);
   }
 
+  static Mode GetDefaultMode() {
+    base::CommandLine* command_line = base::CommandLine::ForCurrentProcess();
+
+    Mode experiment_value = NONE;
+    const std::string group = base::FieldTrialList::FindFullName(
+        kContentVerificationExperimentName);
+    if (group == "EnforceStrict")
+      experiment_value = ContentVerifierDelegate::ENFORCE_STRICT;
+    else if (group == "Enforce")
+      experiment_value = ContentVerifierDelegate::ENFORCE;
+    else if (group == "Bootstrap")
+      experiment_value = ContentVerifierDelegate::BOOTSTRAP;
+
+    // The field trial value that normally comes from the server can be
+    // overridden on the command line, which we don't want to allow since
+    // malware can set chrome command line flags. There isn't currently a way
+    // to find out what the server-provided value is in this case, so we
+    // conservatively default to the strictest mode if we detect our experiment
+    // name being overridden.
+    if (command_line->HasSwitch(switches::kForceFieldTrials)) {
+      std::string forced_trials =
+          command_line->GetSwitchValueASCII(switches::kForceFieldTrials);
+      if (forced_trials.find(kContentVerificationExperimentName) !=
+              std::string::npos)
+        experiment_value = ContentVerifierDelegate::ENFORCE_STRICT;
+    }
+
+    Mode cmdline_value = NONE;
+    if (command_line->HasSwitch(switches::kExtensionContentVerification)) {
+      std::string switch_value = command_line->GetSwitchValueASCII(
+          switches::kExtensionContentVerification);
+      if (switch_value == switches::kExtensionContentVerificationBootstrap)
+        cmdline_value = ContentVerifierDelegate::BOOTSTRAP;
+      else if (switch_value == switches::kExtensionContentVerificationEnforce)
+        cmdline_value = ContentVerifierDelegate::ENFORCE;
+      else if (switch_value ==
+              switches::kExtensionContentVerificationEnforceStrict)
+        cmdline_value = ContentVerifierDelegate::ENFORCE_STRICT;
+      else
+        // If no value was provided (or the wrong one), just default to enforce.
+        cmdline_value = ContentVerifierDelegate::ENFORCE;
+    }
+
+    // We don't want to allow the command-line flags to eg disable enforcement
+    // if the experiment group says it should be on, or malware may just modify
+    // the command line flags. So return the more restrictive of the 2 values.
+    return std::max(experiment_value, cmdline_value);
+  }
+
  private:
   base::WeakPtr<ExtensionService> service_;
+  ContentVerifierDelegate::Mode default_mode_;
   DISALLOW_COPY_AND_ASSIGN(ContentVerifierDelegateImpl);
 };
 
@@ -252,7 +316,13 @@ void ExtensionSystemImpl::Shared::Init(bool extensions_enabled) {
     install_verifier_->Init();
     content_verifier_ = new ContentVerifier(
         profile_, new ContentVerifierDelegateImpl(extension_service_.get()));
-    content_verifier_->Start();
+    ContentVerifierDelegate::Mode mode =
+        ContentVerifierDelegateImpl::GetDefaultMode();
+#if defined(OS_CHROMEOS)
+    mode = std::max(mode, ContentVerifierDelegate::BOOTSTRAP);
+#endif
+    if (mode > ContentVerifierDelegate::BOOTSTRAP)
+      content_verifier_->Start();
     info_map()->SetContentVerifier(content_verifier_.get());
 
     management_policy_.reset(new ManagementPolicy);
diff --git a/chrome/common/chrome_switches.cc b/chrome/common/chrome_switches.cc
index 7c1d7c2..516847f 100644
--- a/chrome/common/chrome_switches.cc
+++ b/chrome/common/chrome_switches.cc
@@ -665,6 +665,16 @@ const char kEnableWebSocketOverSpdy[]       = "enable-websocket-over-spdy";
 // numbers.
 const char kExplicitlyAllowedPorts[]        = "explicitly-allowed-ports";
 
+// Values for the kExtensionContentVerification flag.
+// See ContentVerifierDelegate::Mode for more explanation.
+const char kExtensionContentVerificationBootstrap[] = "bootstrap";
+const char kExtensionContentVerificationEnforceStrict[] = "enforce_strict";
+const char kExtensionContentVerificationEnforce[] = "enforce";
+
+// Name of the command line flag to force content verification to be on in one
+// of various modes.
+const char kExtensionContentVerification[] = "extension-content-verification";
+
 // Turns on extension install verification if it would not otherwise have been
 // turned on.
 const char kExtensionsInstallVerification[] = "extensions-install-verification";
diff --git a/chrome/common/chrome_switches.h b/chrome/common/chrome_switches.h
index 59583f5..83410ba 100644
--- a/chrome/common/chrome_switches.h
+++ b/chrome/common/chrome_switches.h
@@ -193,6 +193,10 @@ extern const char kEnableWatchdog[];
 extern const char kEnableWebSocketOverSpdy[];
 extern const char kEnhancedBookmarksExperiment[];
 extern const char kExplicitlyAllowedPorts[];
+extern const char kExtensionContentVerificationBootstrap[];
+extern const char kExtensionContentVerificationEnforceStrict[];
+extern const char kExtensionContentVerificationEnforce[];
+extern const char kExtensionContentVerification[];
 extern const char kExtensionsInstallVerification[];
 extern const char kExtensionsNotWebstore[];
 extern const char kExtensionsUpdateFrequency[];
diff --git a/extensions/browser/content_hash_fetcher.cc b/extensions/browser/content_hash_fetcher.cc
index aeb20b1..53261c1 100644
--- a/extensions/browser/content_hash_fetcher.cc
+++ b/extensions/browser/content_hash_fetcher.cc
@@ -428,8 +428,7 @@ void ContentHashFetcher::Start() {
 }
 
 void ContentHashFetcher::DoFetch(const Extension* extension, bool force) {
-  if (!extension || !delegate_->ShouldBeVerified(*extension))
-    return;
+  DCHECK(extension);
 
   IdAndVersion key(extension->id(), extension->version()->GetString());
   JobMap::iterator found = jobs_.find(key);
diff --git a/extensions/browser/content_verifier.cc b/extensions/browser/content_verifier.cc
index 92721bb..97e2de2 100644
--- a/extensions/browser/content_verifier.cc
+++ b/extensions/browser/content_verifier.cc
@@ -6,31 +6,21 @@
 
 #include <algorithm>
 
-#include "base/command_line.h"
 #include "base/files/file_path.h"
-#include "base/metrics/field_trial.h"
+#include "base/stl_util.h"
 #include "content/public/browser/browser_thread.h"
-#include "content/public/common/content_switches.h"
 #include "extensions/browser/content_hash_fetcher.h"
 #include "extensions/browser/content_hash_reader.h"
 #include "extensions/browser/content_verifier_delegate.h"
 #include "extensions/browser/extension_registry.h"
 #include "extensions/common/constants.h"
 #include "extensions/common/extension_l10n_util.h"
-#include "extensions/common/switches.h"
-
-namespace {
-
-const char kExperimentName[] = "ExtensionContentVerification";
-
-}  // namespace
 
 namespace extensions {
 
 ContentVerifier::ContentVerifier(content::BrowserContext* context,
                                  ContentVerifierDelegate* delegate)
-    : mode_(GetMode()),
-      context_(context),
+    : context_(context),
       delegate_(delegate),
       fetcher_(new ContentHashFetcher(
           context,
@@ -42,8 +32,7 @@ ContentVerifier::~ContentVerifier() {
 }
 
 void ContentVerifier::Start() {
-  if (mode_ >= BOOTSTRAP)
-    fetcher_->Start();
+  fetcher_->Start();
 }
 
 void ContentVerifier::Shutdown() {
@@ -55,9 +44,6 @@ ContentVerifyJob* ContentVerifier::CreateJobFor(
     const std::string& extension_id,
     const base::FilePath& extension_root,
     const base::FilePath& relative_path) {
-  if (mode_ < BOOTSTRAP || !delegate_)
-    return NULL;
-
   ExtensionRegistry* registry = ExtensionRegistry::Get(context_);
   const Extension* extension =
       registry->GetExtensionById(extension_id, ExtensionRegistry::EVERYTHING);
@@ -90,17 +76,21 @@ void ContentVerifier::VerifyFailed(const std::string& extension_id,
 
   VLOG(1) << "VerifyFailed " << extension_id << " reason:" << reason;
 
-  if (!delegate_ || !fetcher_.get() || mode_ < ENFORCE)
+  ExtensionRegistry* registry = ExtensionRegistry::Get(context_);
+  const Extension* extension =
+      registry->GetExtensionById(extension_id, ExtensionRegistry::EVERYTHING);
+
+  if (!delegate_ || !extension)
+    return;
+
+  ContentVerifierDelegate::Mode mode = delegate_->ShouldBeVerified(*extension);
+  if (mode < ContentVerifierDelegate::ENFORCE)
     return;
 
   if (reason == ContentVerifyJob::MISSING_ALL_HASHES) {
     // If we failed because there were no hashes yet for this extension, just
     // request some.
-    ExtensionRegistry* registry = ExtensionRegistry::Get(context_);
-    const Extension* extension =
-        registry->GetExtensionById(extension_id, ExtensionRegistry::EVERYTHING);
-    if (extension)
-      fetcher_->DoFetch(extension, true /* force */);
+    fetcher_->DoFetch(extension, true /* force */);
   } else {
     delegate_->VerifyFailed(extension_id);
   }
@@ -113,16 +103,17 @@ void ContentVerifier::OnFetchComplete(
     const std::set<base::FilePath>& hash_mismatch_paths) {
   VLOG(1) << "OnFetchComplete " << extension_id << " success:" << success;
 
-  if (!delegate_ || mode_ < ENFORCE)
+  ExtensionRegistry* registry = ExtensionRegistry::Get(context_);
+  const Extension* extension =
+      registry->GetExtensionById(extension_id, ExtensionRegistry::EVERYTHING);
+  if (!delegate_ || !extension)
     return;
 
-  if (!success && mode_ < ENFORCE_STRICT)
+  ContentVerifierDelegate::Mode mode = delegate_->ShouldBeVerified(*extension);
+  if (mode < ContentVerifierDelegate::ENFORCE)
     return;
 
-  ExtensionRegistry* registry = ExtensionRegistry::Get(context_);
-  const Extension* extension =
-      registry->GetExtensionById(extension_id, ExtensionRegistry::EVERYTHING);
-  if (!extension)
+  if (!success && mode < ContentVerifierDelegate::ENFORCE_STRICT)
     return;
 
   if ((was_force_check && !success) ||
@@ -133,8 +124,11 @@ void ContentVerifier::OnFetchComplete(
 bool ContentVerifier::ShouldVerifyAnyPaths(
     const Extension* extension,
     const std::set<base::FilePath>& relative_paths) {
-  if (!extension || !extension->version() ||
-      !delegate_->ShouldBeVerified(*extension))
+  if (!extension || !extension->version())
+    return false;
+
+  ContentVerifierDelegate::Mode mode = delegate_->ShouldBeVerified(*extension);
+  if (mode < ContentVerifierDelegate::ENFORCE)
     return false;
 
   // Images used in the browser get transcoded during install, so skip
@@ -180,52 +174,4 @@ bool ContentVerifier::ShouldVerifyAnyPaths(
   return false;
 }
 
-// static
-ContentVerifier::Mode ContentVerifier::GetMode() {
-  base::CommandLine* command_line = base::CommandLine::ForCurrentProcess();
-
-  Mode experiment_value = NONE;
-  const std::string group = base::FieldTrialList::FindFullName(kExperimentName);
-  if (group == "EnforceStrict")
-    experiment_value = ENFORCE_STRICT;
-  else if (group == "Enforce")
-    experiment_value = ENFORCE;
-  else if (group == "Bootstrap")
-    experiment_value = BOOTSTRAP;
-
-  // The field trial value that normally comes from the server can be
-  // overridden on the command line, which we don't want to allow since malware
-  // can set chrome command line flags. There isn't currently a way to find out
-  // what the server-provided value is in this case, so we conservatively
-  // default to the strictest mode if we detect our experiment name being
-  // overridden.
-  if (command_line->HasSwitch(::switches::kForceFieldTrials)) {
-    std::string forced_trials =
-        command_line->GetSwitchValueASCII(::switches::kForceFieldTrials);
-    if (forced_trials.find(kExperimentName) != std::string::npos)
-      experiment_value = ENFORCE_STRICT;
-  }
-
-  Mode cmdline_value = NONE;
-  if (command_line->HasSwitch(switches::kExtensionContentVerification)) {
-    std::string switch_value = command_line->GetSwitchValueASCII(
-        switches::kExtensionContentVerification);
-    if (switch_value == switches::kExtensionContentVerificationBootstrap)
-      cmdline_value = BOOTSTRAP;
-    else if (switch_value == switches::kExtensionContentVerificationEnforce)
-      cmdline_value = ENFORCE;
-    else if (switch_value ==
-             switches::kExtensionContentVerificationEnforceStrict)
-      cmdline_value = ENFORCE_STRICT;
-    else
-      // If no value was provided (or the wrong one), just default to enforce.
-      cmdline_value = ENFORCE;
-  }
-
-  // We don't want to allow the command-line flags to eg disable enforcement if
-  // the experiment group says it should be on, or malware may just modify the
-  // command line flags. So return the more restrictive of the 2 values.
-  return std::max(experiment_value, cmdline_value);
-}
-
 }  // namespace extensions
diff --git a/extensions/browser/content_verifier.h b/extensions/browser/content_verifier.h
index 924fb9d..69b6f04 100644
--- a/extensions/browser/content_verifier.h
+++ b/extensions/browser/content_verifier.h
@@ -67,31 +67,6 @@ class ContentVerifier : public base::RefCountedThreadSafe<ContentVerifier> {
   bool ShouldVerifyAnyPaths(const Extension* extension,
                             const std::set<base::FilePath>& relative_paths);
 
-  // Note that it is important for these to appear in increasing "severity"
-  // order, because we use this to let command line flags increase, but not
-  // decrease, the mode you're running in compared to the experiment group.
-  enum Mode {
-    // Do not try to fetch content hashes if they are missing, and do not
-    // enforce them if they are present.
-    NONE = 0,
-
-    // If content hashes are missing, try to fetch them, but do not enforce.
-    BOOTSTRAP,
-
-    // If hashes are present, enforce them. If they are missing, try to fetch
-    // them.
-    ENFORCE,
-
-    // Treat the absence of hashes the same as a verification failure.
-    ENFORCE_STRICT
-  };
-
-  static Mode GetMode();
-
-  // The mode we're running in - set once at creation.
-  const Mode mode_;
-
-  // The associated BrowserContext.
   content::BrowserContext* context_;
 
   scoped_ptr<ContentVerifierDelegate> delegate_;
diff --git a/extensions/browser/content_verifier_delegate.h b/extensions/browser/content_verifier_delegate.h
index eb2b4d8..5f5e57c 100644
--- a/extensions/browser/content_verifier_delegate.h
+++ b/extensions/browser/content_verifier_delegate.h
@@ -34,11 +34,30 @@ struct ContentVerifierKey {
 // This is an interface for clients that want to use a ContentVerifier.
 class ContentVerifierDelegate {
  public:
+  // Note that it is important for these to appear in increasing "severity"
+  // order, because we use this to let command line flags increase, but not
+  // decrease, the mode you're running in compared to the experiment group.
+  enum Mode {
+    // Do not try to fetch content hashes if they are missing, and do not
+    // enforce them if they are present.
+    NONE = 0,
+
+    // If content hashes are missing, try to fetch them, but do not enforce.
+    BOOTSTRAP,
+
+    // If hashes are present, enforce them. If they are missing, try to fetch
+    // them.
+    ENFORCE,
+
+    // Treat the absence of hashes the same as a verification failure.
+    ENFORCE_STRICT
+  };
+
   virtual ~ContentVerifierDelegate() {}
 
   // This should return true if the given extension should have its content
   // verified.
-  virtual bool ShouldBeVerified(const Extension& extension) = 0;
+  virtual Mode ShouldBeVerified(const Extension& extension) = 0;
 
   // Should return the public key to use for validating signatures via the two
   // out parameters. NOTE: the pointer returned *must* remain valid for the
diff --git a/extensions/common/switches.cc b/extensions/common/switches.cc
index c416ac9..d6ab3a1 100644
--- a/extensions/common/switches.cc
+++ b/extensions/common/switches.cc
@@ -35,16 +35,6 @@ const char kEventPageIdleTime[] = "event-page-idle-time";
 // notified of its impending unload and that unload happening.
 const char kEventPageSuspendingTime[] = "event-page-unloading-time";
 
-// Values for the kExtensionContentVerification flag. See ContentVerifier::Mode
-// for more explanation.
-const char kExtensionContentVerificationBootstrap[] = "bootstrap";
-const char kExtensionContentVerificationEnforceStrict[] = "enforce_strict";
-const char kExtensionContentVerificationEnforce[] = "enforce";
-
-// Name of the command line flag to force content verification to be on in one
-// of various modes.
-const char kExtensionContentVerification[] = "extension-content-verification";
-
 // Marks a renderer as extension process.
 const char kExtensionProcess[] = "extension-process";
 
diff --git a/extensions/common/switches.h b/extensions/common/switches.h
index 2faaad4..e81d5dc0 100644
--- a/extensions/common/switches.h
+++ b/extensions/common/switches.h
@@ -18,10 +18,6 @@ extern const char kEnableOverrideBookmarksUI[];
 extern const char kErrorConsole[];
 extern const char kEventPageIdleTime[];
 extern const char kEventPageSuspendingTime[];
-extern const char kExtensionContentVerificationBootstrap[];
-extern const char kExtensionContentVerificationEnforceStrict[];
-extern const char kExtensionContentVerificationEnforce[];
-extern const char kExtensionContentVerification[];
 extern const char kExtensionProcess[];
 extern const char kExtensionsOnChromeURLs[];
 extern const char kForceDevModeHighlighting[];