Enable permission warnings from ManifestHandlers.

BUG=293755,247857

Review URL: https://codereview.chromium.org/51433002

git-svn-id: svn://svn.chromium.org/chrome/trunk/src@235332 0039d316-1c4b-4281-b951-d872f2087c98

51 files changed, 2108 insertions, 626 deletions

diff --git a/chrome/browser/extensions/active_tab_permission_granter.cc b/chrome/browser/extensions/active_tab_permission_granter.cc
index d8c0ce6..aebeb39 100644
--- a/chrome/browser/extensions/active_tab_permission_granter.cc
+++ b/chrome/browser/extensions/active_tab_permission_granter.cc
@@ -59,7 +59,8 @@ void ActiveTabPermissionGranter::GrantIfRequested(const Extension* extension) {
   if (!new_apis.empty() || !new_hosts.is_empty()) {
     granted_extensions_.Insert(extension);
     scoped_refptr<const PermissionSet> new_permissions =
-        new PermissionSet(new_apis, new_hosts, URLPatternSet());
+        new PermissionSet(new_apis, ManifestPermissionSet(),
+                          new_hosts, URLPatternSet());
     PermissionsData::UpdateTabSpecificPermissions(extension,
                                                   tab_id_,
                                                   new_permissions);
diff --git a/chrome/browser/extensions/api/permissions/permissions_api_helpers.cc b/chrome/browser/extensions/api/permissions/permissions_api_helpers.cc
index 620c8c5..2b90287 100644
--- a/chrome/browser/extensions/api/permissions/permissions_api_helpers.cc
+++ b/chrome/browser/extensions/api/permissions/permissions_api_helpers.cc
@@ -56,6 +56,9 @@ scoped_ptr<Permissions> PackPermissionSet(const PermissionSet* set) {
     }
   }
 
+  // TODO(rpaquay): We currently don't expose manifest permissions
+  // to apps/extensions via the permissions API.
+
   permissions->origins.reset(new std::vector<std::string>());
   URLPatternSet hosts = set->explicit_hosts();
   for (URLPatternSet::const_iterator i = hosts.begin(); i != hosts.end(); ++i)
@@ -121,6 +124,10 @@ scoped_refptr<PermissionSet> UnpackPermissionSet(
     }
   }
 
+  // TODO(rpaquay): We currently don't expose manifest permissions
+  // to apps/extensions via the permissions API.
+  ManifestPermissionSet manifest_permissions;
+
   URLPatternSet origins;
   if (permissions.origins.get()) {
     for (std::vector<std::string>::iterator it = permissions.origins->begin();
@@ -142,7 +149,7 @@ scoped_refptr<PermissionSet> UnpackPermissionSet(
   }
 
   return scoped_refptr<PermissionSet>(
-      new PermissionSet(apis, origins, URLPatternSet()));
+      new PermissionSet(apis, manifest_permissions, origins, URLPatternSet()));
 }
 
 }  // namespace permissions_api_helpers
diff --git a/chrome/browser/extensions/api/permissions/permissions_api_helpers_unittest.cc b/chrome/browser/extensions/api/permissions/permissions_api_helpers_unittest.cc
index fe3e860..4ac1b81 100644
--- a/chrome/browser/extensions/api/permissions/permissions_api_helpers_unittest.cc
+++ b/chrome/browser/extensions/api/permissions/permissions_api_helpers_unittest.cc
@@ -37,7 +37,7 @@ TEST(ExtensionPermissionsAPIHelpers, Pack) {
   AddPattern(&hosts, "http://b.com/*");
 
   scoped_refptr<PermissionSet> permission_set =
-      new PermissionSet(apis, hosts, URLPatternSet());
+      new PermissionSet(apis, ManifestPermissionSet(), hosts, URLPatternSet());
 
   // Pack the permission set to value and verify its contents.
   scoped_ptr<Permissions> permissions(PackPermissionSet(permission_set.get()));
diff --git a/chrome/browser/extensions/api/permissions/permissions_apitest.cc b/chrome/browser/extensions/api/permissions/permissions_apitest.cc
index 736112f..e3e1552 100644
--- a/chrome/browser/extensions/api/permissions/permissions_apitest.cc
+++ b/chrome/browser/extensions/api/permissions/permissions_apitest.cc
@@ -72,10 +72,12 @@ IN_PROC_BROWSER_TEST_F(ExtensionApiTest, OptionalPermissionsGranted) {
   // Mark all the tested APIs as granted to bypass the confirmation UI.
   APIPermissionSet apis;
   apis.insert(APIPermission::kBookmark);
+  ManifestPermissionSet manifest_permissions;
   URLPatternSet explicit_hosts;
   AddPattern(&explicit_hosts, "http://*.c.com/*");
   scoped_refptr<PermissionSet> granted_permissions =
-      new PermissionSet(apis, explicit_hosts, URLPatternSet());
+      new PermissionSet(apis, manifest_permissions,
+                        explicit_hosts, URLPatternSet());
 
   ExtensionPrefs* prefs =
       browser()->profile()->GetExtensionService()->extension_prefs();
diff --git a/chrome/browser/extensions/api/sockets_tcp/sockets_tcp_api.cc b/chrome/browser/extensions/api/sockets_tcp/sockets_tcp_api.cc
index 729587f..fbf02dc 100644
--- a/chrome/browser/extensions/api/sockets_tcp/sockets_tcp_api.cc
+++ b/chrome/browser/extensions/api/sockets_tcp/sockets_tcp_api.cc
@@ -6,7 +6,7 @@
 
 #include "chrome/browser/extensions/api/socket/tcp_socket.h"
 #include "chrome/browser/extensions/api/sockets_tcp/tcp_socket_event_dispatcher.h"
-#include "chrome/common/extensions/api/sockets/sockets_handler.h"
+#include "chrome/common/extensions/api/sockets/sockets_manifest_data.h"
 #include "content/public/common/socket_permission_request.h"
 #include "net/base/net_errors.h"
 
diff --git a/chrome/browser/extensions/api/sockets_tcp_server/sockets_tcp_server_api.cc b/chrome/browser/extensions/api/sockets_tcp_server/sockets_tcp_server_api.cc
index cace238..e914a5a 100644
--- a/chrome/browser/extensions/api/sockets_tcp_server/sockets_tcp_server_api.cc
+++ b/chrome/browser/extensions/api/sockets_tcp_server/sockets_tcp_server_api.cc
@@ -6,7 +6,7 @@
 
 #include "chrome/browser/extensions/api/socket/tcp_socket.h"
 #include "chrome/browser/extensions/api/sockets_tcp_server/tcp_server_socket_event_dispatcher.h"
-#include "chrome/common/extensions/api/sockets/sockets_handler.h"
+#include "chrome/common/extensions/api/sockets/sockets_manifest_data.h"
 #include "chrome/common/extensions/permissions/permissions_data.h"
 #include "chrome/common/extensions/permissions/socket_permission.h"
 #include "content/public/common/socket_permission_request.h"
diff --git a/chrome/browser/extensions/api/sockets_udp/sockets_udp_api.cc b/chrome/browser/extensions/api/sockets_udp/sockets_udp_api.cc
index 5939c44..fd8101c 100644
--- a/chrome/browser/extensions/api/sockets_udp/sockets_udp_api.cc
+++ b/chrome/browser/extensions/api/sockets_udp/sockets_udp_api.cc
@@ -6,7 +6,7 @@
 
 #include "chrome/browser/extensions/api/socket/udp_socket.h"
 #include "chrome/browser/extensions/api/sockets_udp/udp_socket_event_dispatcher.h"
-#include "chrome/common/extensions/api/sockets/sockets_handler.h"
+#include "chrome/common/extensions/api/sockets/sockets_manifest_data.h"
 #include "content/public/common/socket_permission_request.h"
 #include "net/base/net_errors.h"
 
diff --git a/chrome/browser/extensions/extension_prefs.cc b/chrome/browser/extensions/extension_prefs.cc
index f021de4..d6394e8 100644
--- a/chrome/browser/extensions/extension_prefs.cc
+++ b/chrome/browser/extensions/extension_prefs.cc
@@ -157,6 +157,7 @@ const char kPrefGrantedPermissions[] = "granted_permissions";
 
 // The preference names for PermissionSet values.
 const char kPrefAPIs[] = "api";
+const char kPrefManifestPermissions[] = "manifest_permissions";
 const char kPrefExplicitHosts[] = "explicit_host";
 const char kPrefScriptableHosts[] = "scriptable_host";
 
@@ -545,6 +546,18 @@ PermissionSet* ExtensionPrefs::ReadPrefAsPermissionSet(
                                     &apis, NULL, NULL);
   }
 
+  // Retrieve the Manifest Keys permissions. Please refer to
+  // |SetExtensionPrefPermissionSet| for manifest_permissions_values format.
+  ManifestPermissionSet manifest_permissions;
+  const ListValue* manifest_permissions_values = NULL;
+  std::string manifest_permission_pref =
+      JoinPrefs(pref_key, kPrefManifestPermissions);
+  if (ReadPrefAsList(extension_id, manifest_permission_pref,
+                     &manifest_permissions_values)) {
+    ManifestPermissionSet::ParseFromJSON(
+        manifest_permissions_values, &manifest_permissions, NULL, NULL);
+  }
+
   // Retrieve the explicit host permissions.
   URLPatternSet explicit_hosts;
   ReadPrefAsURLPatternSet(
@@ -557,37 +570,51 @@ PermissionSet* ExtensionPrefs::ReadPrefAsPermissionSet(
       extension_id, JoinPrefs(pref_key, kPrefScriptableHosts),
       &scriptable_hosts, UserScript::ValidUserScriptSchemes());
 
-  return new PermissionSet(apis, explicit_hosts, scriptable_hosts);
-}
-
-void ExtensionPrefs::SetExtensionPrefPermissionSet(
-    const std::string& extension_id,
-    const std::string& pref_key,
-    const PermissionSet* new_value) {
-  // Set the API permissions.
-  // The format of api_values is:
-  // [ "permission_name1",   // permissions do not support detail.
-  //   "permission_name2",
-  //   {"permission_name3": value },
-  //   // permission supports detail, permission detail will be stored in value.
-  //   ...
-  // ]
-  ListValue* api_values = new ListValue();
-  APIPermissionSet apis = new_value->apis();
-  std::string api_pref = JoinPrefs(pref_key, kPrefAPIs);
-  for (APIPermissionSet::const_iterator i = apis.begin();
-       i != apis.end(); ++i) {
+  return new PermissionSet(
+      apis, manifest_permissions, explicit_hosts, scriptable_hosts);
+}
+
+// Set the API or Manifest permissions.
+// The format of api_values is:
+// [ "permission_name1",   // permissions do not support detail.
+//   "permission_name2",
+//   {"permission_name3": value },
+//   // permission supports detail, permission detail will be stored in value.
+//   ...
+// ]
+template<typename T>
+static ListValue* CreatePermissionList(const T& permissions) {
+  ListValue* values = new ListValue();
+  for (typename T::const_iterator i = permissions.begin();
+      i != permissions.end(); ++i) {
     scoped_ptr<Value> detail(i->ToValue());
     if (detail) {
       DictionaryValue* tmp = new DictionaryValue();
       tmp->Set(i->name(), detail.release());
-      api_values->Append(tmp);
+      values->Append(tmp);
     } else {
-      api_values->Append(new base::StringValue(i->name()));
+      values->Append(new base::StringValue(i->name()));
     }
   }
+  return values;
+}
+
+void ExtensionPrefs::SetExtensionPrefPermissionSet(
+    const std::string& extension_id,
+    const std::string& pref_key,
+    const PermissionSet* new_value) {
+  std::string api_pref = JoinPrefs(pref_key, kPrefAPIs);
+  ListValue* api_values = CreatePermissionList(new_value->apis());
   UpdateExtensionPref(extension_id, api_pref, api_values);
 
+  std::string manifest_permissions_pref =
+      JoinPrefs(pref_key, kPrefManifestPermissions);
+  ListValue* manifest_permissions_values = CreatePermissionList(
+      new_value->manifest_permissions());
+  UpdateExtensionPref(extension_id,
+                      manifest_permissions_pref,
+                      manifest_permissions_values);
+
   // Set the explicit host permissions.
   if (!new_value->explicit_hosts().is_empty()) {
     SetExtensionPrefURLPatternSet(extension_id,
diff --git a/chrome/browser/extensions/extension_prefs_unittest.cc b/chrome/browser/extensions/extension_prefs_unittest.cc
index 511aeed..3d1d24f 100644
--- a/chrome/browser/extensions/extension_prefs_unittest.cc
+++ b/chrome/browser/extensions/extension_prefs_unittest.cc
@@ -222,6 +222,7 @@ class ExtensionPrefsGrantedPermissions : public ExtensionPrefsTest {
     AddPattern(&shost_permissions_, "http://example.com/*");
 
     APIPermissionSet empty_set;
+    ManifestPermissionSet empty_manifest_permissions;
     URLPatternSet empty_extent;
     scoped_refptr<PermissionSet> permissions;
     scoped_refptr<PermissionSet> granted_permissions;
@@ -232,7 +233,7 @@ class ExtensionPrefsGrantedPermissions : public ExtensionPrefsTest {
     EXPECT_TRUE(granted_permissions->IsEmpty());
 
     permissions = new PermissionSet(
-        api_perm_set1_, empty_extent, empty_extent);
+        api_perm_set1_, empty_manifest_permissions, empty_extent, empty_extent);
 
     // Add part of the api permissions.
     prefs()->AddGrantedPermissions(extension_id_, permissions.get());
@@ -246,7 +247,7 @@ class ExtensionPrefsGrantedPermissions : public ExtensionPrefsTest {
 
     // Add part of the explicit host permissions.
     permissions = new PermissionSet(
-        empty_set, ehost_perm_set1_, empty_extent);
+        empty_set, empty_manifest_permissions, ehost_perm_set1_, empty_extent);
     prefs()->AddGrantedPermissions(extension_id_, permissions.get());
     granted_permissions = prefs()->GetGrantedPermissions(extension_id_);
     EXPECT_FALSE(granted_permissions->IsEmpty());
@@ -259,7 +260,7 @@ class ExtensionPrefsGrantedPermissions : public ExtensionPrefsTest {
 
     // Add part of the scriptable host permissions.
     permissions = new PermissionSet(
-        empty_set, empty_extent, shost_perm_set1_);
+        empty_set, empty_manifest_permissions, empty_extent, shost_perm_set1_);
     prefs()->AddGrantedPermissions(extension_id_, permissions.get());
     granted_permissions = prefs()->GetGrantedPermissions(extension_id_);
     EXPECT_FALSE(granted_permissions->IsEmpty());
@@ -276,7 +277,8 @@ class ExtensionPrefsGrantedPermissions : public ExtensionPrefsTest {
 
     // Add the rest of the permissions.
     permissions = new PermissionSet(
-        api_perm_set2_, ehost_perm_set2_, shost_perm_set2_);
+        api_perm_set2_, empty_manifest_permissions,
+        ehost_perm_set2_, shost_perm_set2_);
 
     APIPermissionSet::Union(expected_apis, api_perm_set2_, &api_permissions_);
 
@@ -334,6 +336,8 @@ class ExtensionPrefsActivePermissions : public ExtensionPrefsTest {
     api_perms.insert(APIPermission::kBookmark);
     api_perms.insert(APIPermission::kHistory);
 
+    ManifestPermissionSet empty_manifest_permissions;
+
     URLPatternSet ehosts;
     AddPattern(&ehosts, "http://*.google.com/*");
     AddPattern(&ehosts, "http://example.com/*");
@@ -343,7 +347,8 @@ class ExtensionPrefsActivePermissions : public ExtensionPrefsTest {
     AddPattern(&shosts, "https://*.google.com/*");
     AddPattern(&shosts, "http://reddit.com/r/test/*");
 
-    active_perms_ = new PermissionSet(api_perms, ehosts, shosts);
+    active_perms_ = new PermissionSet(
+        api_perms, empty_manifest_permissions, ehosts, shosts);
 
     // Make sure the active permissions start empty.
     scoped_refptr<PermissionSet> active(
diff --git a/chrome/browser/extensions/permissions_updater.cc b/chrome/browser/extensions/permissions_updater.cc
index f8a928e..1e38cb8 100644
--- a/chrome/browser/extensions/permissions_updater.cc
+++ b/chrome/browser/extensions/permissions_updater.cc
@@ -138,13 +138,16 @@ void PermissionsUpdater::NotifyPermissionsUpdated(
        !i.IsAtEnd(); i.Advance()) {
     RenderProcessHost* host = i.GetCurrentValue();
     Profile* profile = Profile::FromBrowserContext(host->GetBrowserContext());
-    if (profile_->IsSameProfile(profile))
-      host->Send(new ExtensionMsg_UpdatePermissions(
-          static_cast<int>(reason),
-          extension->id(),
-          changed->apis(),
-          changed->explicit_hosts(),
-          changed->scriptable_hosts()));
+    if (profile_->IsSameProfile(profile)) {
+      ExtensionMsg_UpdatePermissions_Params info;
+      info.reason_id = static_cast<int>(reason);
+      info.extension_id = extension->id();
+      info.apis = changed->apis();
+      info.manifest_permissions = changed->manifest_permissions();
+      info.explicit_hosts = changed->explicit_hosts();
+      info.scriptable_hosts = changed->scriptable_hosts();
+      host->Send(new ExtensionMsg_UpdatePermissions(info));
+    }
   }
 
   // Trigger the onAdded and onRemoved events in the extension.
diff --git a/chrome/browser/extensions/permissions_updater_unittest.cc b/chrome/browser/extensions/permissions_updater_unittest.cc
index 30d71dc..7a0e431 100644
--- a/chrome/browser/extensions/permissions_updater_unittest.cc
+++ b/chrome/browser/extensions/permissions_updater_unittest.cc
@@ -119,10 +119,13 @@ TEST_F(PermissionsUpdaterTest, AddAndRemovePermissions) {
 
   APIPermissionSet default_apis;
   default_apis.insert(APIPermission::kManagement);
+  ManifestPermissionSet empty_manifest_permissions;
+
   URLPatternSet default_hosts;
   AddPattern(&default_hosts, "http://a.com/*");
   scoped_refptr<PermissionSet> default_permissions =
-      new PermissionSet(default_apis, default_hosts, URLPatternSet());
+      new PermissionSet(default_apis, empty_manifest_permissions,
+                        default_hosts, URLPatternSet());
 
   // Make sure it loaded properly.
   scoped_refptr<const PermissionSet> permissions =
@@ -138,7 +141,8 @@ TEST_F(PermissionsUpdaterTest, AddAndRemovePermissions) {
   AddPattern(&hosts, "http://*.c.com/*");
 
   scoped_refptr<PermissionSet> delta =
-      new PermissionSet(apis, hosts, URLPatternSet());
+      new PermissionSet(apis, empty_manifest_permissions,
+                        hosts, URLPatternSet());
 
   PermissionsUpdaterListener listener;
   PermissionsUpdater updater(profile_.get());
@@ -175,7 +179,8 @@ TEST_F(PermissionsUpdaterTest, AddAndRemovePermissions) {
   // In the second part of the test, we'll remove the permissions that we
   // just added except for 'notification'.
   apis.erase(APIPermission::kNotification);
-  delta = new PermissionSet(apis, hosts, URLPatternSet());
+  delta = new PermissionSet(apis, empty_manifest_permissions,
+                            hosts, URLPatternSet());
 
   listener.Reset();
   updater.RemovePermissions(extension.get(), delta.get());
diff --git a/chrome/browser/themes/theme_syncable_service_unittest.cc b/chrome/browser/themes/theme_syncable_service_unittest.cc
index 82e721b..b95adbe 100644
--- a/chrome/browser/themes/theme_syncable_service_unittest.cc
+++ b/chrome/browser/themes/theme_syncable_service_unittest.cc
@@ -207,9 +207,11 @@ class ThemeSyncableServiceTest : public testing::Test {
                                           GetThemeLocation(),
                                           kCustomThemeUrl);
     extensions::APIPermissionSet empty_set;
+    extensions::ManifestPermissionSet empty_manifest_permissions;
     extensions::URLPatternSet empty_extent;
     scoped_refptr<extensions::PermissionSet> permissions =
-        new extensions::PermissionSet(empty_set, empty_extent, empty_extent);
+        new extensions::PermissionSet(empty_set, empty_manifest_permissions,
+                                      empty_extent, empty_extent);
     service->extension_prefs()->AddGrantedPermissions(
         theme_extension_->id(), permissions.get());
     service->AddExtension(theme_extension_.get());
diff --git a/chrome/chrome_common.gypi b/chrome/chrome_common.gypi
index dbd07b6..1f0f67f 100644
--- a/chrome/chrome_common.gypi
+++ b/chrome/chrome_common.gypi
@@ -145,8 +145,12 @@
         'common/extensions/api/omnibox/omnibox_handler.h',
         'common/extensions/api/plugins/plugins_handler.cc',
         'common/extensions/api/plugins/plugins_handler.h',
-        'common/extensions/api/sockets/sockets_handler.cc',
-        'common/extensions/api/sockets/sockets_handler.h',
+        'common/extensions/api/sockets/sockets_manifest_handler.cc',
+        'common/extensions/api/sockets/sockets_manifest_handler.h',
+        'common/extensions/api/sockets/sockets_manifest_data.cc',
+        'common/extensions/api/sockets/sockets_manifest_data.h',
+        'common/extensions/api/sockets/sockets_manifest_permission.cc',
+        'common/extensions/api/sockets/sockets_manifest_permission.h',
         'common/extensions/api/speech/tts_engine_manifest_handler.cc',
         'common/extensions/api/speech/tts_engine_manifest_handler.h',
         'common/extensions/api/spellcheck/spellcheck_handler.cc',
diff --git a/chrome/chrome_tests_unit.gypi b/chrome/chrome_tests_unit.gypi
index b86305f..b648e4c 100644
--- a/chrome/chrome_tests_unit.gypi
+++ b/chrome/chrome_tests_unit.gypi
@@ -540,6 +540,7 @@
         '../extensions/common/matcher/url_matcher_unittest.cc',
         '../extensions/common/one_shot_event_unittest.cc',
         '../extensions/common/permissions/api_permission_set_unittest.cc',
+        '../extensions/common/permissions/manifest_permission_set_unittest.cc',
         '../extensions/common/url_pattern_set_unittest.cc',
         '../extensions/common/url_pattern_unittest.cc',
         '../extensions/common/user_script_unittest.cc',
@@ -1800,6 +1801,7 @@
         'common/extensions/api/file_browser_handlers/file_browser_handler_manifest_unittest.cc',
         'common/extensions/api/i18n/default_locale_manifest_unittest.cc',
         'common/extensions/api/identity/extension_manifests_auth_unittest.cc',
+        'common/extensions/api/sockets/sockets_manifest_permission_unittest.cc',
         'common/extensions/api/storage/storage_schema_manifest_handler_unittest.cc',
         'common/extensions/command_unittest.cc',
         'common/extensions/csp_validator_unittest.cc',
diff --git a/chrome/common/extensions/api/sockets/sockets_handler.cc b/chrome/common/extensions/api/sockets/sockets_handler.cc
deleted file mode 100644
index a1b51c2..0000000
--- a/chrome/common/extensions/api/sockets/sockets_handler.cc
+++ /dev/null
@@ -1,155 +0,0 @@
-// Copyright 2013 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#include "chrome/common/extensions/api/sockets/sockets_handler.h"
-
-#include "base/memory/scoped_ptr.h"
-#include "base/strings/utf_string_conversions.h"
-#include "base/values.h"
-#include "chrome/common/extensions/api/manifest_types.h"
-#include "chrome/common/extensions/extension.h"
-#include "chrome/common/extensions/permissions/permissions_data.h"
-#include "chrome/common/extensions/permissions/socket_permission_data.h"
-#include "extensions/common/error_utils.h"
-#include "extensions/common/manifest_constants.h"
-#include "extensions/common/permissions/api_permission_set.h"
-
-namespace extensions {
-
-namespace sockets_errors {
-const char kErrorInvalidHostPattern[] = "Invalid host:port pattern '*'";
-}
-
-namespace keys = extensions::manifest_keys;
-namespace errors = sockets_errors;
-using api::manifest_types::Sockets;
-
-SocketsHandler::SocketsHandler() {}
-
-SocketsHandler::~SocketsHandler() {}
-
-bool SocketsHandler::Parse(Extension* extension, string16* error) {
-  const base::Value* sockets = NULL;
-  CHECK(extension->manifest()->Get(keys::kSockets, &sockets));
-  std::vector<InstallWarning> install_warnings;
-  scoped_ptr<SocketsManifestData> data =
-      SocketsManifestData::FromValue(*sockets,
-                                     &install_warnings,
-                                     error);
-  if (!data)
-    return false;
-
-  extension->AddInstallWarnings(install_warnings);
-  extension->SetManifestData(keys::kSockets, data.release());
-  return true;
-}
-
-const std::vector<std::string> SocketsHandler::Keys() const {
-  return SingleKey(manifest_keys::kSockets);
-}
-
-SocketsManifestData::SocketsManifestData() {}
-SocketsManifestData::~SocketsManifestData() {}
-
-// static
-SocketsManifestData* SocketsManifestData::Get(const Extension* extension) {
-  return static_cast<SocketsManifestData*>(
-      extension->GetManifestData(keys::kSockets));
-}
-
-// static
-bool SocketsManifestData::CheckRequest(
-    const Extension* extension,
-    const content::SocketPermissionRequest& request) {
-  SocketsManifestData* data = SocketsManifestData::Get(extension);
-  if (data == NULL)
-    return false;
-
-  return data->CheckRequestImpl(extension, request);
-}
-
-// static
-scoped_ptr<SocketsManifestData> SocketsManifestData::FromValue(
-    const base::Value& value,
-    std::vector<InstallWarning>* install_warnings,
-    string16* error) {
-  scoped_ptr<Sockets> sockets = Sockets::FromValue(value, error);
-  if (!sockets)
-    return scoped_ptr<SocketsManifestData>();
-
-  scoped_ptr<SocketsManifestData> result(new SocketsManifestData());
-  if (sockets->udp) {
-    if (!ParseHostPattern(result.get(),
-        content::SocketPermissionRequest::UDP_BIND,
-        sockets->udp->bind,
-        error)) {
-      return scoped_ptr<SocketsManifestData>();
-    }
-    if (!ParseHostPattern(result.get(),
-        content::SocketPermissionRequest::UDP_SEND_TO,
-        sockets->udp->send,
-        error)) {
-      return scoped_ptr<SocketsManifestData>();
-    }
-    if (!ParseHostPattern(result.get(),
-        content::SocketPermissionRequest::UDP_MULTICAST_MEMBERSHIP,
-        sockets->udp->multicast_membership,
-        error)) {
-      return scoped_ptr<SocketsManifestData>();
-    }
-  }
-  if (sockets->tcp) {
-    if (!ParseHostPattern(result.get(),
-        content::SocketPermissionRequest::TCP_CONNECT,
-        sockets->tcp->connect,
-        error)) {
-      return scoped_ptr<SocketsManifestData>();
-    }
-  }
-  if (sockets->tcp_server) {
-    if (!ParseHostPattern(result.get(),
-        content::SocketPermissionRequest::TCP_LISTEN,
-        sockets->tcp_server->listen,
-        error)) {
-      return scoped_ptr<SocketsManifestData>();
-    }
-  }
-  return result.Pass();
-}
-
-// static
-bool SocketsManifestData::ParseHostPattern(
-    SocketsManifestData* manifest_data,
-    content::SocketPermissionRequest::OperationType operation_type,
-    const scoped_ptr<std::string>& value,
-    string16* error) {
-  if (value) {
-    SocketPermissionEntry entry;
-    if (!SocketPermissionEntry::ParseHostPattern(
-          operation_type, *value, &entry)) {
-      *error = ErrorUtils::FormatErrorMessageUTF16(
-          errors::kErrorInvalidHostPattern, *value);
-      return false;
-    }
-    manifest_data->AddPermission(entry);
-  }
-  return true;
-}
-
-void SocketsManifestData::AddPermission(const SocketPermissionEntry& entry) {
-  permissions_.insert(entry);
-}
-
-bool SocketsManifestData::CheckRequestImpl(
-    const Extension* extension,
-    const content::SocketPermissionRequest& request) {
-  for (PermissionSet::const_iterator it = permissions_.begin();
-       it != permissions_.end(); ++it) {
-    if (it->Check(request))
-      return true;
-  }
-  return false;
-}
-
-}  // namespace extensions
diff --git a/chrome/common/extensions/api/sockets/sockets_handler.h b/chrome/common/extensions/api/sockets/sockets_handler.h
deleted file mode 100644
index 2859407..0000000
--- a/chrome/common/extensions/api/sockets/sockets_handler.h
+++ /dev/null
@@ -1,68 +0,0 @@
-// Copyright 2013 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#ifndef CHROME_COMMON_EXTENSIONS_API_SOCKETS_SOCKETS_HANDLER_H_
-#define CHROME_COMMON_EXTENSIONS_API_SOCKETS_SOCKETS_HANDLER_H_
-
-#include "base/strings/string16.h"
-#include "chrome/common/extensions/extension.h"
-#include "chrome/common/extensions/permissions/socket_permission_data.h"
-#include "extensions/common/manifest_handler.h"
-
-namespace extensions {
-
-// Parses the "sockets" manifest key.
-class SocketsHandler : public ManifestHandler {
- public:
-  SocketsHandler();
-  virtual ~SocketsHandler();
-
-  virtual bool Parse(Extension* extension, string16* error) OVERRIDE;
-
- private:
-  virtual const std::vector<std::string> Keys() const OVERRIDE;
-
-  DISALLOW_COPY_AND_ASSIGN(SocketsHandler);
-};
-
-// The parsed form of the "sockets" manifest entry.
-class SocketsManifestData : public Extension::ManifestData {
- public:
-  SocketsManifestData();
-  virtual ~SocketsManifestData();
-
-  // Gets the ExternallyConnectableInfo for |extension|, or NULL if none was
-  // specified.
-  static SocketsManifestData* Get(const Extension* extension);
-
-  static bool CheckRequest(const Extension* extension,
-                           const content::SocketPermissionRequest& request);
-
-  // Tries to construct the info based on |value|, as it would have appeared in
-  // the manifest. Sets |error| and returns an empty scoped_ptr on failure.
-  static scoped_ptr<SocketsManifestData> FromValue(
-      const base::Value& value,
-      std::vector<InstallWarning>* install_warnings,
-      string16* error);
-
- private:
-  typedef std::set<SocketPermissionEntry> PermissionSet;
-
-  static bool ParseHostPattern(
-      SocketsManifestData* manifest_data,
-      content::SocketPermissionRequest::OperationType operation_type,
-      const scoped_ptr<std::string>& value,
-      string16* error);
-
-  void AddPermission(const SocketPermissionEntry& entry);
-
-  bool CheckRequestImpl(const Extension* extension,
-                        const content::SocketPermissionRequest& request);
-
-  PermissionSet permissions_;
-};
-
-}  // namespace extensions
-
-#endif  // CHROME_COMMON_EXTENSIONS_API_SOCKETS_SOCKETS_HANDLER_H_
diff --git a/chrome/common/extensions/api/sockets/sockets_manifest_data.cc b/chrome/common/extensions/api/sockets/sockets_manifest_data.cc
new file mode 100644
index 0000000..b00c8e0
--- /dev/null
+++ b/chrome/common/extensions/api/sockets/sockets_manifest_data.cc
@@ -0,0 +1,51 @@
+// Copyright 2013 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "chrome/common/extensions/api/sockets/sockets_manifest_data.h"
+
+#include "chrome/common/extensions/api/sockets/sockets_manifest_permission.h"
+#include "extensions/common/manifest_constants.h"
+
+namespace extensions {
+
+SocketsManifestData::SocketsManifestData(
+    scoped_ptr<SocketsManifestPermission> permission)
+    : permission_(permission.Pass()) {
+  DCHECK(permission_);
+}
+
+SocketsManifestData::~SocketsManifestData() {}
+
+// static
+SocketsManifestData* SocketsManifestData::Get(
+    const Extension* extension) {
+  return static_cast<SocketsManifestData*>(
+      extension->GetManifestData(manifest_keys::kSockets));
+}
+
+// static
+bool SocketsManifestData::CheckRequest(
+    const Extension* extension,
+    const content::SocketPermissionRequest& request) {
+  const SocketsManifestData* data = SocketsManifestData::Get(extension);
+  if (data)
+    return data->permission()->CheckRequest(extension, request);
+
+  return false;
+}
+
+// static
+scoped_ptr<SocketsManifestData> SocketsManifestData::FromValue(
+    const base::Value& value,
+    string16* error) {
+  scoped_ptr<SocketsManifestPermission> permission =
+      SocketsManifestPermission::FromValue(value, error);
+  if (!permission)
+    return scoped_ptr<SocketsManifestData>();
+
+  return scoped_ptr<SocketsManifestData>(
+      new SocketsManifestData(permission.Pass())).Pass();
+}
+
+}  // namespace extensions
diff --git a/chrome/common/extensions/api/sockets/sockets_manifest_data.h b/chrome/common/extensions/api/sockets/sockets_manifest_data.h
new file mode 100644
index 0000000..b220617
--- /dev/null
+++ b/chrome/common/extensions/api/sockets/sockets_manifest_data.h
@@ -0,0 +1,54 @@
+// Copyright 2013 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#ifndef CHROME_COMMON_EXTENSIONS_API_SOCKETS_SOCKETS_MANIFEST_DATA_H_
+#define CHROME_COMMON_EXTENSIONS_API_SOCKETS_SOCKETS_MANIFEST_DATA_H_
+
+#include <vector>
+
+#include "base/strings/string16.h"
+#include "chrome/common/extensions/extension.h"
+#include "extensions/common/manifest_handler.h"
+
+namespace content {
+struct SocketPermissionRequest;
+}
+
+namespace extensions {
+class SocketsManifestPermission;
+}
+
+namespace extensions {
+
+// The parsed form of the "sockets" manifest entry.
+class SocketsManifestData : public Extension::ManifestData {
+ public:
+  explicit SocketsManifestData(
+      scoped_ptr<SocketsManifestPermission> permission);
+  virtual ~SocketsManifestData();
+
+  // Gets the SocketsManifestData for |extension|, or NULL if none was
+  // specified.
+  static SocketsManifestData* Get(const Extension* extension);
+
+  static bool CheckRequest(const Extension* extension,
+                           const content::SocketPermissionRequest& request);
+
+  // Tries to construct the info based on |value|, as it would have appeared in
+  // the manifest. Sets |error| and returns an empty scoped_ptr on failure.
+  static scoped_ptr<SocketsManifestData> FromValue(
+      const base::Value& value,
+      string16* error);
+
+  const SocketsManifestPermission* permission() const {
+    return permission_.get();
+  }
+
+ private:
+  scoped_ptr<SocketsManifestPermission> permission_;
+};
+
+}  // namespace extensions
+
+#endif  // CHROME_COMMON_EXTENSIONS_API_SOCKETS_SOCKETS_MANIFEST_DATA_H_
diff --git a/chrome/common/extensions/api/sockets/sockets_manifest_handler.cc b/chrome/common/extensions/api/sockets/sockets_manifest_handler.cc
new file mode 100644
index 0000000..2e57ddc
--- /dev/null
+++ b/chrome/common/extensions/api/sockets/sockets_manifest_handler.cc
@@ -0,0 +1,46 @@
+// Copyright 2013 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "chrome/common/extensions/api/sockets/sockets_manifest_handler.h"
+
+#include "chrome/common/extensions/api/sockets/sockets_manifest_data.h"
+#include "chrome/common/extensions/api/sockets/sockets_manifest_permission.h"
+#include "chrome/common/extensions/extension.h"
+#include "extensions/common/manifest_constants.h"
+
+namespace extensions {
+
+SocketsManifestHandler::SocketsManifestHandler() {}
+
+SocketsManifestHandler::~SocketsManifestHandler() {}
+
+bool SocketsManifestHandler::Parse(Extension* extension, string16* error) {
+  const base::Value* sockets = NULL;
+  CHECK(extension->manifest()->Get(manifest_keys::kSockets, &sockets));
+  scoped_ptr<SocketsManifestData> data =
+      SocketsManifestData::FromValue(*sockets, error);
+  if (!data)
+    return false;
+
+  extension->SetManifestData(manifest_keys::kSockets, data.release());
+  return true;
+}
+
+ManifestPermission* SocketsManifestHandler::CreatePermission() {
+  return new SocketsManifestPermission();
+}
+
+ManifestPermission* SocketsManifestHandler::CreateInitialRequiredPermission(
+    const Extension* extension) {
+  SocketsManifestData* data = SocketsManifestData::Get(extension);
+  if (data)
+    return data->permission()->Clone();
+  return NULL;
+}
+
+const std::vector<std::string> SocketsManifestHandler::Keys() const {
+  return SingleKey(manifest_keys::kSockets);
+}
+
+}  // namespace extensions
diff --git a/chrome/common/extensions/api/sockets/sockets_manifest_handler.h b/chrome/common/extensions/api/sockets/sockets_manifest_handler.h
new file mode 100644
index 0000000..17dc401
--- /dev/null
+++ b/chrome/common/extensions/api/sockets/sockets_manifest_handler.h
@@ -0,0 +1,41 @@
+// Copyright 2013 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#ifndef CHROME_COMMON_EXTENSIONS_API_SOCKETS_SOCKETS_MANIFEST_HANDLER_H_
+#define CHROME_COMMON_EXTENSIONS_API_SOCKETS_SOCKETS_MANIFEST_HANDLER_H_
+
+#include <string>
+#include <vector>
+
+#include "extensions/common/manifest_handler.h"
+
+namespace extensions {
+class Extension;
+class ManifestPermission;
+}
+
+namespace extensions {
+
+// Parses the "sockets" manifest key.
+class SocketsManifestHandler : public ManifestHandler {
+ public:
+  SocketsManifestHandler();
+  virtual ~SocketsManifestHandler();
+
+  // ManifestHandler overrides.
+  virtual bool Parse(Extension* extension, string16* error) OVERRIDE;
+  virtual ManifestPermission* CreatePermission() OVERRIDE;
+  virtual ManifestPermission* CreateInitialRequiredPermission(
+    const Extension* extension) OVERRIDE;
+
+ private:
+  // ManifestHandler overrides.
+  virtual const std::vector<std::string> Keys() const OVERRIDE;
+
+  DISALLOW_COPY_AND_ASSIGN(SocketsManifestHandler);
+};
+
+}  // namespace extensions
+
+#endif  // CHROME_COMMON_EXTENSIONS_API_SOCKETS_SOCKETS_MANIFEST_HANDLER_H_
diff --git a/chrome/common/extensions/api/sockets/sockets_manifest_permission.cc b/chrome/common/extensions/api/sockets/sockets_manifest_permission.cc
new file mode 100644
index 0000000..b654d38
--- /dev/null
+++ b/chrome/common/extensions/api/sockets/sockets_manifest_permission.cc
@@ -0,0 +1,386 @@
+// Copyright 2013 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "chrome/common/extensions/api/sockets/sockets_manifest_permission.h"
+
+#include "base/memory/scoped_ptr.h"
+#include "base/strings/utf_string_conversions.h"
+#include "base/values.h"
+#include "chrome/common/extensions/api/manifest_types.h"
+#include "chrome/common/extensions/api/sockets/sockets_manifest_data.h"
+#include "chrome/common/extensions/extension_messages.h"
+#include "extensions/common/error_utils.h"
+#include "extensions/common/manifest_constants.h"
+#include "grit/generated_resources.h"
+#include "ipc/ipc_message.h"
+#include "ui/base/l10n/l10n_util.h"
+
+namespace extensions {
+
+namespace sockets_errors {
+const char kErrorInvalidHostPattern[] = "Invalid host:port pattern '*'";
+}
+
+namespace errors = sockets_errors;
+using api::manifest_types::Sockets;
+using content::SocketPermissionRequest;
+
+SocketsManifestPermission::SocketsManifestPermission()
+    : kinds_(kNone) {
+}
+
+SocketsManifestPermission::~SocketsManifestPermission() {}
+
+// static
+scoped_ptr<SocketsManifestPermission> SocketsManifestPermission::FromValue(
+    const base::Value& value,
+    string16* error) {
+  scoped_ptr<Sockets> sockets = Sockets::FromValue(value, error);
+  if (!sockets)
+    return scoped_ptr<SocketsManifestPermission>();
+
+  scoped_ptr<SocketsManifestPermission> result(new SocketsManifestPermission());
+  if (sockets->udp) {
+    result->kinds_ |= kUdpPermission;
+    if (!ParseHostPattern(result.get(),
+                          SocketPermissionRequest::UDP_BIND,
+                          sockets->udp->bind,
+                          error)) {
+      return scoped_ptr<SocketsManifestPermission>();
+    }
+    if (!ParseHostPattern(result.get(),
+                          SocketPermissionRequest::UDP_SEND_TO,
+                          sockets->udp->send,
+                          error)) {
+      return scoped_ptr<SocketsManifestPermission>();
+    }
+    if (!ParseHostPattern(result.get(),
+                          SocketPermissionRequest::UDP_MULTICAST_MEMBERSHIP,
+                          sockets->udp->multicast_membership,
+                          error)) {
+      return scoped_ptr<SocketsManifestPermission>();
+    }
+  }
+  if (sockets->tcp) {
+    result->kinds_ |= kTcpPermission;
+    if (!ParseHostPattern(result.get(),
+                          SocketPermissionRequest::TCP_CONNECT,
+                          sockets->tcp->connect,
+                          error)) {
+      return scoped_ptr<SocketsManifestPermission>();
+    }
+  }
+  if (sockets->tcp_server) {
+    result->kinds_ |= kTcpServerPermission;
+    if (!ParseHostPattern(result.get(),
+                          SocketPermissionRequest::TCP_LISTEN,
+                          sockets->tcp_server->listen,
+                          error)) {
+      return scoped_ptr<SocketsManifestPermission>();
+    }
+  }
+  return result.Pass();
+}
+
+bool SocketsManifestPermission::CheckRequest(
+    const Extension* extension,
+    const SocketPermissionRequest& request) const {
+  for (SocketPermissionEntrySet::const_iterator it = permissions_.begin();
+       it != permissions_.end(); ++it) {
+    if (it->Check(request))
+      return true;
+  }
+  return false;
+}
+
+std::string SocketsManifestPermission::name() const {
+  return manifest_keys::kSockets;
+}
+
+std::string SocketsManifestPermission::id() const {
+  return name();
+}
+
+bool SocketsManifestPermission::HasMessages() const {
+  bool is_empty = permissions_.empty() && (kinds_ == kNone);
+  return !is_empty;
+}
+
+PermissionMessages SocketsManifestPermission::GetMessages() const {
+  // TODO(rpaquay): This function and callees is (almost) a copy/paste
+  // from extensions::SocketPermissiona.
+  PermissionMessages result;
+  if (!AddAnyHostMessage(result)) {
+    AddSpecificHostMessage(result);
+    AddSubdomainHostMessage(result);
+  }
+  AddNetworkListMessage(result);
+  return result;
+}
+
+bool SocketsManifestPermission::FromValue(const base::Value* value) {
+  if (!value)
+    return false;
+  string16 error;
+  scoped_ptr<SocketsManifestPermission> data(
+      SocketsManifestPermission::FromValue(*value, &error));
+
+  if (!data)
+    return false;
+
+  permissions_ = data->permissions_;
+  kinds_ = data->kinds_;
+  return true;
+}
+
+scoped_ptr<base::Value> SocketsManifestPermission::ToValue() const {
+  Sockets sockets;
+  if (has_udp()) {
+    sockets.udp.reset(new Sockets::Udp());
+    sockets.udp->bind = CreateHostPattern(SocketPermissionRequest::UDP_BIND);
+    sockets.udp->send = CreateHostPattern(SocketPermissionRequest::UDP_SEND_TO);
+    sockets.udp->multicast_membership =
+        CreateHostPattern(SocketPermissionRequest::UDP_MULTICAST_MEMBERSHIP);
+  }
+  if (has_tcp()) {
+    sockets.tcp.reset(new Sockets::Tcp());
+    sockets.tcp->connect =
+        CreateHostPattern(SocketPermissionRequest::TCP_CONNECT);
+  }
+  if (has_tcp_server()) {
+    sockets.tcp_server.reset(new Sockets::TcpServer());
+    sockets.tcp_server->listen =
+        CreateHostPattern(SocketPermissionRequest::TCP_LISTEN);
+  }
+
+  return scoped_ptr<base::Value>(sockets.ToValue().release()).Pass();
+}
+
+ManifestPermission* SocketsManifestPermission::Clone() const {
+  scoped_ptr<SocketsManifestPermission> result(new SocketsManifestPermission());
+  result->permissions_ = permissions_;
+  result->kinds_ = kinds_;
+  return result.release();
+}
+
+ManifestPermission* SocketsManifestPermission::Diff(
+    const ManifestPermission* rhs) const {
+  const SocketsManifestPermission* other =
+      static_cast<const SocketsManifestPermission*>(rhs);
+
+  scoped_ptr<SocketsManifestPermission> data(new SocketsManifestPermission());
+  std::set_difference(
+      permissions_.begin(), permissions_.end(),
+      other->permissions_.begin(), other->permissions_.end(),
+      std::inserter<SocketPermissionEntrySet>(
+          data->permissions_, data->permissions_.begin()));
+
+  data->kinds_ = (kinds_ & (~other->kinds_));
+
+  // Note: We may need to fix up |kinds_| because any permission entry
+  // in a given group (udp, tcp, etc.) implies the corresponding kind bit set.
+  data->kinds_ |= HasOperationType(data->permissions_,
+      SocketPermissionRequest::UDP_BIND, kUdpPermission);
+  data->kinds_ |= HasOperationType(data->permissions_,
+      SocketPermissionRequest::UDP_SEND_TO, kUdpPermission);
+  data->kinds_ |= HasOperationType(data->permissions_,
+      SocketPermissionRequest::UDP_MULTICAST_MEMBERSHIP, kUdpPermission);
+  data->kinds_ |= HasOperationType(data->permissions_,
+      SocketPermissionRequest::TCP_CONNECT, kTcpPermission);
+  data->kinds_ |= HasOperationType(data->permissions_,
+      SocketPermissionRequest::TCP_LISTEN, kTcpServerPermission);
+  return data.release();
+}
+
+ManifestPermission* SocketsManifestPermission::Union(
+    const ManifestPermission* rhs) const {
+  const SocketsManifestPermission* other =
+      static_cast<const SocketsManifestPermission*>(rhs);
+
+  scoped_ptr<SocketsManifestPermission> data(new SocketsManifestPermission());
+  std::set_union(
+      permissions_.begin(), permissions_.end(),
+      other->permissions_.begin(), other->permissions_.end(),
+      std::inserter<SocketPermissionEntrySet>(
+          data->permissions_, data->permissions_.begin()));
+
+  data->kinds_ = (kinds_ | other->kinds_);
+  return data.release();
+}
+
+ManifestPermission* SocketsManifestPermission::Intersect(
+    const ManifestPermission* rhs) const {
+  const SocketsManifestPermission* other =
+      static_cast<const SocketsManifestPermission*>(rhs);
+
+  scoped_ptr<SocketsManifestPermission> data(new SocketsManifestPermission());
+  std::set_intersection(
+      permissions_.begin(), permissions_.end(),
+      other->permissions_.begin(), other->permissions_.end(),
+      std::inserter<SocketPermissionEntrySet>(
+          data->permissions_, data->permissions_.begin()));
+
+  data->kinds_ = (kinds_ & other->kinds_);
+  return data.release();
+}
+
+bool SocketsManifestPermission::Contains(const ManifestPermission* rhs) const {
+  const SocketsManifestPermission* other =
+      static_cast<const SocketsManifestPermission*>(rhs);
+
+  return std::includes(
+      permissions_.begin(), permissions_.end(),
+      other->permissions_.begin(), other->permissions_.end()) &&
+      ((kinds_ | other->kinds_) == kinds_);
+}
+
+bool SocketsManifestPermission::Equal(const ManifestPermission* rhs) const {
+  const SocketsManifestPermission* other =
+      static_cast<const SocketsManifestPermission*>(rhs);
+
+  return (permissions_ == other->permissions_) &&
+      (kinds_ == other->kinds_);
+}
+
+void SocketsManifestPermission::Write(IPC::Message* m) const {
+  IPC::WriteParam(m, permissions_);
+  IPC::WriteParam(m, kinds_);
+}
+
+bool SocketsManifestPermission::Read(const IPC::Message* m,
+                                     PickleIterator* iter) {
+  return IPC::ReadParam(m, iter, &permissions_) &&
+      IPC::ReadParam(m, iter, &kinds_);
+}
+
+void SocketsManifestPermission::Log(std::string* log) const {
+  IPC::LogParam(permissions_, log);
+  IPC::LogParam(kinds_, log);
+}
+
+// static
+bool SocketsManifestPermission::ParseHostPattern(
+    SocketsManifestPermission* manifest_data,
+    SocketPermissionRequest::OperationType operation_type,
+    const scoped_ptr<std::string>& value,
+    string16* error) {
+  if (value) {
+    SocketPermissionEntry entry;
+    if (!SocketPermissionEntry::ParseHostPattern(
+          operation_type, *value, &entry)) {
+      *error = ErrorUtils::FormatErrorMessageUTF16(
+          errors::kErrorInvalidHostPattern, *value);
+      return false;
+    }
+    manifest_data->AddPermission(entry);
+  }
+  return true;
+}
+
+// static
+SocketsManifestPermission::PermissionKind SocketsManifestPermission::
+    HasOperationType(const SocketPermissionEntrySet& set,
+                     SocketPermissionRequest::OperationType operation_type,
+                     PermissionKind kind) {
+  for (SocketPermissionEntrySet::const_iterator it = set.begin();
+      it != set.end() ; ++it) {
+    if (it->pattern().type == operation_type)
+      return kind;
+  }
+  return kNone;
+}
+
+
+scoped_ptr<std::string> SocketsManifestPermission::CreateHostPattern(
+    SocketPermissionRequest::OperationType operation_type) const {
+  scoped_ptr<std::string> result;
+  for (SocketPermissionEntrySet::const_iterator it =
+        entries().begin(); it != entries().end() ; ++it) {
+    if (it->pattern().type == operation_type) {
+      result.reset(new std::string(it->GetHostPatternAsString()));
+      break;
+    }
+  }
+  return result.Pass();
+}
+
+void SocketsManifestPermission::AddPermission(
+    const SocketPermissionEntry& entry) {
+  permissions_.insert(entry);
+}
+
+bool SocketsManifestPermission::AddAnyHostMessage(
+    PermissionMessages& messages) const {
+  for (SocketPermissionEntrySet::const_iterator it = permissions_.begin();
+      it != permissions_.end(); ++it) {
+    if (it->IsAddressBoundType() &&
+        it->GetHostType() == SocketPermissionEntry::ANY_HOST) {
+      messages.push_back(PermissionMessage(
+          PermissionMessage::kSocketAnyHost,
+          l10n_util::GetStringUTF16(
+              IDS_EXTENSION_PROMPT_WARNING_SOCKET_ANY_HOST)));
+      return true;
+    }
+  }
+  return false;
+}
+
+void SocketsManifestPermission::AddSubdomainHostMessage(
+    PermissionMessages& messages) const {
+  std::set<string16> domains;
+  for (SocketPermissionEntrySet::const_iterator it = permissions_.begin();
+      it != permissions_.end(); ++it) {
+    if (it->GetHostType() == SocketPermissionEntry::HOSTS_IN_DOMAINS)
+      domains.insert(UTF8ToUTF16(it->pattern().host));
+  }
+  if (!domains.empty()) {
+    int id = (domains.size() == 1) ?
+             IDS_EXTENSION_PROMPT_WARNING_SOCKET_HOSTS_IN_DOMAIN :
+             IDS_EXTENSION_PROMPT_WARNING_SOCKET_HOSTS_IN_DOMAINS;
+    messages.push_back(PermissionMessage(
+        PermissionMessage::kSocketDomainHosts,
+        l10n_util::GetStringFUTF16(
+            id,
+            JoinString(
+                std::vector<string16>(
+                    domains.begin(), domains.end()), ' '))));
+  }
+}
+
+void SocketsManifestPermission::AddSpecificHostMessage(
+    PermissionMessages& messages) const {
+  std::set<string16> hostnames;
+  for (SocketPermissionEntrySet::const_iterator it = permissions_.begin();
+    it != permissions_.end(); ++it) {
+    if (it->GetHostType() == SocketPermissionEntry::SPECIFIC_HOSTS)
+      hostnames.insert(UTF8ToUTF16(it->pattern().host));
+  }
+  if (!hostnames.empty()) {
+    int id = (hostnames.size() == 1) ?
+             IDS_EXTENSION_PROMPT_WARNING_SOCKET_SPECIFIC_HOST :
+             IDS_EXTENSION_PROMPT_WARNING_SOCKET_SPECIFIC_HOSTS;
+    messages.push_back(PermissionMessage(
+        PermissionMessage::kSocketSpecificHosts,
+        l10n_util::GetStringFUTF16(
+            id,
+            JoinString(
+                std::vector<string16>(
+                    hostnames.begin(), hostnames.end()), ' '))));
+  }
+}
+
+void SocketsManifestPermission::AddNetworkListMessage(
+    PermissionMessages& messages) const {
+  for (SocketPermissionEntrySet::const_iterator it = permissions_.begin();
+      it != permissions_.end(); ++it) {
+    if (it->pattern().type == SocketPermissionRequest::NETWORK_STATE) {
+      messages.push_back(PermissionMessage(
+          PermissionMessage::kNetworkState,
+          l10n_util::GetStringUTF16(
+              IDS_EXTENSION_PROMPT_WARNING_NETWORK_STATE)));
+    }
+  }
+}
+
+}  // namespace extensions
diff --git a/chrome/common/extensions/api/sockets/sockets_manifest_permission.h b/chrome/common/extensions/api/sockets/sockets_manifest_permission.h
new file mode 100644
index 0000000..ca65b0f
--- /dev/null
+++ b/chrome/common/extensions/api/sockets/sockets_manifest_permission.h
@@ -0,0 +1,100 @@
+// Copyright 2013 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#ifndef CHROME_COMMON_EXTENSIONS_API_SOCKETS_SOCKETS_MANIFEST_PERMISSION_H_
+#define CHROME_COMMON_EXTENSIONS_API_SOCKETS_SOCKETS_MANIFEST_PERMISSION_H_
+
+#include <set>
+#include <vector>
+
+#include "chrome/common/extensions/permissions/socket_permission_entry.h"
+#include "extensions/common/install_warning.h"
+#include "extensions/common/permissions/manifest_permission.h"
+
+namespace content {
+struct SocketPermissionRequest;
+}
+
+namespace extensions {
+class Extension;
+}
+
+namespace extensions {
+
+class SocketsManifestPermission : public ManifestPermission {
+ public:
+  typedef std::set<SocketPermissionEntry> SocketPermissionEntrySet;
+  enum PermissionKind {
+    kNone = 0,
+    kTcpPermission = 1 << 0,
+    kUdpPermission = 1 << 1,
+    kTcpServerPermission = 1 << 2
+  };
+
+  SocketsManifestPermission();
+  virtual ~SocketsManifestPermission();
+
+  // Tries to construct the info based on |value|, as it would have appeared in
+  // the manifest. Sets |error| and returns an empty scoped_ptr on failure.
+  static scoped_ptr<SocketsManifestPermission> FromValue(
+      const base::Value& value,
+      string16* error);
+
+  bool CheckRequest(const Extension* extension,
+                    const content::SocketPermissionRequest& request) const;
+
+  // extensions::ManifestPermission overrides.
+  virtual std::string name() const OVERRIDE;
+  virtual std::string id() const OVERRIDE;
+  virtual bool HasMessages() const OVERRIDE;
+  virtual PermissionMessages GetMessages() const OVERRIDE;
+  virtual bool FromValue(const base::Value* value) OVERRIDE;
+  virtual scoped_ptr<base::Value> ToValue() const OVERRIDE;
+  virtual ManifestPermission* Clone() const OVERRIDE;
+  virtual ManifestPermission* Diff(const ManifestPermission* rhs) const
+      OVERRIDE;
+  virtual ManifestPermission* Union(const ManifestPermission* rhs) const
+      OVERRIDE;
+  virtual ManifestPermission* Intersect(const ManifestPermission* rhs) const
+      OVERRIDE;
+  virtual bool Contains(const ManifestPermission* rhs) const OVERRIDE;
+  virtual bool Equal(const ManifestPermission* rhs) const OVERRIDE;
+  virtual void Write(IPC::Message* m) const OVERRIDE;
+  virtual bool Read(const IPC::Message* m, PickleIterator* iter) OVERRIDE;
+  virtual void Log(std::string* log) const OVERRIDE;
+
+  bool has_udp() const { return (kinds_ & kUdpPermission) != 0; }
+  bool has_tcp() const { return (kinds_ & kTcpPermission) != 0; }
+  bool has_tcp_server() const { return (kinds_ & kTcpServerPermission) != 0; }
+  const SocketPermissionEntrySet& entries() const { return permissions_; }
+
+ private:
+  static bool ParseHostPattern(
+      SocketsManifestPermission* manifest_data,
+      content::SocketPermissionRequest::OperationType operation_type,
+      const scoped_ptr<std::string>& value,
+      string16* error);
+
+  static PermissionKind HasOperationType(
+      const SocketPermissionEntrySet& set,
+      content::SocketPermissionRequest::OperationType operation_type,
+      PermissionKind kind);
+
+  scoped_ptr<std::string> CreateHostPattern(
+    content::SocketPermissionRequest::OperationType operation_type) const;
+
+  void AddPermission(const SocketPermissionEntry& entry);
+
+  bool AddAnyHostMessage(PermissionMessages& messages) const;
+  void AddSubdomainHostMessage(PermissionMessages& messages) const;
+  void AddSpecificHostMessage(PermissionMessages& messages) const;
+  void AddNetworkListMessage(PermissionMessages& messages) const;
+
+  SocketPermissionEntrySet permissions_;
+  int kinds_;  // PermissionKind bits
+};
+
+}  // namespace extensions
+
+#endif  // CHROME_COMMON_EXTENSIONS_API_SOCKETS_SOCKETS_MANIFEST_PERMISSION_H_
diff --git a/chrome/common/extensions/api/sockets/sockets_manifest_permission_unittest.cc b/chrome/common/extensions/api/sockets/sockets_manifest_permission_unittest.cc
new file mode 100644
index 0000000..67ece853
--- /dev/null
+++ b/chrome/common/extensions/api/sockets/sockets_manifest_permission_unittest.cc
@@ -0,0 +1,186 @@
+// Copyright 2013 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "base/json/json_reader.h"
+#include "base/pickle.h"
+#include "base/values.h"
+#include "chrome/common/extensions/api/sockets/sockets_manifest_permission.h"
+#include "chrome/common/extensions/extension_messages.h"
+#include "extensions/common/manifest_constants.h"
+#include "ipc/ipc_message.h"
+#include "testing/gtest/include/gtest/gtest.h"
+
+namespace extensions {
+
+namespace {
+
+static void AssertEmptyPermission(const SocketsManifestPermission* permission) {
+  EXPECT_TRUE(permission);
+  EXPECT_EQ(std::string(extensions::manifest_keys::kSockets), permission->id());
+  EXPECT_EQ(permission->id(), permission->name());
+  EXPECT_FALSE(permission->HasMessages());
+  EXPECT_EQ(0u, permission->entries().size());
+}
+
+}  // namespace
+
+TEST(SocketsManifestPermissionTest, Empty) {
+  // Construction
+  scoped_ptr<SocketsManifestPermission> permission(
+      new SocketsManifestPermission());
+  AssertEmptyPermission(permission.get());
+
+  // Clone()/Equal()
+  scoped_ptr<SocketsManifestPermission> clone(
+      static_cast<SocketsManifestPermission*>(permission->Clone()));
+  AssertEmptyPermission(clone.get());
+
+  EXPECT_TRUE(permission->Equal(clone.get()));
+
+  // ToValue()/FromValue()
+  scoped_ptr<const base::Value> value(permission->ToValue());
+  EXPECT_TRUE(value.get());
+
+  scoped_ptr<SocketsManifestPermission> permission2(
+      new SocketsManifestPermission());
+  EXPECT_TRUE(permission2->FromValue(value.get()));
+  AssertEmptyPermission(permission2.get());
+
+  // Union/Diff/Intersection
+  scoped_ptr<SocketsManifestPermission> diff_perm(
+      static_cast<SocketsManifestPermission*>(permission->Diff(clone.get())));
+  AssertEmptyPermission(diff_perm.get());
+
+  scoped_ptr<SocketsManifestPermission> union_perm(
+      static_cast<SocketsManifestPermission*>(permission->Union(clone.get())));
+  AssertEmptyPermission(union_perm.get());
+
+  scoped_ptr<SocketsManifestPermission> intersect_perm(
+      static_cast<SocketsManifestPermission*>(
+          permission->Intersect(clone.get())));
+  AssertEmptyPermission(intersect_perm.get());
+
+  // IPC
+  scoped_ptr<SocketsManifestPermission> ipc_perm(
+      new SocketsManifestPermission());
+  scoped_ptr<SocketsManifestPermission> ipc_perm2(
+      new SocketsManifestPermission());
+
+  IPC::Message m;
+  ipc_perm->Write(&m);
+  PickleIterator iter(m);
+  EXPECT_TRUE(ipc_perm2->Read(&m, &iter));
+  AssertEmptyPermission(ipc_perm2.get());
+}
+
+TEST(SocketsManifestPermissionTest, General) {
+  std::string udp_send_string = "{ \"udp\": { \"send\": \"\" } }";
+  scoped_ptr<base::Value> udp_send(base::JSONReader::Read(udp_send_string));
+  EXPECT_TRUE(udp_send);
+
+  std::string udp_bind_string = "{ \"udp\": { \"bind\": \"127.0.0.1:3007\" } }";
+  scoped_ptr<base::Value> udp_bind(base::JSONReader::Read(udp_bind_string));
+  EXPECT_TRUE(udp_bind);
+
+  std::string tcp_connect_string =
+      "{ \"tcp\": { \"connect\": \"127.0.0.1:80\" } }";
+  scoped_ptr<base::Value> tcp_connect(
+      base::JSONReader::Read(tcp_connect_string));
+  EXPECT_TRUE(tcp_connect);
+
+  std::string tcp_server_listen_string =
+      "{ \"tcpServer\": { \"listen\": \"127.0.0.1:80\" } }";
+  scoped_ptr<base::Value> tcp_server_listen(
+      base::JSONReader::Read(tcp_server_listen_string));
+  EXPECT_TRUE(tcp_server_listen);
+
+  // FromValue()
+  scoped_ptr<SocketsManifestPermission> permission1(
+      new SocketsManifestPermission());
+  EXPECT_TRUE(permission1->FromValue(udp_send.get()));
+  EXPECT_EQ(1u, permission1->entries().size());
+
+  scoped_ptr<SocketsManifestPermission> permission2(
+      new SocketsManifestPermission());
+  EXPECT_TRUE(permission2->FromValue(udp_bind.get()));
+  EXPECT_EQ(1u, permission2->entries().size());
+
+  scoped_ptr<SocketsManifestPermission> permission3(
+      new SocketsManifestPermission());
+  EXPECT_TRUE(permission3->FromValue(tcp_connect.get()));
+  EXPECT_EQ(1u, permission3->entries().size());
+
+  scoped_ptr<SocketsManifestPermission> permission4(
+      new SocketsManifestPermission());
+  EXPECT_TRUE(permission4->FromValue(tcp_server_listen.get()));
+  EXPECT_EQ(1u, permission4->entries().size());
+
+  // ToValue()
+  scoped_ptr<base::Value> value1 = permission1->ToValue();
+  EXPECT_TRUE(value1);
+  scoped_ptr<SocketsManifestPermission> permission1_1(
+      new SocketsManifestPermission());
+  EXPECT_TRUE(permission1_1->FromValue(value1.get()));
+  EXPECT_TRUE(permission1->Equal(permission1_1.get()));
+
+  scoped_ptr<base::Value> value2 = permission2->ToValue();
+  EXPECT_TRUE(value2);
+  scoped_ptr<SocketsManifestPermission> permission2_1(
+      new SocketsManifestPermission());
+  EXPECT_TRUE(permission2_1->FromValue(value2.get()));
+  EXPECT_TRUE(permission2->Equal(permission2_1.get()));
+
+  scoped_ptr<base::Value> value3 = permission3->ToValue();
+  EXPECT_TRUE(value3);
+  scoped_ptr<SocketsManifestPermission> permission3_1(
+      new SocketsManifestPermission());
+  EXPECT_TRUE(permission3_1->FromValue(value3.get()));
+  EXPECT_TRUE(permission3->Equal(permission3_1.get()));
+
+  scoped_ptr<base::Value> value4 = permission4->ToValue();
+  EXPECT_TRUE(value4);
+  scoped_ptr<SocketsManifestPermission> permission4_1(
+      new SocketsManifestPermission());
+  EXPECT_TRUE(permission4_1->FromValue(value4.get()));
+  EXPECT_TRUE(permission4->Equal(permission4_1.get()));
+
+  // Union/Diff/Intersection
+  scoped_ptr<SocketsManifestPermission> union_perm(
+      static_cast<SocketsManifestPermission*>(
+          permission1->Union(permission2.get())));
+  EXPECT_TRUE(union_perm);
+  EXPECT_EQ(2u, union_perm->entries().size());
+
+  EXPECT_TRUE(union_perm->Contains(permission1.get()));
+  EXPECT_TRUE(union_perm->Contains(permission2.get()));
+  EXPECT_FALSE(union_perm->Contains(permission3.get()));
+  EXPECT_FALSE(union_perm->Contains(permission4.get()));
+
+  scoped_ptr<SocketsManifestPermission> diff_perm1(
+      static_cast<SocketsManifestPermission*>(
+          permission1->Diff(permission2.get())));
+  EXPECT_TRUE(diff_perm1);
+  EXPECT_EQ(1u, diff_perm1->entries().size());
+
+  EXPECT_TRUE(permission1->Equal(diff_perm1.get()));
+  EXPECT_TRUE(diff_perm1->Equal(permission1.get()));
+
+  scoped_ptr<SocketsManifestPermission> diff_perm2(
+      static_cast<SocketsManifestPermission*>(
+          permission1->Diff(union_perm.get())));
+  EXPECT_TRUE(diff_perm2);
+  AssertEmptyPermission(diff_perm2.get());
+
+  scoped_ptr<SocketsManifestPermission> intersect_perm1(
+      static_cast<SocketsManifestPermission*>(
+          union_perm->Intersect(permission1.get())));
+  EXPECT_TRUE(intersect_perm1);
+  EXPECT_EQ(1u, intersect_perm1->entries().size());
+
+  EXPECT_TRUE(permission1->Equal(intersect_perm1.get()));
+  EXPECT_TRUE(intersect_perm1->Equal(permission1.get()));
+
+}
+
+}  // namespace extensions
diff --git a/chrome/common/extensions/chrome_manifest_handlers.cc b/chrome/common/extensions/chrome_manifest_handlers.cc
index 3363b79..e832639 100644
--- a/chrome/common/extensions/chrome_manifest_handlers.cc
+++ b/chrome/common/extensions/chrome_manifest_handlers.cc
@@ -20,7 +20,7 @@
 #include "chrome/common/extensions/api/media_galleries_private/media_galleries_handler.h"
 #include "chrome/common/extensions/api/omnibox/omnibox_handler.h"
 #include "chrome/common/extensions/api/plugins/plugins_handler.h"
-#include "chrome/common/extensions/api/sockets/sockets_handler.h"
+#include "chrome/common/extensions/api/sockets/sockets_manifest_handler.h"
 #include "chrome/common/extensions/api/speech/tts_engine_manifest_handler.h"
 #include "chrome/common/extensions/api/spellcheck/spellcheck_handler.h"
 #include "chrome/common/extensions/api/system_indicator/system_indicator_handler.h"
@@ -90,7 +90,7 @@ void RegisterChromeManifestHandlers() {
   (new SettingsOverridesHandler)->Register();
   (new ScriptBadgeHandler)->Register();
   (new SharedModuleHandler)->Register();
-  (new SocketsHandler)->Register();
+  (new SocketsManifestHandler)->Register();
   (new SpellcheckHandler)->Register();
   (new StorageSchemaManifestHandler)->Register();
   (new SystemIndicatorHandler)->Register();
diff --git a/chrome/common/extensions/extension.cc b/chrome/common/extensions/extension.cc
index e118bdc..71018cc 100644
--- a/chrome/common/extensions/extension.cc
+++ b/chrome/common/extensions/extension.cc
@@ -557,6 +557,7 @@ bool Extension::InitFromValue(int flags, string16* error) {
 
   finished_parsing_manifest_ = true;
 
+  permissions_data_->InitializeManifestPermissions(this);
   permissions_data_->FinalizePermissions(this);
 
   return true;
diff --git a/chrome/common/extensions/extension.h b/chrome/common/extensions/extension.h
index d88b4da..2bb79eb 100644
--- a/chrome/common/extensions/extension.h
+++ b/chrome/common/extensions/extension.h
@@ -45,6 +45,7 @@ class ImageSkia;
 namespace extensions {
 class PermissionsData;
 class APIPermissionSet;
+class ManifestPermissionSet;
 class PermissionSet;
 
 // Represents a Chrome extension.
diff --git a/chrome/common/extensions/extension_messages.cc b/chrome/common/extensions/extension_messages.cc
index 0e3c5e4..a8acbf8 100644
--- a/chrome/common/extensions/extension_messages.cc
+++ b/chrome/common/extensions/extension_messages.cc
@@ -9,14 +9,17 @@
 #include "chrome/common/extensions/permissions/permissions_data.h"
 #include "content/public/common/common_param_traits.h"
 #include "extensions/common/manifest.h"
+#include "extensions/common/manifest_handler.h"
 #include "extensions/common/permissions/permissions_info.h"
 
 using extensions::APIPermission;
 using extensions::APIPermissionInfo;
-using extensions::APIPermissionMap;
 using extensions::APIPermissionSet;
 using extensions::Extension;
 using extensions::Manifest;
+using extensions::ManifestHandler;
+using extensions::ManifestPermission;
+using extensions::ManifestPermissionSet;
 using extensions::PermissionSet;
 using extensions::URLPatternSet;
 
@@ -32,6 +35,8 @@ ExtensionMsg_Loaded_Params::ExtensionMsg_Loaded_Params(
       location(extension->location()),
       path(extension->path()),
       apis(extension->GetActivePermissions()->apis()),
+      manifest_permissions(
+          extension->GetActivePermissions()->manifest_permissions()),
       explicit_hosts(extension->GetActivePermissions()->explicit_hosts()),
       scriptable_hosts(extension->GetActivePermissions()->scriptable_hosts()),
       id(extension->id()),
@@ -45,7 +50,8 @@ scoped_refptr<Extension> ExtensionMsg_Loaded_Params::ConvertToExtension(
   if (extension.get()) {
     extensions::PermissionsData::SetActivePermissions(
         extension.get(),
-        new PermissionSet(apis, explicit_hosts, scriptable_hosts));
+        new PermissionSet(apis, manifest_permissions,
+                          explicit_hosts, scriptable_hosts));
   }
   return extension;
 }
@@ -183,6 +189,41 @@ void ParamTraits<APIPermissionSet>::Log(
   LogParam(p.map(), l);
 }
 
+void ParamTraits<ManifestPermissionSet>::Write(
+    Message* m, const param_type& p) {
+  ManifestPermissionSet::const_iterator it = p.begin();
+  const ManifestPermissionSet::const_iterator end = p.end();
+  WriteParam(m, p.size());
+  for (; it != end; ++it) {
+    WriteParam(m, it->name());
+    it->Write(m);
+  }
+}
+
+bool ParamTraits<ManifestPermissionSet>::Read(
+    const Message* m, PickleIterator* iter, param_type* r) {
+  size_t size;
+  if (!ReadParam(m, iter, &size))
+    return false;
+  for (size_t i = 0; i < size; ++i) {
+    std::string name;
+    if (!ReadParam(m, iter, &name))
+      return false;
+    scoped_ptr<ManifestPermission> p(ManifestHandler::CreatePermission(name));
+    if (!p)
+      return false;
+    if (!p->Read(m, iter))
+      return false;
+    r->insert(p.release());
+  }
+  return true;
+}
+
+void ParamTraits<ManifestPermissionSet>::Log(
+    const param_type& p, std::string* l) {
+  LogParam(p.map(), l);
+}
+
 void ParamTraits<ExtensionMsg_Loaded_Params>::Write(Message* m,
                                                     const param_type& p) {
   WriteParam(m, p.location);
diff --git a/chrome/common/extensions/extension_messages.h b/chrome/common/extensions/extension_messages.h
index 8e0d843..f7f6a09 100644
--- a/chrome/common/extensions/extension_messages.h
+++ b/chrome/common/extensions/extension_messages.h
@@ -143,6 +143,16 @@ IPC_STRUCT_BEGIN(ExtensionMsg_ExternalConnectionInfo)
   IPC_STRUCT_MEMBER(GURL, source_url)
 IPC_STRUCT_END()
 
+// Parameters structure for ExtensionMsg_UpdatePermissions.
+IPC_STRUCT_BEGIN(ExtensionMsg_UpdatePermissions_Params)
+  IPC_STRUCT_MEMBER(int /* UpdateExtensionPermissionsInfo::REASON */, reason_id)
+  IPC_STRUCT_MEMBER(std::string, extension_id)
+  IPC_STRUCT_MEMBER(extensions::APIPermissionSet, apis)
+  IPC_STRUCT_MEMBER(extensions::ManifestPermissionSet, manifest_permissions)
+  IPC_STRUCT_MEMBER(extensions::URLPatternSet, explicit_hosts)
+  IPC_STRUCT_MEMBER(extensions::URLPatternSet, scriptable_hosts)
+IPC_STRUCT_END()
+
 IPC_STRUCT_TRAITS_BEGIN(WebApplicationInfo::IconInfo)
   IPC_STRUCT_TRAITS_MEMBER(url)
   IPC_STRUCT_TRAITS_MEMBER(width)
@@ -233,6 +243,7 @@ struct ExtensionMsg_Loaded_Params {
 
   // The extension's active permissions.
   extensions::APIPermissionSet apis;
+  extensions::ManifestPermissionSet manifest_permissions;
   extensions::URLPatternSet explicit_hosts;
   extensions::URLPatternSet scriptable_hosts;
 
@@ -284,6 +295,14 @@ struct ParamTraits<extensions::APIPermissionSet> {
 };
 
 template <>
+struct ParamTraits<extensions::ManifestPermissionSet> {
+  typedef extensions::ManifestPermissionSet param_type;
+  static void Write(Message* m, const param_type& p);
+  static bool Read(const Message* m, PickleIterator* iter, param_type* r);
+  static void Log(const param_type& p, std::string* l);
+};
+
+template <>
 struct ParamTraits<ExtensionMsg_Loaded_Params> {
   typedef ExtensionMsg_Loaded_Params param_type;
   static void Write(Message* m, const param_type& p);
@@ -374,12 +393,8 @@ IPC_MESSAGE_ROUTED1(ExtensionMsg_SetTabId,
                     int /* id of tab */)
 
 // Tell the renderer to update an extension's permission set.
-IPC_MESSAGE_CONTROL5(ExtensionMsg_UpdatePermissions,
-                     int /* UpdateExtensionPermissionsInfo::REASON */,
-                     std::string /* extension_id */,
-                     extensions::APIPermissionSet /* permissions */,
-                     extensions::URLPatternSet /* explicit_hosts */,
-                     extensions::URLPatternSet /* scriptable_hosts */)
+IPC_MESSAGE_CONTROL1(ExtensionMsg_UpdatePermissions,
+                     ExtensionMsg_UpdatePermissions_Params)
 
 // Tell the renderer about new tab-specific permissions for an extension.
 IPC_MESSAGE_CONTROL4(ExtensionMsg_UpdateTabSpecificPermissions,
diff --git a/chrome/common/extensions/permissions/chrome_permission_message_provider.cc b/chrome/common/extensions/permissions/chrome_permission_message_provider.cc
index e5105cb..cd04710 100644
--- a/chrome/common/extensions/permissions/chrome_permission_message_provider.cc
+++ b/chrome/common/extensions/permissions/chrome_permission_message_provider.cc
@@ -37,8 +37,12 @@ PermissionMessages ChromePermissionMessageProvider::GetPermissionMessages(
   std::set<PermissionMessage> host_msgs =
       GetHostPermissionMessages(permissions, extension_type);
   std::set<PermissionMessage> api_msgs = GetAPIPermissionMessages(permissions);
+  std::set<PermissionMessage> manifest_permission_msgs =
+      GetManifestPermissionMessages(permissions);
   messages.insert(messages.end(), host_msgs.begin(), host_msgs.end());
   messages.insert(messages.end(), api_msgs.begin(), api_msgs.end());
+  messages.insert(messages.end(), manifest_permission_msgs.begin(),
+                  manifest_permission_msgs.end());
 
   return messages;
 }
@@ -193,6 +197,22 @@ ChromePermissionMessageProvider::GetAPIPermissionMessages(
 }
 
 std::set<PermissionMessage>
+ChromePermissionMessageProvider::GetManifestPermissionMessages(
+    const PermissionSet* permissions) const {
+  std::set<PermissionMessage> messages;
+  for (ManifestPermissionSet::const_iterator permission_it =
+           permissions->manifest_permissions().begin();
+      permission_it != permissions->manifest_permissions().end();
+      ++permission_it) {
+    if (permission_it->HasMessages()) {
+      PermissionMessages new_messages = permission_it->GetMessages();
+      messages.insert(new_messages.begin(), new_messages.end());
+    }
+  }
+  return messages;
+}
+
+std::set<PermissionMessage>
 ChromePermissionMessageProvider::GetHostPermissionMessages(
     const PermissionSet* permissions,
     Manifest::Type extension_type) const {
diff --git a/chrome/common/extensions/permissions/chrome_permission_message_provider.h b/chrome/common/extensions/permissions/chrome_permission_message_provider.h
index 05125f4..44b122c 100644
--- a/chrome/common/extensions/permissions/chrome_permission_message_provider.h
+++ b/chrome/common/extensions/permissions/chrome_permission_message_provider.h
@@ -39,6 +39,10 @@ class ChromePermissionMessageProvider : public PermissionMessageProvider {
   std::set<PermissionMessage> GetAPIPermissionMessages(
       const PermissionSet* permissions) const;
 
+  // Gets the permission messages for the Manifest permissions.
+  std::set<PermissionMessage> GetManifestPermissionMessages(
+      const PermissionSet* permissions) const;
+
   // Gets the permission messages for the host permissions.
   std::set<PermissionMessage> GetHostPermissionMessages(
       const PermissionSet* permissions,
diff --git a/chrome/common/extensions/permissions/permission_set_unittest.cc b/chrome/common/extensions/permissions/permission_set_unittest.cc
index 7ee32eb..302df86 100644
--- a/chrome/common/extensions/permissions/permission_set_unittest.cc
+++ b/chrome/common/extensions/permissions/permission_set_unittest.cc
@@ -202,6 +202,7 @@ TEST(PermissionsTest, EffectiveHostPermissions) {
 
 TEST(PermissionsTest, ExplicitAccessToOrigin) {
   APIPermissionSet apis;
+  ManifestPermissionSet manifest_permissions;
   URLPatternSet explicit_hosts;
   URLPatternSet scriptable_hosts;
 
@@ -210,7 +211,7 @@ TEST(PermissionsTest, ExplicitAccessToOrigin) {
   AddPattern(&explicit_hosts, "http://www.example.com/a/particular/path/*");
 
   scoped_refptr<PermissionSet> perm_set = new PermissionSet(
-      apis, explicit_hosts, scriptable_hosts);
+      apis, manifest_permissions, explicit_hosts, scriptable_hosts);
   ASSERT_TRUE(perm_set->HasExplicitAccessToOrigin(
       GURL("http://www.google.com/")));
   ASSERT_TRUE(perm_set->HasExplicitAccessToOrigin(
@@ -226,6 +227,7 @@ TEST(PermissionsTest, ExplicitAccessToOrigin) {
 TEST(PermissionsTest, CreateUnion) {
   APIPermission* permission = NULL;
 
+  ManifestPermissionSet manifest_permissions;
   APIPermissionSet apis1;
   APIPermissionSet apis2;
   APIPermissionSet expected_apis;
@@ -270,8 +272,10 @@ TEST(PermissionsTest, CreateUnion) {
   AddPattern(&expected_explicit_hosts, "http://*.google.com/*");
   AddPattern(&effective_hosts, "http://*.google.com/*");
 
-  set1 = new PermissionSet(apis1, explicit_hosts1, scriptable_hosts1);
-  set2 = new PermissionSet(apis2, explicit_hosts2, scriptable_hosts2);
+  set1 = new PermissionSet(apis1, manifest_permissions,
+                           explicit_hosts1, scriptable_hosts1);
+  set2 = new PermissionSet(apis2, manifest_permissions,
+                           explicit_hosts2, scriptable_hosts2);
   union_set = PermissionSet::CreateUnion(set1.get(), set2.get());
   EXPECT_TRUE(set1->Contains(*set2.get()));
   EXPECT_TRUE(set1->Contains(*union_set.get()));
@@ -332,7 +336,8 @@ TEST(PermissionsTest, CreateUnion) {
   URLPatternSet::CreateUnion(
       explicit_hosts2, scriptable_hosts2, &effective_hosts);
 
-  set2 = new PermissionSet(apis2, explicit_hosts2, scriptable_hosts2);
+  set2 = new PermissionSet(apis2, manifest_permissions,
+                           explicit_hosts2, scriptable_hosts2);
   union_set = PermissionSet::CreateUnion(set1.get(), set2.get());
 
   EXPECT_FALSE(set1->Contains(*set2.get()));
@@ -353,6 +358,7 @@ TEST(PermissionsTest, CreateUnion) {
 TEST(PermissionsTest, CreateIntersection) {
   APIPermission* permission = NULL;
 
+  ManifestPermissionSet manifest_permissions;
   APIPermissionSet apis1;
   APIPermissionSet apis2;
   APIPermissionSet expected_apis;
@@ -393,8 +399,10 @@ TEST(PermissionsTest, CreateIntersection) {
   AddPattern(&explicit_hosts1, "http://*.google.com/*");
   AddPattern(&scriptable_hosts1, "http://www.reddit.com/*");
 
-  set1 = new PermissionSet(apis1, explicit_hosts1, scriptable_hosts1);
-  set2 = new PermissionSet(apis2, explicit_hosts2, scriptable_hosts2);
+  set1 = new PermissionSet(apis1, manifest_permissions,
+                           explicit_hosts1, scriptable_hosts1);
+  set2 = new PermissionSet(apis2, manifest_permissions,
+                           explicit_hosts2, scriptable_hosts2);
   new_set = PermissionSet::CreateIntersection(set1.get(), set2.get());
   EXPECT_TRUE(set1->Contains(*new_set.get()));
   EXPECT_TRUE(set2->Contains(*new_set.get()));
@@ -447,7 +455,8 @@ TEST(PermissionsTest, CreateIntersection) {
   effective_hosts.ClearPatterns();
   AddPattern(&effective_hosts, "http://*.google.com/*");
 
-  set2 = new PermissionSet(apis2, explicit_hosts2, scriptable_hosts2);
+  set2 = new PermissionSet(apis2, manifest_permissions,
+                           explicit_hosts2, scriptable_hosts2);
   new_set = PermissionSet::CreateIntersection(set1.get(), set2.get());
 
   EXPECT_TRUE(set1->Contains(*new_set.get()));
@@ -468,6 +477,7 @@ TEST(PermissionsTest, CreateIntersection) {
 TEST(PermissionsTest, CreateDifference) {
   APIPermission* permission = NULL;
 
+  ManifestPermissionSet manifest_permissions;
   APIPermissionSet apis1;
   APIPermissionSet apis2;
   APIPermissionSet expected_apis;
@@ -508,8 +518,10 @@ TEST(PermissionsTest, CreateDifference) {
   AddPattern(&explicit_hosts1, "http://*.google.com/*");
   AddPattern(&scriptable_hosts1, "http://www.reddit.com/*");
 
-  set1 = new PermissionSet(apis1, explicit_hosts1, scriptable_hosts1);
-  set2 = new PermissionSet(apis2, explicit_hosts2, scriptable_hosts2);
+  set1 = new PermissionSet(apis1, manifest_permissions,
+                           explicit_hosts1, scriptable_hosts1);
+  set2 = new PermissionSet(apis2, manifest_permissions,
+                           explicit_hosts2, scriptable_hosts2);
   new_set = PermissionSet::CreateDifference(set1.get(), set2.get());
   EXPECT_EQ(*set1.get(), *new_set.get());
 
@@ -550,7 +562,8 @@ TEST(PermissionsTest, CreateDifference) {
   effective_hosts.ClearPatterns();
   AddPattern(&effective_hosts, "http://www.reddit.com/*");
 
-  set2 = new PermissionSet(apis2, explicit_hosts2, scriptable_hosts2);
+  set2 = new PermissionSet(apis2, manifest_permissions,
+                           explicit_hosts2, scriptable_hosts2);
   new_set = PermissionSet::CreateDifference(set1.get(), set2.get());
 
   EXPECT_TRUE(set1->Contains(*new_set.get()));
@@ -773,7 +786,8 @@ TEST(PermissionsTest, FileSystemPermissionMessages) {
   api_permissions.insert(APIPermission::kFileSystemWrite);
   api_permissions.insert(APIPermission::kFileSystemDirectory);
   scoped_refptr<PermissionSet> permissions(
-      new PermissionSet(api_permissions, URLPatternSet(), URLPatternSet()));
+      new PermissionSet(api_permissions, ManifestPermissionSet(),
+                        URLPatternSet(), URLPatternSet()));
   PermissionMessages messages =
       PermissionMessageProvider::Get()->GetPermissionMessages(
           permissions, Manifest::TYPE_PLATFORM_APP);
@@ -794,7 +808,8 @@ TEST(PermissionsTest, HiddenFileSystemPermissionMessages) {
   api_permissions.insert(APIPermission::kFileSystemDirectory);
   api_permissions.insert(APIPermission::kFileSystemWriteDirectory);
   scoped_refptr<PermissionSet> permissions(
-      new PermissionSet(api_permissions, URLPatternSet(), URLPatternSet()));
+      new PermissionSet(api_permissions, ManifestPermissionSet(),
+                        URLPatternSet(), URLPatternSet()));
   PermissionMessages messages =
       PermissionMessageProvider::Get()->GetPermissionMessages(
           permissions, Manifest::TYPE_PLATFORM_APP);
@@ -805,19 +820,24 @@ TEST(PermissionsTest, HiddenFileSystemPermissionMessages) {
 TEST(PermissionsTest, MergedFileSystemPermissionComparison) {
   APIPermissionSet write_api_permissions;
   write_api_permissions.insert(APIPermission::kFileSystemWrite);
-  scoped_refptr<PermissionSet> write_permissions(new PermissionSet(
-      write_api_permissions, URLPatternSet(), URLPatternSet()));
+  scoped_refptr<PermissionSet> write_permissions(
+      new PermissionSet(write_api_permissions, ManifestPermissionSet(),
+                        URLPatternSet(), URLPatternSet()));
 
   APIPermissionSet directory_api_permissions;
   directory_api_permissions.insert(APIPermission::kFileSystemDirectory);
-  scoped_refptr<PermissionSet> directory_permissions(new PermissionSet(
-      directory_api_permissions, URLPatternSet(), URLPatternSet()));
+  scoped_refptr<PermissionSet> directory_permissions(
+      new PermissionSet(directory_api_permissions, ManifestPermissionSet(),
+                        URLPatternSet(), URLPatternSet()));
 
   APIPermissionSet write_directory_api_permissions;
   write_directory_api_permissions.insert(
       APIPermission::kFileSystemWriteDirectory);
-  scoped_refptr<PermissionSet> write_directory_permissions(new PermissionSet(
-      write_directory_api_permissions, URLPatternSet(), URLPatternSet()));
+  scoped_refptr<PermissionSet> write_directory_permissions(
+      new PermissionSet(write_directory_api_permissions,
+                        ManifestPermissionSet(),
+                        URLPatternSet(),
+                        URLPatternSet()));
 
   const PermissionMessageProvider* provider = PermissionMessageProvider::Get();
   EXPECT_FALSE(provider->IsPrivilegeIncrease(write_directory_permissions,
@@ -1161,7 +1181,8 @@ TEST(PermissionsTest, GetDistinctHosts) {
     expected.insert("*.example.com");
 
     scoped_refptr<PermissionSet> perm_set(new PermissionSet(
-        empty_perms, explicit_hosts, scriptable_hosts));
+        empty_perms, ManifestPermissionSet(),
+        explicit_hosts, scriptable_hosts));
     EXPECT_EQ(expected,
               permission_message_util::GetDistinctHosts(
                   perm_set->effective_hosts(), true, true));
@@ -1268,6 +1289,7 @@ TEST(PermissionsTest, GetDistinctHosts_FirstInListIs4thBestRcd) {
 TEST(PermissionsTest, IsHostPrivilegeIncrease) {
   Manifest::Type type = Manifest::TYPE_EXTENSION;
   const PermissionMessageProvider* provider = PermissionMessageProvider::Get();
+  ManifestPermissionSet empty_manifest_permissions;
   URLPatternSet elist1;
   URLPatternSet elist2;
   URLPatternSet slist1;
@@ -1286,8 +1308,10 @@ TEST(PermissionsTest, IsHostPrivilegeIncrease) {
   elist2.AddPattern(
       URLPattern(URLPattern::SCHEME_HTTP, "http://www.google.com.hk/path"));
 
-  set1 = new PermissionSet(empty_perms, elist1, slist1);
-  set2 = new PermissionSet(empty_perms, elist2, slist2);
+  set1 = new PermissionSet(empty_perms, empty_manifest_permissions,
+                           elist1, slist1);
+  set2 = new PermissionSet(empty_perms, empty_manifest_permissions,
+                           elist2, slist2);
 
   EXPECT_FALSE(provider->IsPrivilegeIncrease(set1, set2, type));
   EXPECT_FALSE(provider->IsPrivilegeIncrease(set2, set1, type));
@@ -1296,7 +1320,8 @@ TEST(PermissionsTest, IsHostPrivilegeIncrease) {
   elist2.ClearPatterns();
   elist2.AddPattern(
       URLPattern(URLPattern::SCHEME_HTTP, "http://www.google.com/*"));
-  set2 = new PermissionSet(empty_perms, elist2, slist2);
+  set2 = new PermissionSet(empty_perms, empty_manifest_permissions,
+                           elist2, slist2);
   EXPECT_FALSE(provider->IsPrivilegeIncrease(set1, set2, type));
   EXPECT_FALSE(provider->IsPrivilegeIncrease(set2, set1, type));
 
@@ -1304,7 +1329,8 @@ TEST(PermissionsTest, IsHostPrivilegeIncrease) {
   elist2.ClearPatterns();
   elist2.AddPattern(
       URLPattern(URLPattern::SCHEME_HTTP, "http://www.google.com.hk/*"));
-  set2 = new PermissionSet(empty_perms, elist2, slist2);
+  set2 = new PermissionSet(empty_perms, empty_manifest_permissions,
+                           elist2, slist2);
   EXPECT_FALSE(provider->IsPrivilegeIncrease(set1, set2, type));
   EXPECT_FALSE(provider->IsPrivilegeIncrease(set2, set1, type));
 
@@ -1312,7 +1338,8 @@ TEST(PermissionsTest, IsHostPrivilegeIncrease) {
   elist2.ClearPatterns();
   elist2.AddPattern(
       URLPattern(URLPattern::SCHEME_HTTP, "http://*.google.com.hk/*"));
-  set2 = new PermissionSet(empty_perms, elist2, slist2);
+  set2 = new PermissionSet(empty_perms, empty_manifest_permissions,
+                           elist2, slist2);
   EXPECT_TRUE(provider->IsPrivilegeIncrease(set1, set2, type));
   // TODO(jstritar): Does not match subdomains properly. http://crbug.com/65337
   // EXPECT_FALSE(provider->IsPrivilegeIncrease(set2, set1, type));
@@ -1323,7 +1350,8 @@ TEST(PermissionsTest, IsHostPrivilegeIncrease) {
       URLPattern(URLPattern::SCHEME_HTTP, "http://www.google.com/path"));
   elist2.AddPattern(
       URLPattern(URLPattern::SCHEME_HTTP, "http://www.example.org/path"));
-  set2 = new PermissionSet(empty_perms, elist2, slist2);
+  set2 = new PermissionSet(empty_perms, empty_manifest_permissions,
+                           elist2, slist2);
   EXPECT_TRUE(provider->IsPrivilegeIncrease(set1, set2, type));
   EXPECT_FALSE(provider->IsPrivilegeIncrease(set2, set1, type));
 
@@ -1331,7 +1359,8 @@ TEST(PermissionsTest, IsHostPrivilegeIncrease) {
   elist2.ClearPatterns();
   elist2.AddPattern(
       URLPattern(URLPattern::SCHEME_HTTP, "http://mail.google.com/*"));
-  set2 = new PermissionSet(empty_perms, elist2, slist2);
+  set2 = new PermissionSet(empty_perms, empty_manifest_permissions,
+                           elist2, slist2);
   EXPECT_TRUE(provider->IsPrivilegeIncrease(set1, set2, type));
   EXPECT_TRUE(provider->IsPrivilegeIncrease(set2, set1, type));
 
@@ -1351,7 +1380,7 @@ TEST(PermissionsTest, GetAPIsAsStrings) {
   apis.insert(APIPermission::kTab);
 
   scoped_refptr<PermissionSet> perm_set = new PermissionSet(
-      apis, empty_set, empty_set);
+      apis, ManifestPermissionSet(), empty_set, empty_set);
   std::set<std::string> api_names = perm_set->GetAPIsAsStrings();
 
   // The result is correct if it has the same number of elements
@@ -1369,25 +1398,26 @@ TEST(PermissionsTest, IsEmpty) {
   EXPECT_TRUE(empty->IsEmpty());
   scoped_refptr<PermissionSet> perm_set;
 
-  perm_set = new PermissionSet(empty_apis, empty_extent, empty_extent);
+  perm_set = new PermissionSet(empty_apis, ManifestPermissionSet(),
+                               empty_extent, empty_extent);
   EXPECT_TRUE(perm_set->IsEmpty());
 
   APIPermissionSet non_empty_apis;
   non_empty_apis.insert(APIPermission::kBackground);
-  perm_set = new PermissionSet(
-      non_empty_apis, empty_extent, empty_extent);
+  perm_set = new PermissionSet(non_empty_apis, ManifestPermissionSet(),
+                               empty_extent, empty_extent);
   EXPECT_FALSE(perm_set->IsEmpty());
 
   // Try non standard host
   URLPatternSet non_empty_extent;
   AddPattern(&non_empty_extent, "http://www.google.com/*");
 
-  perm_set = new PermissionSet(
-      empty_apis, non_empty_extent, empty_extent);
+  perm_set = new PermissionSet(empty_apis, ManifestPermissionSet(),
+                               non_empty_extent, empty_extent);
   EXPECT_FALSE(perm_set->IsEmpty());
 
-  perm_set = new PermissionSet(
-      empty_apis, empty_extent, non_empty_extent);
+  perm_set = new PermissionSet(empty_apis, ManifestPermissionSet(),
+                               empty_extent, non_empty_extent);
   EXPECT_FALSE(perm_set->IsEmpty());
 }
 
@@ -1399,7 +1429,8 @@ TEST(PermissionsTest, ImpliedPermissions) {
   EXPECT_EQ(2U, apis.size());
 
   scoped_refptr<PermissionSet> perm_set;
-  perm_set = new PermissionSet(apis, empty_extent, empty_extent);
+  perm_set = new PermissionSet(apis, ManifestPermissionSet(),
+                               empty_extent, empty_extent);
   EXPECT_EQ(4U, perm_set->apis().size());
 }
 
@@ -1429,7 +1460,8 @@ TEST(PermissionsTest, ChromeURLs) {
   allowed_hosts.AddPattern(
       URLPattern(URLPattern::SCHEME_ALL, "chrome://thumb/"));
   scoped_refptr<PermissionSet> permissions(
-      new PermissionSet(APIPermissionSet(), allowed_hosts, URLPatternSet()));
+      new PermissionSet(APIPermissionSet(), ManifestPermissionSet(),
+                        allowed_hosts, URLPatternSet()));
   PermissionMessageProvider::Get()->
       GetPermissionMessages(permissions, Manifest::TYPE_EXTENSION);
 }
diff --git a/chrome/common/extensions/permissions/permissions_data.cc b/chrome/common/extensions/permissions/permissions_data.cc
index 961d719..e023712 100644
--- a/chrome/common/extensions/permissions/permissions_data.cc
+++ b/chrome/common/extensions/permissions/permissions_data.cc
@@ -12,6 +12,7 @@
 #include "base/strings/utf_string_conversions.h"
 #include "base/values.h"
 #include "chrome/common/extensions/extension.h"
+#include "chrome/common/extensions/extension_constants.h"
 #include "content/public/common/url_constants.h"
 #include "extensions/common/constants.h"
 #include "extensions/common/error_utils.h"
@@ -20,6 +21,7 @@
 #include "extensions/common/features/feature_provider.h"
 #include "extensions/common/manifest.h"
 #include "extensions/common/manifest_constants.h"
+#include "extensions/common/manifest_handler.h"
 #include "extensions/common/permissions/api_permission_set.h"
 #include "extensions/common/permissions/permission_message_provider.h"
 #include "extensions/common/permissions/permission_set.h"
@@ -244,6 +246,7 @@ bool IsTrustedId(const std::string& extension_id) {
 
 struct PermissionsData::InitialPermissions {
   APIPermissionSet api_permissions;
+  ManifestPermissionSet manifest_permissions;
   URLPatternSet host_permissions;
   URLPatternSet scriptable_hosts;
 };
@@ -593,19 +596,27 @@ bool PermissionsData::ParsePermissions(Extension* extension, string16* error) {
   return true;
 }
 
+void PermissionsData::InitializeManifestPermissions(Extension* extension) {
+  ManifestHandler::AddExtensionInitialRequiredPermissions(
+    extension, &initial_required_permissions_->manifest_permissions);
+}
+
 void PermissionsData::FinalizePermissions(Extension* extension) {
   active_permissions_ = new PermissionSet(
       initial_required_permissions_->api_permissions,
+      initial_required_permissions_->manifest_permissions,
       initial_required_permissions_->host_permissions,
       initial_required_permissions_->scriptable_hosts);
 
   required_permission_set_ = new PermissionSet(
       initial_required_permissions_->api_permissions,
+      initial_required_permissions_->manifest_permissions,
       initial_required_permissions_->host_permissions,
       initial_required_permissions_->scriptable_hosts);
 
   optional_permission_set_ = new PermissionSet(
       initial_optional_permissions_->api_permissions,
+      initial_optional_permissions_->manifest_permissions,
       initial_optional_permissions_->host_permissions,
       URLPatternSet());
 
diff --git a/chrome/common/extensions/permissions/permissions_data.h b/chrome/common/extensions/permissions/permissions_data.h
index 60534ec..d0b6413 100644
--- a/chrome/common/extensions/permissions/permissions_data.h
+++ b/chrome/common/extensions/permissions/permissions_data.h
@@ -22,6 +22,7 @@ namespace extensions {
 class PermissionSet;
 class APIPermissionSet;
 class Extension;
+class ManifestPermissionSet;
 class URLPatternSet;
 class UserScript;
 
@@ -180,6 +181,9 @@ class PermissionsData {
   // Parse the permissions of a given extension in the initialization process.
   bool ParsePermissions(Extension* extension, string16* error);
 
+  // Ensure manifest handlers provide their custom manifest permissions.
+  void InitializeManifestPermissions(Extension* extension);
+
   // Finalize permissions after the initialization process completes.
   void FinalizePermissions(Extension* extension);
 
diff --git a/chrome/common/extensions/permissions/permissions_data_unittest.cc b/chrome/common/extensions/permissions/permissions_data_unittest.cc
index c2bdb07..f4e0d3e 100644
--- a/chrome/common/extensions/permissions/permissions_data_unittest.cc
+++ b/chrome/common/extensions/permissions/permissions_data_unittest.cc
@@ -548,7 +548,8 @@ TEST_F(ExtensionScriptAndCaptureVisibleTest, TabSpecific) {
 
   {
     scoped_refptr<PermissionSet> permissions(
-        new PermissionSet(APIPermissionSet(), allowed_hosts, URLPatternSet()));
+        new PermissionSet(APIPermissionSet(), ManifestPermissionSet(),
+                          allowed_hosts, URLPatternSet()));
     PermissionsData::UpdateTabSpecificPermissions(
         extension.get(), 0, permissions);
     EXPECT_EQ(permissions->explicit_hosts(),
@@ -576,7 +577,8 @@ TEST_F(ExtensionScriptAndCaptureVisibleTest, TabSpecific) {
 
   {
     scoped_refptr<PermissionSet> permissions(
-        new PermissionSet(APIPermissionSet(), allowed_hosts, URLPatternSet()));
+        new PermissionSet(APIPermissionSet(),  ManifestPermissionSet(),
+                          allowed_hosts, URLPatternSet()));
     PermissionsData::UpdateTabSpecificPermissions(
         extension.get(), 0, permissions);
     EXPECT_EQ(permissions->explicit_hosts(),
@@ -584,6 +586,7 @@ TEST_F(ExtensionScriptAndCaptureVisibleTest, TabSpecific) {
                   ->explicit_hosts());
 
     permissions = new PermissionSet(APIPermissionSet(),
+                                    ManifestPermissionSet(),
                                     more_allowed_hosts,
                                     URLPatternSet());
     PermissionsData::UpdateTabSpecificPermissions(
diff --git a/chrome/renderer/extensions/dispatcher.cc b/chrome/renderer/extensions/dispatcher.cc
index ea5ca21..943e97d 100644
--- a/chrome/renderer/extensions/dispatcher.cc
+++ b/chrome/renderer/extensions/dispatcher.cc
@@ -1375,17 +1375,23 @@ void Dispatcher::AddOrRemoveBindings(const std::string& extension_id) {
                  base::Unretained(this)));
 }
 
-void Dispatcher::OnUpdatePermissions(int reason_id,
-                                     const std::string& extension_id,
-                                     const APIPermissionSet& apis,
-                                     const URLPatternSet& explicit_hosts,
-                                     const URLPatternSet& scriptable_hosts) {
+void Dispatcher::OnUpdatePermissions(
+  const ExtensionMsg_UpdatePermissions_Params& params) {
+  int reason_id = params.reason_id;
+  const std::string& extension_id = params.extension_id;
+  const APIPermissionSet& apis = params.apis;
+  const ManifestPermissionSet& manifest_permissions =
+      params.manifest_permissions;
+  const URLPatternSet& explicit_hosts = params.explicit_hosts;
+  const URLPatternSet& scriptable_hosts = params.scriptable_hosts;
+
   const Extension* extension = extensions_.GetByID(extension_id);
   if (!extension)
     return;
 
   scoped_refptr<const PermissionSet> delta =
-      new PermissionSet(apis, explicit_hosts, scriptable_hosts);
+      new PermissionSet(apis, manifest_permissions,
+                        explicit_hosts, scriptable_hosts);
   scoped_refptr<const PermissionSet> old_active =
       extension->GetActivePermissions();
   UpdatedExtensionPermissionsInfo::Reason reason =
@@ -1428,7 +1434,8 @@ void Dispatcher::OnUpdateTabSpecificPermissions(
   PermissionsData::UpdateTabSpecificPermissions(
       extension,
       tab_id,
-      new PermissionSet(APIPermissionSet(), origin_set, URLPatternSet()));
+      new PermissionSet(APIPermissionSet(), ManifestPermissionSet(),
+                        origin_set, URLPatternSet()));
 }
 
 void Dispatcher::OnClearTabSpecificPermissions(
diff --git a/chrome/renderer/extensions/dispatcher.h b/chrome/renderer/extensions/dispatcher.h
index 1501614..209f0e5 100644
--- a/chrome/renderer/extensions/dispatcher.h
+++ b/chrome/renderer/extensions/dispatcher.h
@@ -31,6 +31,7 @@ class ModuleSystem;
 class URLPattern;
 struct ExtensionMsg_ExternalConnectionInfo;
 struct ExtensionMsg_Loaded_Params;
+struct ExtensionMsg_UpdatePermissions_Params;
 
 namespace blink {
 class WebFrame;
@@ -50,6 +51,7 @@ namespace extensions {
 class ContentWatcher;
 class Extension;
 class FilteredEventRouter;
+class ManifestPermissionSet;
 class RequestSender;
 class UserScriptSlave;
 struct Message;
@@ -179,11 +181,7 @@ class Dispatcher : public content::RenderProcessObserver {
   void OnPageActionsUpdated(const std::string& extension_id,
       const std::vector<std::string>& page_actions);
   void OnActivateExtension(const std::string& extension_id);
-  void OnUpdatePermissions(int reason_id,
-                           const std::string& extension_id,
-                           const APIPermissionSet& apis,
-                           const URLPatternSet& explicit_hosts,
-                           const URLPatternSet& scriptable_hosts);
+  void OnUpdatePermissions(const ExtensionMsg_UpdatePermissions_Params& params);
   void OnUpdateTabSpecificPermissions(int page_id,
                                       int tab_id,
                                       const std::string& extension_id,
diff --git a/extensions/DEPS b/extensions/DEPS
index cd158fe..2b0dd51 100644
--- a/extensions/DEPS
+++ b/extensions/DEPS
@@ -14,4 +14,7 @@ specific_include_rules = {
   "^api_permission_set_unittest\.cc$": [
     "+chrome/common/extensions/extension_messages.h",
   ],
+  "^manifest_permission_set_unittest\.cc$": [
+    "+chrome/common/extensions/extension_messages.h",
+  ],
 }
diff --git a/extensions/common/extensions_client.h b/extensions/common/extensions_client.h
index 594e75b..fb6aba8 100644
--- a/extensions/common/extensions_client.h
+++ b/extensions/common/extensions_client.h
@@ -16,6 +16,7 @@ namespace extensions {
 class APIPermissionSet;
 class Extension;
 class FeatureProvider;
+class ManifestPermissionSet;
 class PermissionMessage;
 class PermissionMessageProvider;
 class PermissionsProvider;
diff --git a/extensions/common/manifest_handler.cc b/extensions/common/manifest_handler.cc
index 43e6bd8..944389d 100644
--- a/extensions/common/manifest_handler.cc
+++ b/extensions/common/manifest_handler.cc
@@ -9,6 +9,8 @@
 #include "base/logging.h"
 #include "base/stl_util.h"
 #include "chrome/common/extensions/extension.h"
+#include "extensions/common/permissions/manifest_permission.h"
+#include "extensions/common/permissions/manifest_permission_set.h"
 
 namespace extensions {
 
@@ -57,6 +59,15 @@ void ManifestHandler::Register() {
     GetRegistry()->RegisterManifestHandler(keys[i], this_linked);
 }
 
+ManifestPermission* ManifestHandler::CreatePermission() {
+  return NULL;
+}
+
+ManifestPermission* ManifestHandler::CreateInitialRequiredPermission(
+    const Extension* extension) {
+  return NULL;
+}
+
 // static
 void ManifestHandler::FinalizeRegistration() {
   GetRegistry()->Finalize();
@@ -80,6 +91,18 @@ bool ManifestHandler::ValidateExtension(const Extension* extension,
 }
 
 // static
+ManifestPermission* ManifestHandler::CreatePermission(const std::string& name) {
+  return GetRegistry()->CreatePermission(name);
+}
+
+// static
+void ManifestHandler::AddExtensionInitialRequiredPermissions(
+    const Extension* extension, ManifestPermissionSet* permission_set) {
+  return GetRegistry()->AddExtensionInitialRequiredPermissions(extension,
+                                                               permission_set);
+}
+
+// static
 const std::vector<std::string> ManifestHandler::SingleKey(
     const std::string& key) {
   return std::vector<std::string>(1, key);
@@ -144,6 +167,27 @@ bool ManifestHandlerRegistry::ValidateExtension(
   return true;
 }
 
+ManifestPermission* ManifestHandlerRegistry::CreatePermission(
+    const std::string& name) {
+  ManifestHandlerMap::const_iterator it = handlers_.find(name);
+  if (it == handlers_.end())
+    return NULL;
+
+  return it->second->CreatePermission();
+}
+
+void ManifestHandlerRegistry::AddExtensionInitialRequiredPermissions(
+    const Extension* extension, ManifestPermissionSet* permission_set) {
+  for (ManifestHandlerMap::const_iterator it = handlers_.begin();
+      it != handlers_.end(); ++it) {
+    ManifestPermission* permission =
+        it->second->CreateInitialRequiredPermission(extension);
+    if (permission) {
+      permission_set->insert(permission);
+    }
+  }
+}
+
 // static
 ManifestHandlerRegistry* ManifestHandlerRegistry::SetForTesting(
     ManifestHandlerRegistry* new_registry) {
diff --git a/extensions/common/manifest_handler.h b/extensions/common/manifest_handler.h
index fd7b571..90fbe84 100644
--- a/extensions/common/manifest_handler.h
+++ b/extensions/common/manifest_handler.h
@@ -16,6 +16,8 @@
 
 namespace extensions {
 class Extension;
+class ManifestPermission;
+class ManifestPermissionSet;
 
 // An interface for clients that recognize and parse keys in extension
 // manifests.
@@ -64,6 +66,19 @@ class ManifestHandler {
   // (new MyManifestHandler)->Register();
   void Register();
 
+  // Creates a |ManifestPermission| instance for the given manifest key |name|.
+  // The returned permission does not contain any permission data, so this
+  // method is usually used before calling |FromValue| or |Read|. Returns
+  // |NULL| if the manifest handler does not support custom permissions.
+  virtual ManifestPermission* CreatePermission();
+
+  // Creates a |ManifestPermission| instance containing the initial set of
+  // required manifest permissions for the given |extension|. Returns |NULL| if
+  // the manifest handler does not support custom permissions or if there was
+  // no manifest key in the extension manifest for this handler.
+  virtual ManifestPermission* CreateInitialRequiredPermission(
+      const Extension* extension);
+
   // Calling FinalizeRegistration indicates that there are no more
   // manifest handlers to be registered.
   static void FinalizeRegistration();
@@ -79,6 +94,20 @@ class ManifestHandler {
                                 std::string* error,
                                 std::vector<InstallWarning>* warnings);
 
+  // Calls |CreatePermission| on the manifest handler for |key|. Returns |NULL|
+  // if there is no manifest handler for |key| or if the manifest handler for
+  // |key| does not support custom permissions.
+  static ManifestPermission* CreatePermission(const std::string& key);
+
+  // Calls |CreateInitialRequiredPermission| on all registered manifest handlers
+  // and adds the returned permissions to |permission_set|. Note this should be
+  // called after all manifest data elements have been read, parsed and stored
+  // in the manifest data property of |extension|, as manifest handlers need
+  // access to their manifest data to initialize their required manifest
+  // permission.
+  static void AddExtensionInitialRequiredPermissions(
+      const Extension* extension, ManifestPermissionSet* permission_set);
+
  protected:
   // A convenience method for handlers that only register for 1 key,
   // so that they can define keys() { return SingleKey(kKey); }
@@ -108,6 +137,12 @@ class ManifestHandlerRegistry {
                          std::string* error,
                          std::vector<InstallWarning>* warnings);
 
+  ManifestPermission* CreatePermission(const std::string& key);
+
+  void AddExtensionInitialRequiredPermissions(
+      const Extension* extension,
+      ManifestPermissionSet* permission_set);
+
   // Overrides the current global ManifestHandlerRegistry with
   // |registry|, returning the current one.
   static ManifestHandlerRegistry* SetForTesting(
diff --git a/extensions/common/permissions/api_permission_set.cc b/extensions/common/permissions/api_permission_set.cc
index ebaf8d8..0ed7769 100644
--- a/extensions/common/permissions/api_permission_set.cc
+++ b/extensions/common/permissions/api_permission_set.cc
@@ -109,51 +109,6 @@ bool ParseChildPermissions(const std::string& base_name,
 
 }  // namespace
 
-APIPermissionSet::APIPermissionSet() {
-}
-
-APIPermissionSet::APIPermissionSet(const APIPermissionSet& set) {
-  this->operator=(set);
-}
-
-APIPermissionSet::~APIPermissionSet() {
-}
-
-APIPermissionSet::const_iterator::const_iterator(
-    const APIPermissionMap::const_iterator& it)
-  : it_(it) {
-}
-
-APIPermissionSet::const_iterator::const_iterator(
-    const const_iterator& ids_it)
-  : it_(ids_it.it_) {
-}
-
-APIPermissionSet& APIPermissionSet::operator=(const APIPermissionSet& rhs) {
-  const_iterator it = rhs.begin();
-  const const_iterator end = rhs.end();
-  while (it != end) {
-    insert(it->Clone());
-    ++it;
-  }
-  return *this;
-}
-
-bool APIPermissionSet::operator==(const APIPermissionSet& rhs) const {
-  const_iterator it = begin();
-  const_iterator rhs_it = rhs.begin();
-  const_iterator it_end = end();
-  const_iterator rhs_it_end = rhs.end();
-
-  while (it != it_end && rhs_it != rhs_it_end) {
-    if (!it->Equal(*rhs_it))
-      return false;
-    ++it;
-    ++rhs_it;
-  }
-  return it == it_end && rhs_it == rhs_it_end;
-}
-
 void APIPermissionSet::insert(APIPermission::ID id) {
   const APIPermissionInfo* permission_info =
       PermissionsInfo::GetInstance()->GetByID(id);
@@ -161,130 +116,7 @@ void APIPermissionSet::insert(APIPermission::ID id) {
 }
 
 void APIPermissionSet::insert(APIPermission* permission) {
-  map_[permission->id()].reset(permission);
-}
-
-bool APIPermissionSet::Contains(const APIPermissionSet& rhs) const {
-  APIPermissionSet::const_iterator it1 = begin();
-  APIPermissionSet::const_iterator it2 = rhs.begin();
-  APIPermissionSet::const_iterator end1 = end();
-  APIPermissionSet::const_iterator end2 = rhs.end();
-
-  while (it1 != end1 && it2 != end2) {
-    if (it1->id() > it2->id()) {
-      return false;
-    } else if (it1->id() < it2->id()) {
-      ++it1;
-    } else {
-        if (!it1->Contains(*it2))
-          return false;
-      ++it1;
-      ++it2;
-    }
-  }
-
-  return it2 == end2;
-}
-
-void APIPermissionSet::Difference(
-    const APIPermissionSet& set1,
-    const APIPermissionSet& set2,
-    APIPermissionSet* set3) {
-  CHECK(set3);
-  set3->clear();
-
-  APIPermissionSet::const_iterator it1 = set1.begin();
-  APIPermissionSet::const_iterator it2 = set2.begin();
-  const APIPermissionSet::const_iterator end1 = set1.end();
-  const APIPermissionSet::const_iterator end2 = set2.end();
-
-  while (it1 != end1 && it2 != end2) {
-    if (it1->id() < it2->id()) {
-      set3->insert(it1->Clone());
-      ++it1;
-    } else if (it1->id() > it2->id()) {
-      ++it2;
-    } else {
-      APIPermission* p = it1->Diff(*it2);
-      if (p)
-        set3->insert(p);
-      ++it1;
-      ++it2;
-    }
-  }
-
-  while (it1 != end1) {
-    set3->insert(it1->Clone());
-    ++it1;
-  }
-}
-
-void APIPermissionSet::Intersection(
-    const APIPermissionSet& set1,
-    const APIPermissionSet& set2,
-    APIPermissionSet* set3) {
-  DCHECK(set3);
-  set3->clear();
-
-  APIPermissionSet::const_iterator it1 = set1.begin();
-  APIPermissionSet::const_iterator it2 = set2.begin();
-  const APIPermissionSet::const_iterator end1 = set1.end();
-  const APIPermissionSet::const_iterator end2 = set2.end();
-
-  while (it1 != end1 && it2 != end2) {
-    if (it1->id() < it2->id()) {
-      ++it1;
-    } else if (it1->id() > it2->id()) {
-      ++it2;
-    } else {
-      APIPermission* p = it1->Intersect(*it2);
-      if (p)
-        set3->insert(p);
-      ++it1;
-      ++it2;
-    }
-  }
-}
-
-void APIPermissionSet::Union(
-    const APIPermissionSet& set1,
-    const APIPermissionSet& set2,
-    APIPermissionSet* set3) {
-  DCHECK(set3);
-  set3->clear();
-
-  APIPermissionSet::const_iterator it1 = set1.begin();
-  APIPermissionSet::const_iterator it2 = set2.begin();
-  const APIPermissionSet::const_iterator end1 = set1.end();
-  const APIPermissionSet::const_iterator end2 = set2.end();
-
-  while (true) {
-    if (it1 == end1) {
-      while (it2 != end2) {
-        set3->insert(it2->Clone());
-        ++it2;
-      }
-      break;
-    }
-    if (it2 == end2) {
-      while (it1 != end1) {
-        set3->insert(it1->Clone());
-        ++it1;
-      }
-      break;
-    }
-    if (it1->id() < it2->id()) {
-      set3->insert(it1->Clone());
-      ++it1;
-    } else if (it1->id() > it2->id()) {
-      set3->insert(it2->Clone());
-      ++it2;
-    } else {
-      set3->insert(it1->Union(*it2));
-      ++it1;
-      ++it2;
-    }
-  }
+  BaseSetOperators<APIPermissionSet>::insert(permission);
 }
 
 // static
@@ -334,8 +166,8 @@ void APIPermissionSet::AddImpliedPermissions() {
   // The fileSystem.write and fileSystem.directory permissions imply
   // fileSystem.writeDirectory.
   // TODO(sammc): Remove this. See http://crbug.com/284849.
-  if (ContainsKey(map_, APIPermission::kFileSystemWrite) &&
-      ContainsKey(map_, APIPermission::kFileSystemDirectory)) {
+  if (ContainsKey(map(), APIPermission::kFileSystemWrite) &&
+      ContainsKey(map(), APIPermission::kFileSystemDirectory)) {
     insert(APIPermission::kFileSystemWriteDirectory);
   }
 }
diff --git a/extensions/common/permissions/api_permission_set.h b/extensions/common/permissions/api_permission_set.h
index 9b6f26d..c5dd248 100644
--- a/extensions/common/permissions/api_permission_set.h
+++ b/extensions/common/permissions/api_permission_set.h
@@ -5,11 +5,9 @@
 #ifndef EXTENSIONS_COMMON_PERMISSIONS_API_PERMISSION_SET_H_
 #define EXTENSIONS_COMMON_PERMISSIONS_API_PERMISSION_SET_H_
 
-#include <iterator>
-#include <map>
 
-#include "base/memory/linked_ptr.h"
 #include "extensions/common/permissions/api_permission.h"
+#include "extensions/common/permissions/base_set_operators.h"
 
 namespace base {
 class ListValue;
@@ -18,48 +16,16 @@ class ListValue;
 namespace extensions {
 
 class Extension;
+class APIPermissionSet;
 
-typedef std::map<APIPermission::ID,
-  linked_ptr<APIPermission> > APIPermissionMap;
+template<>
+struct BaseSetOperatorsTraits<APIPermissionSet> {
+  typedef APIPermission ElementType;
+  typedef APIPermission::ID ElementIDType;
+};
 
-class APIPermissionSet {
+class APIPermissionSet : public BaseSetOperators<APIPermissionSet> {
  public:
-  class const_iterator :
-    public std::iterator<std::input_iterator_tag, const APIPermission*> {
-   public:
-    const_iterator(const APIPermissionMap::const_iterator& it);
-    const_iterator(const const_iterator& ids_it);
-
-    const_iterator& operator++() {
-      ++it_;
-      return *this;
-    }
-
-    const_iterator operator++(int) {
-      const_iterator tmp(it_++);
-      return tmp;
-    }
-
-    bool operator==(const const_iterator& rhs) const {
-      return it_ == rhs.it_;
-    }
-
-    bool operator!=(const const_iterator& rhs) const {
-      return it_ != rhs.it_;
-    }
-
-    const APIPermission* operator*() const {
-      return it_->second.get();
-    }
-
-    const APIPermission* operator->() const {
-      return it_->second.get();
-    }
-
-   private:
-    APIPermissionMap::const_iterator it_;
-  };
-
   enum ParseSource {
     // Don't allow internal permissions to be parsed (e.g. entries in the
     // "permissions" list in a manifest).
@@ -70,87 +36,16 @@ class APIPermissionSet {
     kAllowInternalPermissions,
   };
 
-  APIPermissionSet();
-
-  APIPermissionSet(const APIPermissionSet& set);
-
-  ~APIPermissionSet();
-
-  const_iterator begin() const {
-    return const_iterator(map().begin());
-  }
-
-  const_iterator end() const {
-    return map().end();
-  }
-
-  const_iterator find(APIPermission::ID id) const {
-    return map().find(id);
-  }
-
-  const APIPermissionMap& map() const {
-    return map_;
-  }
-
-  APIPermissionMap& map() {
-    return map_;
-  }
-
-  void clear() {
-    map_.clear();
-  }
-
-  size_t count(APIPermission::ID id) const {
-    return map().count(id);
-  }
-
-  bool empty() const {
-    return map().empty();
-  }
-
-  size_t erase(APIPermission::ID id) {
-    return map().erase(id);
-  }
-
-  size_t size() const {
-    return map().size();
-  }
-
-  APIPermissionSet& operator=(const APIPermissionSet& rhs);
-
-  bool operator==(const APIPermissionSet& rhs) const;
-
-  bool operator!=(const APIPermissionSet& rhs) const {
-    return !operator==(rhs);
-  }
-
   void insert(APIPermission::ID id);
 
   // Insert |permission| into the APIPermissionSet. The APIPermissionSet will
   // take the ownership of |permission|,
   void insert(APIPermission* permission);
 
-  bool Contains(const APIPermissionSet& rhs) const;
-
-  static void Difference(
-      const APIPermissionSet& set1,
-      const APIPermissionSet& set2,
-      APIPermissionSet* set3);
-
-  static void Intersection(
-      const APIPermissionSet& set1,
-      const APIPermissionSet& set2,
-      APIPermissionSet* set3);
-
-  static void Union(
-      const APIPermissionSet& set1,
-      const APIPermissionSet& set2,
-      APIPermissionSet* set3);
-
   // Parses permissions from |permissions| and adds the parsed permissions to
   // |api_permissions|. If |source| is kDisallowInternalPermissions, treat
-  // permissions with kFlagInternal as errors. If |unhandled_permissions|
-  // is not NULL, the names of all permissions that couldn't be parsed will be
+  // permissions with kFlagInternal as errors. If |unhandled_permissions| is
+  // not NULL, the names of all permissions that couldn't be parsed will be
   // added to this vector. If |error| is NULL, parsing will continue with the
   // next permission if invalid data is detected. If |error| is not NULL, it
   // will be set to an error message and false is returned when an invalid
@@ -163,9 +58,6 @@ class APIPermissionSet {
       std::vector<std::string>* unhandled_permissions);
 
   void AddImpliedPermissions();
-
- private:
-  APIPermissionMap map_;
 };
 
 }  // namespace extensions
diff --git a/extensions/common/permissions/base_set_operators.h b/extensions/common/permissions/base_set_operators.h
new file mode 100644
index 0000000..38ff091
--- /dev/null
+++ b/extensions/common/permissions/base_set_operators.h
@@ -0,0 +1,288 @@
+// Copyright 2013 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#ifndef EXTENSIONS_COMMON_PERMISSIONS_BASE_SET_OPERATORS_H_
+#define EXTENSIONS_COMMON_PERMISSIONS_BASE_SET_OPERATORS_H_
+
+#include <iterator>
+#include <map>
+
+#include "base/memory/linked_ptr.h"
+#include "base/template_util.h"
+
+namespace extensions {
+
+// Traits for template paramater of |BaseSetOperators<T>|. Specializations
+// should define |ElementType| for the type of elements to store in the set,
+// and |EmementIDType| for the type of element identifiers.
+template <typename T>
+struct BaseSetOperatorsTraits {};
+
+// Set operations shared by |APIPermissionSet| and |ManifestPermissionSet|.
+//
+// TODO(rpaquay): It would be nice to remove the need for the sub-classes and
+// instead directly use this class where needed.
+template <typename T>
+class BaseSetOperators {
+ public:
+  typedef typename BaseSetOperatorsTraits<T>::ElementType ElementType;
+  typedef typename BaseSetOperatorsTraits<T>::ElementIDType ElementIDType;
+  typedef std::map<ElementIDType, linked_ptr<ElementType> > Map;
+
+  class const_iterator :
+    public std::iterator<std::input_iterator_tag, const ElementType*> {
+   public:
+    const_iterator(const typename Map::const_iterator& it) : it_(it) {}
+    const_iterator(const const_iterator& ids_it) : it_(ids_it.it_) {}
+
+    const_iterator& operator++() {
+      ++it_;
+      return *this;
+    }
+
+    const_iterator operator++(int) {
+      const_iterator tmp(it_++);
+      return tmp;
+    }
+
+    bool operator==(const const_iterator& rhs) const {
+      return it_ == rhs.it_;
+    }
+
+    bool operator!=(const const_iterator& rhs) const {
+      return it_ != rhs.it_;
+    }
+
+    const ElementType* operator*() const {
+      return it_->second.get();
+    }
+
+    const ElementType* operator->() const {
+      return it_->second.get();
+    }
+
+   private:
+    typename Map::const_iterator it_;
+  };
+
+  BaseSetOperators() {
+    // Ensure |T| is convertible to us, so we can safely downcast when calling
+    // methods that must exist in |T|.
+    COMPILE_ASSERT((base::is_convertible<T*, BaseSetOperators<T>*>::value),
+                   U_ptr_must_implicitly_convert_to_T_ptr);
+  }
+
+  BaseSetOperators(const T& set) {
+    this->operator=(set);
+  }
+
+  ~BaseSetOperators() {}
+
+  T& operator=(const T& rhs) {
+    return Assign(rhs);
+  }
+
+  bool operator==(const T& rhs) const {
+    return Equal(rhs);
+  }
+
+  bool operator!=(const T& rhs) const {
+    return !operator==(rhs);
+  }
+
+  T& Assign(const T& rhs) {
+    const_iterator it = rhs.begin();
+    const const_iterator end = rhs.end();
+    while (it != end) {
+      insert(it->Clone());
+      ++it;
+    }
+    return *static_cast<T*>(this);
+  }
+
+  bool Equal(const T& rhs) const {
+    const_iterator it = begin();
+    const_iterator rhs_it = rhs.begin();
+    const_iterator it_end = end();
+    const_iterator rhs_it_end = rhs.end();
+
+    while (it != it_end && rhs_it != rhs_it_end) {
+      if (it->id() > rhs_it->id())
+        return false;
+      else if (it->id() < rhs_it->id())
+        return false;
+      else if (!it->Equal(*rhs_it))
+        return false;
+      ++it;
+      ++rhs_it;
+    }
+    return it == it_end && rhs_it == rhs_it_end;
+  }
+
+  bool Contains(const T& rhs) const {
+    const_iterator it1 = begin();
+    const_iterator it2 = rhs.begin();
+    const_iterator end1 = end();
+    const_iterator end2 = rhs.end();
+
+    while (it1 != end1 && it2 != end2) {
+      if (it1->id() > it2->id()) {
+        return false;
+      } else if (it1->id() < it2->id()) {
+        ++it1;
+      } else {
+          if (!it1->Contains(*it2))
+            return false;
+        ++it1;
+        ++it2;
+      }
+    }
+
+    return it2 == end2;
+  }
+
+  static void Difference(const T& set1, const T& set2, T* set3) {
+    CHECK(set3);
+    set3->clear();
+
+    const_iterator it1 = set1.begin();
+    const_iterator it2 = set2.begin();
+    const const_iterator end1 = set1.end();
+    const const_iterator end2 = set2.end();
+
+    while (it1 != end1 && it2 != end2) {
+      if (it1->id() < it2->id()) {
+        set3->insert(it1->Clone());
+        ++it1;
+      } else if (it1->id() > it2->id()) {
+        ++it2;
+      } else {
+        ElementType* p = it1->Diff(*it2);
+        if (p)
+          set3->insert(p);
+        ++it1;
+        ++it2;
+      }
+    }
+
+    while (it1 != end1) {
+      set3->insert(it1->Clone());
+      ++it1;
+    }
+  }
+
+  static void Intersection(const T& set1, const T& set2, T* set3) {
+    DCHECK(set3);
+    set3->clear();
+
+    const_iterator it1 = set1.begin();
+    const_iterator it2 = set2.begin();
+    const const_iterator end1 = set1.end();
+    const const_iterator end2 = set2.end();
+
+    while (it1 != end1 && it2 != end2) {
+      if (it1->id() < it2->id()) {
+        ++it1;
+      } else if (it1->id() > it2->id()) {
+        ++it2;
+      } else {
+        ElementType* p = it1->Intersect(*it2);
+        if (p)
+          set3->insert(p);
+        ++it1;
+        ++it2;
+      }
+    }
+  }
+
+  static void Union(const T& set1, const T& set2, T* set3) {
+    DCHECK(set3);
+    set3->clear();
+
+    const_iterator it1 = set1.begin();
+    const_iterator it2 = set2.begin();
+    const const_iterator end1 = set1.end();
+    const const_iterator end2 = set2.end();
+
+    while (true) {
+      if (it1 == end1) {
+        while (it2 != end2) {
+          set3->insert(it2->Clone());
+          ++it2;
+        }
+        break;
+      }
+      if (it2 == end2) {
+        while (it1 != end1) {
+          set3->insert(it1->Clone());
+          ++it1;
+        }
+        break;
+      }
+      if (it1->id() < it2->id()) {
+        set3->insert(it1->Clone());
+        ++it1;
+      } else if (it1->id() > it2->id()) {
+        set3->insert(it2->Clone());
+        ++it2;
+      } else {
+        set3->insert(it1->Union(*it2));
+        ++it1;
+        ++it2;
+      }
+    }
+  }
+
+  const_iterator begin() const {
+    return const_iterator(map().begin());
+  }
+
+  const_iterator end() const {
+    return map().end();
+  }
+
+  const_iterator find(ElementIDType id) const {
+    return map().find(id);
+  }
+
+  size_t count(ElementIDType id) const {
+    return map().count(id);
+  }
+
+  bool empty() const {
+    return map().empty();
+  }
+
+  size_t erase(ElementIDType id) {
+    return map().erase(id);
+  }
+
+  // Take ownership and insert |item| into the set.
+  void insert(ElementType* item) {
+    map_[item->id()].reset(item);
+  }
+
+  size_t size() const {
+    return map().size();
+  }
+
+  const Map& map() const {
+    return map_;
+  }
+
+  Map& map() {
+    return map_;
+  }
+
+  void clear() {
+    map_.clear();
+  }
+
+ private:
+  Map map_;
+};
+
+}  // namespace extensions
+
+#endif  // EXTENSIONS_COMMON_PERMISSIONS_BASE_SET_OPERATORS_H_
diff --git a/extensions/common/permissions/manifest_permission.cc b/extensions/common/permissions/manifest_permission.cc
new file mode 100644
index 0000000..b15c541
--- /dev/null
+++ b/extensions/common/permissions/manifest_permission.cc
@@ -0,0 +1,13 @@
+// Copyright 2013 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "extensions/common/permissions/manifest_permission.h"
+
+namespace extensions {
+
+ManifestPermission::ManifestPermission() {}
+
+ManifestPermission::~ManifestPermission() { }
+
+}  // namespace extensions
diff --git a/extensions/common/permissions/manifest_permission.h b/extensions/common/permissions/manifest_permission.h
new file mode 100644
index 0000000..af9e035
--- /dev/null
+++ b/extensions/common/permissions/manifest_permission.h
@@ -0,0 +1,88 @@
+// Copyright 2013 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#ifndef EXTENSIONS_COMMON_PERMISSIONS_MANIFEST_PERMISSION_H_
+#define EXTENSIONS_COMMON_PERMISSIONS_MANIFEST_PERMISSION_H_
+
+#include <string>
+
+#include "base/memory/scoped_ptr.h"
+#include "base/pickle.h"
+#include "extensions/common/permissions/permission_message.h"
+
+class PickleIterator;
+
+namespace base {
+class Value;
+class ListValue;
+}
+
+namespace IPC {
+class Message;
+}
+
+namespace extensions {
+
+// Represent the custom behavior of a top-level manifest entry contributing to
+// permission messages and storage.
+class ManifestPermission {
+ public:
+  ManifestPermission();
+  virtual ~ManifestPermission();
+
+  // The manifest key this permission applies to.
+  virtual std::string name() const = 0;
+
+  // Same as name(), needed for compatibility with APIPermission.
+  virtual std::string id() const = 0;
+
+  // Returns true if this permission has any PermissionMessages.
+  virtual bool HasMessages() const = 0;
+
+  // Returns the localized permission messages of this permission.
+  virtual PermissionMessages GetMessages() const = 0;
+
+  // Parses the ManifestPermission from |value|. Returns false if error happens.
+  virtual bool FromValue(const base::Value* value) = 0;
+
+  // Stores this into a new created Value.
+  virtual scoped_ptr<base::Value> ToValue() const = 0;
+
+  // Clones this.
+  virtual ManifestPermission* Clone() const = 0;
+
+  // Returns a new manifest permission which equals this - |rhs|.
+  virtual ManifestPermission* Diff(const ManifestPermission* rhs) const = 0;
+
+  // Returns a new manifest permission which equals the union of this and |rhs|.
+  virtual ManifestPermission* Union(const ManifestPermission* rhs) const = 0;
+
+  // Returns a new manifest permission which equals the intersect of this and
+  // |rhs|.
+  virtual ManifestPermission* Intersect(const ManifestPermission* rhs)
+      const = 0;
+
+  // Returns true if |rhs| is a subset of this.
+  virtual bool Contains(const ManifestPermission* rhs) const = 0;
+
+  // Returns true if |rhs| is equal to this.
+  virtual bool Equal(const ManifestPermission* rhs) const = 0;
+
+  // IPC functions
+  // Writes this into the given IPC message |m|.
+  virtual void Write(IPC::Message* m) const = 0;
+
+  // Reads from the given IPC message |m|.
+  virtual bool Read(const IPC::Message* m, PickleIterator* iter) = 0;
+
+  // Logs this permission.
+  virtual void Log(std::string* log) const = 0;
+
+ private:
+  DISALLOW_COPY_AND_ASSIGN(ManifestPermission);
+};
+
+}  // namespace extensions
+
+#endif  // EXTENSIONS_COMMON_PERMISSIONS_MANIFEST_PERMISSION_H_
diff --git a/extensions/common/permissions/manifest_permission_set.cc b/extensions/common/permissions/manifest_permission_set.cc
new file mode 100644
index 0000000..821159f
--- /dev/null
+++ b/extensions/common/permissions/manifest_permission_set.cc
@@ -0,0 +1,93 @@
+// Copyright 2013 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "extensions/common/permissions/manifest_permission_set.h"
+
+#include "base/logging.h"
+#include "base/strings/string_number_conversions.h"
+#include "base/values.h"
+#include "extensions/common/error_utils.h"
+#include "extensions/common/manifest_constants.h"
+#include "extensions/common/manifest_handler.h"
+#include "extensions/common/permissions/manifest_permission.h"
+
+namespace {
+
+using extensions::ErrorUtils;
+using extensions::ManifestPermission;
+using extensions::ManifestPermissionSet;
+using extensions::ManifestHandler;
+namespace errors = extensions::manifest_errors;
+
+bool CreateManifestPermission(
+    const std::string& permission_name,
+    const base::Value* permission_value,
+    ManifestPermissionSet* manifest_permissions,
+    string16* error,
+    std::vector<std::string>* unhandled_permissions) {
+
+  scoped_ptr<ManifestPermission> permission(
+      ManifestHandler::CreatePermission(permission_name));
+
+  if (!permission) {
+    if (unhandled_permissions)
+      unhandled_permissions->push_back(permission_name);
+    else
+      LOG(WARNING) << "Unknown permission[" << permission_name << "].";
+    return true;
+  }
+
+  if (!permission->FromValue(permission_value)) {
+    if (error) {
+      *error = ErrorUtils::FormatErrorMessageUTF16(
+          errors::kInvalidPermission, permission_name);
+      return false;
+    }
+    LOG(WARNING) << "Parse permission failed.";
+    return true;
+  } else {
+    manifest_permissions->insert(permission.release());
+    return true;
+  }
+}
+
+}  // namespace
+
+namespace extensions {
+
+// static
+bool ManifestPermissionSet::ParseFromJSON(
+    const base::ListValue* permissions,
+    ManifestPermissionSet* manifest_permissions,
+    string16* error,
+    std::vector<std::string>* unhandled_permissions) {
+  for (size_t i = 0; i < permissions->GetSize(); ++i) {
+    std::string permission_name;
+    const base::Value* permission_value = NULL;
+    if (!permissions->GetString(i, &permission_name)) {
+      const base::DictionaryValue* dict = NULL;
+      // permission should be a string or a single key dict.
+      if (!permissions->GetDictionary(i, &dict) || dict->size() != 1) {
+        if (error) {
+          *error = ErrorUtils::FormatErrorMessageUTF16(
+              errors::kInvalidPermission, base::IntToString(i));
+          return false;
+        }
+        LOG(WARNING) << "Permission is not a string or single key dict.";
+        continue;
+      }
+      base::DictionaryValue::Iterator it(*dict);
+      permission_name = it.key();
+      permission_value = &it.value();
+    }
+
+    if (!CreateManifestPermission(permission_name, permission_value,
+                                  manifest_permissions, error,
+                                  unhandled_permissions))
+      return false;
+  }
+  return true;
+}
+
+}  // namespace extensions
diff --git a/extensions/common/permissions/manifest_permission_set.h b/extensions/common/permissions/manifest_permission_set.h
new file mode 100644
index 0000000..e9683bc
--- /dev/null
+++ b/extensions/common/permissions/manifest_permission_set.h
@@ -0,0 +1,47 @@
+// Copyright 2013 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#ifndef EXTENSIONS_COMMON_PERMISSIONS_MANIFEST_PERMISSION_SET_H_
+#define EXTENSIONS_COMMON_PERMISSIONS_MANIFEST_PERMISSION_SET_H_
+
+#include <string>
+#include <vector>
+
+#include "base/strings/string16.h"
+#include "extensions/common/permissions/base_set_operators.h"
+
+namespace base {
+class ListValue;
+}  // namespace base
+
+namespace extensions {
+
+class Extension;
+class ManifestPermission;
+class ManifestPermissionSet;
+
+template<>
+struct BaseSetOperatorsTraits<ManifestPermissionSet> {
+  typedef ManifestPermission ElementType;
+  typedef std::string ElementIDType;
+};
+
+class ManifestPermissionSet : public BaseSetOperators<ManifestPermissionSet> {
+ public:
+  // Parses permissions from |permissions| and adds the parsed permissions to
+  // |manifest_permissions|. If |unhandled_permissions| is not NULL, the names
+  // of all permissions that couldn't be parsed will be added to this vector.
+  // If |error| is NULL, parsing will continue with the next permission if
+  // invalid data is detected. If |error| is not NULL, it will be set to an
+  // error message and false is returned when an invalid permission is found.
+  static bool ParseFromJSON(
+      const base::ListValue* permissions,
+      ManifestPermissionSet* manifest_permissions,
+      string16* error,
+      std::vector<std::string>* unhandled_permissions);
+};
+
+}  // namespace extensions
+
+#endif  // EXTENSIONS_COMMON_PERMISSIONS_MANIFEST_PERMISSION_SET_H_
diff --git a/extensions/common/permissions/manifest_permission_set_unittest.cc b/extensions/common/permissions/manifest_permission_set_unittest.cc
new file mode 100644
index 0000000..a0191c3
--- /dev/null
+++ b/extensions/common/permissions/manifest_permission_set_unittest.cc
@@ -0,0 +1,272 @@
+// Copyright 2013 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "base/pickle.h"
+#include "base/values.h"
+#include "chrome/common/extensions/extension_messages.h"
+#include "extensions/common/permissions/manifest_permission.h"
+#include "extensions/common/permissions/manifest_permission_set.h"
+#include "ipc/ipc_message.h"
+#include "testing/gtest/include/gtest/gtest.h"
+
+namespace extensions {
+
+class MockManifestPermission : public ManifestPermission {
+ public:
+  MockManifestPermission(const std::string& name)
+      : name_(name) {
+  }
+
+  virtual std::string name() const OVERRIDE {
+    return name_;
+  }
+
+  virtual std::string id() const OVERRIDE {
+    return name();
+  }
+
+  virtual bool HasMessages() const OVERRIDE {
+    return false;
+  }
+
+  virtual PermissionMessages GetMessages() const OVERRIDE {
+    return PermissionMessages();
+  }
+
+  virtual bool FromValue(const base::Value* value) OVERRIDE {
+    return false;
+  }
+
+  virtual scoped_ptr<base::Value> ToValue() const OVERRIDE {
+    return scoped_ptr<base::Value>(base::Value::CreateNullValue());
+  }
+
+  virtual ManifestPermission* Clone() const OVERRIDE {
+    return new MockManifestPermission(name_);
+  }
+
+  virtual ManifestPermission* Diff(const ManifestPermission* rhs)
+      const OVERRIDE {
+    const MockManifestPermission* other =
+        static_cast<const MockManifestPermission*>(rhs);
+    EXPECT_EQ(name_, other->name_);
+    return NULL;
+  }
+
+  virtual ManifestPermission* Union(const ManifestPermission* rhs)
+      const OVERRIDE {
+    const MockManifestPermission* other =
+        static_cast<const MockManifestPermission*>(rhs);
+    EXPECT_EQ(name_, other->name_);
+    return new MockManifestPermission(name_);
+  }
+
+  virtual ManifestPermission* Intersect(const ManifestPermission* rhs)
+      const OVERRIDE {
+    const MockManifestPermission* other =
+        static_cast<const MockManifestPermission*>(rhs);
+    EXPECT_EQ(name_, other->name_);
+    return new MockManifestPermission(name_);
+  }
+
+  virtual bool Contains(const ManifestPermission* rhs) const OVERRIDE {
+    const MockManifestPermission* other =
+        static_cast<const MockManifestPermission*>(rhs);
+    EXPECT_EQ(name_, other->name_);
+    return true;
+  }
+
+  virtual bool Equal(const ManifestPermission* rhs) const OVERRIDE {
+    const MockManifestPermission* other =
+        static_cast<const MockManifestPermission*>(rhs);
+    EXPECT_EQ(name_, other->name_);
+    return true;
+  }
+
+  virtual void Write(IPC::Message* m) const OVERRIDE {
+    IPC::WriteParam(m, name_);
+  }
+
+  virtual bool Read(const IPC::Message* m, PickleIterator* iter) OVERRIDE {
+    std::string read_name;
+    bool result = IPC::ReadParam(m, iter, &read_name);
+    if (!result)
+      return result;
+    EXPECT_EQ(read_name, name_);
+    return true;
+  }
+
+  virtual void Log(std::string* log) const OVERRIDE {
+  }
+
+ private:
+  std::string name_;
+};
+
+TEST(ManifestPermissionSetTest, General) {
+  ManifestPermissionSet set;
+  set.insert(new MockManifestPermission("p1"));
+  set.insert(new MockManifestPermission("p2"));
+  set.insert(new MockManifestPermission("p3"));
+  set.insert(new MockManifestPermission("p4"));
+  set.insert(new MockManifestPermission("p5"));
+
+  EXPECT_EQ(set.find("p1")->id(), "p1");
+  EXPECT_TRUE(set.find("p10") == set.end());
+
+  EXPECT_EQ(set.size(), 5u);
+
+  EXPECT_EQ(set.erase("p1"), 1u);
+  EXPECT_EQ(set.size(), 4u);
+
+  EXPECT_EQ(set.erase("p1"), 0u);
+  EXPECT_EQ(set.size(), 4u);
+}
+
+TEST(ManifestPermissionSetTest, CreateUnion) {
+  ManifestPermissionSet permissions1;
+  ManifestPermissionSet permissions2;
+  ManifestPermissionSet expected_permissions;
+  ManifestPermissionSet result;
+
+  ManifestPermission* permission = new MockManifestPermission("p3");
+
+  // Union with an empty set.
+  permissions1.insert(new MockManifestPermission("p1"));
+  permissions1.insert(new MockManifestPermission("p2"));
+  permissions1.insert(permission->Clone());
+  expected_permissions.insert(new MockManifestPermission("p1"));
+  expected_permissions.insert(new MockManifestPermission("p2"));
+  expected_permissions.insert(permission);
+
+  ManifestPermissionSet::Union(permissions1, permissions2, &result);
+
+  EXPECT_TRUE(permissions1.Contains(permissions2));
+  EXPECT_TRUE(permissions1.Contains(result));
+  EXPECT_FALSE(permissions2.Contains(permissions1));
+  EXPECT_FALSE(permissions2.Contains(result));
+  EXPECT_TRUE(result.Contains(permissions1));
+  EXPECT_TRUE(result.Contains(permissions2));
+
+  EXPECT_EQ(expected_permissions, result);
+
+  // Now use a real second set.
+  permissions2.insert(new MockManifestPermission("p1"));
+  permissions2.insert(new MockManifestPermission("p2"));
+  permissions2.insert(new MockManifestPermission("p33"));
+  permissions2.insert(new MockManifestPermission("p4"));
+  permissions2.insert(new MockManifestPermission("p5"));
+
+  expected_permissions.insert(new MockManifestPermission("p1"));
+  expected_permissions.insert(new MockManifestPermission("p2"));
+  expected_permissions.insert(new MockManifestPermission("p3"));
+  expected_permissions.insert(new MockManifestPermission("p4"));
+  expected_permissions.insert(new MockManifestPermission("p5"));
+  expected_permissions.insert(new MockManifestPermission("p33"));
+
+  ManifestPermissionSet::Union(permissions1, permissions2, &result);
+
+  {
+    ManifestPermissionSet set1;
+    set1.insert(new MockManifestPermission("p1"));
+    set1.insert(new MockManifestPermission("p2"));
+    ManifestPermissionSet set2;
+    set2.insert(new MockManifestPermission("p3"));
+
+    EXPECT_FALSE(set1.Contains(set2));
+    EXPECT_FALSE(set2.Contains(set1));
+  }
+
+  EXPECT_FALSE(permissions1.Contains(permissions2));
+  EXPECT_FALSE(permissions1.Contains(result));
+  EXPECT_FALSE(permissions2.Contains(permissions1));
+  EXPECT_FALSE(permissions2.Contains(result));
+  EXPECT_TRUE(result.Contains(permissions1));
+  EXPECT_TRUE(result.Contains(permissions2));
+
+  EXPECT_EQ(expected_permissions, result);
+}
+
+TEST(ManifestPermissionSetTest, CreateIntersection) {
+  ManifestPermissionSet permissions1;
+  ManifestPermissionSet permissions2;
+  ManifestPermissionSet expected_permissions;
+  ManifestPermissionSet result;
+
+  // Intersection with an empty set.
+  permissions1.insert(new MockManifestPermission("p1"));
+  permissions1.insert(new MockManifestPermission("p2"));
+  permissions1.insert(new MockManifestPermission("p3"));
+
+  ManifestPermissionSet::Intersection(permissions1, permissions2, &result);
+  EXPECT_TRUE(permissions1.Contains(result));
+  EXPECT_TRUE(permissions2.Contains(result));
+  EXPECT_TRUE(permissions1.Contains(permissions2));
+  EXPECT_FALSE(permissions2.Contains(permissions1));
+  EXPECT_FALSE(result.Contains(permissions1));
+  EXPECT_TRUE(result.Contains(permissions2));
+
+  EXPECT_TRUE(result.empty());
+  EXPECT_EQ(expected_permissions, result);
+
+  // Now use a real second set.
+  permissions2.insert(new MockManifestPermission("p1"));
+  permissions2.insert(new MockManifestPermission("p3"));
+  permissions2.insert(new MockManifestPermission("p4"));
+  permissions2.insert(new MockManifestPermission("p5"));
+
+  expected_permissions.insert(new MockManifestPermission("p1"));
+  expected_permissions.insert(new MockManifestPermission("p3"));
+
+  ManifestPermissionSet::Intersection(permissions1, permissions2, &result);
+
+  EXPECT_TRUE(permissions1.Contains(result));
+  EXPECT_TRUE(permissions2.Contains(result));
+  EXPECT_FALSE(permissions1.Contains(permissions2));
+  EXPECT_FALSE(permissions2.Contains(permissions1));
+  EXPECT_FALSE(result.Contains(permissions1));
+  EXPECT_FALSE(result.Contains(permissions2));
+
+  EXPECT_EQ(expected_permissions, result);
+}
+
+TEST(ManifestPermissionSetTest, CreateDifference) {
+  ManifestPermissionSet permissions1;
+  ManifestPermissionSet permissions2;
+  ManifestPermissionSet expected_permissions;
+  ManifestPermissionSet result;
+
+  // Difference with an empty set.
+  permissions1.insert(new MockManifestPermission("p1"));
+  permissions1.insert(new MockManifestPermission("p2"));
+  permissions1.insert(new MockManifestPermission("p3"));
+
+  ManifestPermissionSet::Difference(permissions1, permissions2, &result);
+
+  EXPECT_EQ(permissions1, result);
+
+  // Now use a real second set.
+  permissions2.insert(new MockManifestPermission("p1"));
+  permissions2.insert(new MockManifestPermission("p2"));
+  permissions2.insert(new MockManifestPermission("p4"));
+  permissions2.insert(new MockManifestPermission("p5"));
+  permissions2.insert(new MockManifestPermission("p6"));
+
+  expected_permissions.insert(new MockManifestPermission("p3"));
+
+  ManifestPermissionSet::Difference(permissions1, permissions2, &result);
+
+  EXPECT_TRUE(permissions1.Contains(result));
+  EXPECT_FALSE(permissions2.Contains(result));
+
+  EXPECT_EQ(expected_permissions, result);
+
+  // |result| = |permissions1| - |permissions2| -->
+  //   |result| intersect |permissions2| == empty_set
+  ManifestPermissionSet result2;
+  ManifestPermissionSet::Intersection(result, permissions2, &result2);
+  EXPECT_TRUE(result2.empty());
+}
+
+}  // namespace extensions
diff --git a/extensions/common/permissions/permission_set.cc b/extensions/common/permissions/permission_set.cc
index d3f46fc..8ec1cbe 100644
--- a/extensions/common/permissions/permission_set.cc
+++ b/extensions/common/permissions/permission_set.cc
@@ -38,9 +38,11 @@ PermissionSet::PermissionSet() {}
 
 PermissionSet::PermissionSet(
     const APIPermissionSet& apis,
+    const ManifestPermissionSet& manifest_permissions,
     const URLPatternSet& explicit_hosts,
     const URLPatternSet& scriptable_hosts)
     : apis_(apis),
+      manifest_permissions_(manifest_permissions),
       scriptable_hosts_(scriptable_hosts) {
   AddPatternsAndRemovePaths(explicit_hosts, &explicit_hosts_);
   InitImplicitPermissions();
@@ -58,6 +60,11 @@ PermissionSet* PermissionSet::CreateDifference(
   APIPermissionSet apis;
   APIPermissionSet::Difference(set1_safe->apis(), set2_safe->apis(), &apis);
 
+  ManifestPermissionSet manifest_permissions;
+  ManifestPermissionSet::Difference(set1_safe->manifest_permissions(),
+                                    set2_safe->manifest_permissions(),
+                                    &manifest_permissions);
+
   URLPatternSet explicit_hosts;
   URLPatternSet::CreateDifference(set1_safe->explicit_hosts(),
                                   set2_safe->explicit_hosts(),
@@ -68,7 +75,8 @@ PermissionSet* PermissionSet::CreateDifference(
                                   set2_safe->scriptable_hosts(),
                                   &scriptable_hosts);
 
-  return new PermissionSet(apis, explicit_hosts, scriptable_hosts);
+  return new PermissionSet(apis, manifest_permissions,
+                           explicit_hosts, scriptable_hosts);
 }
 
 // static
@@ -82,6 +90,11 @@ PermissionSet* PermissionSet::CreateIntersection(
   APIPermissionSet apis;
   APIPermissionSet::Intersection(set1_safe->apis(), set2_safe->apis(), &apis);
 
+  ManifestPermissionSet manifest_permissions;
+  ManifestPermissionSet::Intersection(set1_safe->manifest_permissions(),
+                                      set2_safe->manifest_permissions(),
+                                      &manifest_permissions);
+
   URLPatternSet explicit_hosts;
   URLPatternSet::CreateIntersection(set1_safe->explicit_hosts(),
                                     set2_safe->explicit_hosts(),
@@ -92,7 +105,8 @@ PermissionSet* PermissionSet::CreateIntersection(
                                     set2_safe->scriptable_hosts(),
                                     &scriptable_hosts);
 
-  return new PermissionSet(apis, explicit_hosts, scriptable_hosts);
+  return new PermissionSet(apis, manifest_permissions,
+                           explicit_hosts, scriptable_hosts);
 }
 
 // static
@@ -106,6 +120,11 @@ PermissionSet* PermissionSet::CreateUnion(
   APIPermissionSet apis;
   APIPermissionSet::Union(set1_safe->apis(), set2_safe->apis(), &apis);
 
+  ManifestPermissionSet manifest_permissions;
+  ManifestPermissionSet::Union(set1_safe->manifest_permissions(),
+                               set2_safe->manifest_permissions(),
+                               &manifest_permissions);
+
   URLPatternSet explicit_hosts;
   URLPatternSet::CreateUnion(set1_safe->explicit_hosts(),
                              set2_safe->explicit_hosts(),
@@ -116,18 +135,21 @@ PermissionSet* PermissionSet::CreateUnion(
                              set2_safe->scriptable_hosts(),
                              &scriptable_hosts);
 
-  return new PermissionSet(apis, explicit_hosts, scriptable_hosts);
+  return new PermissionSet(apis, manifest_permissions,
+                           explicit_hosts, scriptable_hosts);
 }
 
 bool PermissionSet::operator==(
     const PermissionSet& rhs) const {
   return apis_ == rhs.apis_ &&
+      manifest_permissions_ == rhs.manifest_permissions_ &&
       scriptable_hosts_ == rhs.scriptable_hosts_ &&
       explicit_hosts_ == rhs.explicit_hosts_;
 }
 
 bool PermissionSet::Contains(const PermissionSet& set) const {
   return apis_.Contains(set.apis()) &&
+         manifest_permissions_.Contains(set.manifest_permissions()) &&
          explicit_hosts().Contains(set.explicit_hosts()) &&
          scriptable_hosts().Contains(set.scriptable_hosts());
 }
@@ -147,7 +169,7 @@ bool PermissionSet::IsEmpty() const {
     return false;
 
   // Or if it has no api permissions.
-  return apis().empty();
+  return apis().empty() && manifest_permissions().empty();
 }
 
 bool PermissionSet::HasAPIPermission(
diff --git a/extensions/common/permissions/permission_set.h b/extensions/common/permissions/permission_set.h
index a0e4b34..9e6a7b9 100644
--- a/extensions/common/permissions/permission_set.h
+++ b/extensions/common/permissions/permission_set.h
@@ -17,6 +17,8 @@
 #include "extensions/common/manifest.h"
 #include "extensions/common/permissions/api_permission.h"
 #include "extensions/common/permissions/api_permission_set.h"
+#include "extensions/common/permissions/manifest_permission.h"
+#include "extensions/common/permissions/manifest_permission_set.h"
 #include "extensions/common/url_pattern_set.h"
 
 namespace extensions {
@@ -32,10 +34,11 @@ class PermissionSet
   PermissionSet();
 
   // Creates a new permission set based on the specified data: the API
-  // permissions, host permissions, and scriptable hosts. The effective hosts
-  // of the newly created permission set will be inferred from the given
-  // host permissions.
+  // permissions, manifest key permissions, host permissions, and scriptable
+  // hosts. The effective hosts of the newly created permission set will be
+  // inferred from the given host permissions.
   PermissionSet(const APIPermissionSet& apis,
+                const ManifestPermissionSet& manifest_permissions,
                 const URLPatternSet& explicit_hosts,
                 const URLPatternSet& scriptable_hosts);
 
@@ -102,6 +105,10 @@ class PermissionSet
 
   const APIPermissionSet& apis() const { return apis_; }
 
+  const ManifestPermissionSet& manifest_permissions() const {
+      return manifest_permissions_;
+  }
+
   const URLPatternSet& effective_hosts() const { return effective_hosts_; }
 
   const URLPatternSet& explicit_hosts() const { return explicit_hosts_; }
@@ -126,6 +133,10 @@ class PermissionSet
   // extension APIs and features.
   APIPermissionSet apis_;
 
+  // The manifest key permission list is used when deciding if an extension
+  // can access certain extension APIs and features.
+  ManifestPermissionSet manifest_permissions_;
+
   // The list of hosts that can be accessed directly from the extension.
   // TODO(jstritar): Rename to "hosts_"?
   URLPatternSet explicit_hosts_;
diff --git a/extensions/extensions.gyp b/extensions/extensions.gyp
index 5053b9b..d673ac1 100644
--- a/extensions/extensions.gyp
+++ b/extensions/extensions.gyp
@@ -89,6 +89,11 @@
         'common/permissions/api_permission.h',
         'common/permissions/api_permission_set.cc',
         'common/permissions/api_permission_set.h',
+        'common/permissions/base_set_operators.h',
+        'common/permissions/manifest_permission.cc',
+        'common/permissions/manifest_permission.h',
+        'common/permissions/manifest_permission_set.cc',
+        'common/permissions/manifest_permission_set.h',
         'common/permissions/permission_message.cc',
         'common/permissions/permission_message.h',
         'common/permissions/permission_message_provider.cc',