authorrdevlin.cronin@chromium.org <rdevlin.cronin@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2014-02-06 09:25:30 +0000
committerrdevlin.cronin@chromium.org <rdevlin.cronin@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2014-02-06 09:25:30 +0000
commit006420c7ef35469ffeeaae5f3363f68ef2b996c5 (patch)
tree6b6f7ebc5e2d3bc8dfb6005348aa470a40d20f6c /chrome/browser/extensions/api/web_request
parente959b8dc83df8c79b0560d79dd17dc29131ab1e2 (diff)
Prevent webRequest modification to webstore addresses.
Extensions can modify the results returned from webRequests to the webstore; prevent this so that an extension can't spoof the metadata (including permissions) for, e.g., an inline install. BUG=336841 BUG=83765 Review URL: https://codereview.chromium.org/145853004 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@249309 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'chrome/browser/extensions/api/web_request')
-rw-r--r--chrome/browser/extensions/api/web_request/web_request_permissions.cc4
-rw-r--r--chrome/browser/extensions/api/web_request/web_request_permissions_unittest.cc5
2 files changed, 7 insertions, 2 deletions
diff --git a/chrome/browser/extensions/api/web_request/web_request_permissions.cc b/chrome/browser/extensions/api/web_request/web_request_permissions.cc
index ced88cc..c8014d7 100644
--- a/chrome/browser/extensions/api/web_request/web_request_permissions.cc
+++ b/chrome/browser/extensions/api/web_request/web_request_permissions.cc
@@ -51,7 +51,9 @@ bool IsSensitiveURL(const GURL& url) {
// others.
sensitive_chrome_url = sensitive_chrome_url ||
EndsWith(url.host(), ".clients.google.com", true) ||
- url.host() == "sb-ssl.google.com";
+ url.host() == "sb-ssl.google.com" ||
+ (url.host() == "chrome.google.com" &&
+ StartsWithASCII(url.path(), "/webstore", true));
}
GURL::Replacements replacements;
replacements.ClearQuery();
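Review bot: The new clause in IsSensitiveURL recognises the Web Store by an exact `url.host() == "chrome.google.com"` comparison and a case-sensitive `/webstore` prefix, so the protection holds only if GURL has already canonicalised every spelling that reaches the same server. The hunk does not show whether a fully qualified host (one with a trailing dot) is normalised before this point; if it is not, such a request would not be classed as sensitive, and the trailing dot should be stripped from the host before these comparisons (the `sb-ssl.google.com` test is exposed in the same way). The prefix test also matches any path that merely begins with `/webstore`, which hides more rather than less and so is safe, but it deserves a comment such as `// Web Store responses carry install metadata (incl. permissions); hide them from webRequest so an extension cannot spoof it.`. IsSensitiveURL starts and ends outside the hunk, so the enclosing condition that gates this assignment is not visible here.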
diff --git a/chrome/browser/extensions/api/web_request/web_request_permissions_unittest.cc b/chrome/browser/extensions/api/web_request/web_request_permissions_unittest.cc
index 2b905949..9d7de4c 100644
--- a/chrome/browser/extensions/api/web_request/web_request_permissions_unittest.cc
+++ b/chrome/browser/extensions/api/web_request/web_request_permissions_unittest.cc
@@ -85,7 +85,10 @@ TEST_F(ExtensionWebRequestHelpersTestWithThreadsTest, TestHideRequestForURL) {
"https://clients2.google.com/service/update2/crx",
"http://www.gstatic.com/chrome/extensions/blacklist",
"https://www.gstatic.com/chrome/extensions/blacklist",
- "notregisteredscheme://www.foobar.com"
+ "notregisteredscheme://www.foobar.com",
+ "https://chrome.google.com/webstore/",
+ "https://chrome.google.com/webstore/"
+ "inlineinstall/detail/kcnhkahnjcbndmmehfkdnkjomaanaooo"
};
const char* non_sensitive_urls[] = {
"http://www.google.com/"
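Review bot: Only positive cases are added to `sensitive_urls`, so nothing visible in this hunk pins where the new rule stops applying. The `non_sensitive_urls` array continues past the hunk and may already cover it, but if not, a same-host URL outside the store path (for example `"https://chrome.google.com/"`, assuming that is meant to stay visible to extensions) would keep a later edit from silently widening or narrowing the match. The last added entry also relies on adjacent string-literal concatenation, with no comma after the second `"https://chrome.google.com/webstore/"`; a short comment such as `// single URL, split for line length` would stop it being misread as a missing comma.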