authorerikkay@chromium.org <erikkay@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2010-10-08 22:30:47 +0000
committererikkay@chromium.org <erikkay@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2010-10-08 22:30:47 +0000
commitc08931b03b69d69ebe8698a13e8217611c460558 (patch)
treedef8c40e3bf48d098bc0b0fc6b70658f4cb5113d /chrome/browser/extensions/crx_installer.cc
parentdec66f3a2b12d33fe27055c741a31870c3ebe36d (diff)
fix to allow internal installation (sync, default) to bypass origin checks
also move gallery origin check ahead of hosted origin check for correctness BUG=45542 TEST=sync an app Review URL: http://codereview.chromium.org/3592018 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@62033 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'chrome/browser/extensions/crx_installer.cc')
-rw-r--r--chrome/browser/extensions/crx_installer.cc37
1 files changed, 20 insertions, 17 deletions
diff --git a/chrome/browser/extensions/crx_installer.cc b/chrome/browser/extensions/crx_installer.cc
index 40d8cd2..28f873b 100644
--- a/chrome/browser/extensions/crx_installer.cc
+++ b/chrome/browser/extensions/crx_installer.cc
@@ -187,10 +187,26 @@ bool CrxInstaller::AllowInstall(Extension* extension, std::string* error) {
return false;
}
- // For self-hosted apps, verify that the entire extent is on the same
- // host (or a subdomain of the host) the download happened from. There's
- // no way for us to verify that the app controls any other hosts.
- if (!is_gallery_install_) {
+ // If the client_ is NULL, then the app is either being installed via
+ // an internal mechanism like sync, external_extensions, or default apps.
+ // In that case, we don't want to enforce things like the install origin.
+ if (!is_gallery_install_ && client_) {
+ // For apps with a gallery update URL, require that they be installed
+ // from the gallery.
+ // TODO(erikkay) Apply this rule for paid extensions and themes as well.
+ if ((extension->update_url() ==
+ GURL(extension_urls::kGalleryUpdateHttpsUrl)) ||
+ (extension->update_url() ==
+ GURL(extension_urls::kGalleryUpdateHttpUrl))) {
+ *error = l10n_util::GetStringFUTF8(
+ IDS_EXTENSION_DISALLOW_NON_DOWNLOADED_GALLERY_INSTALLS,
+ l10n_util::GetStringUTF16(IDS_EXTENSION_WEB_STORE_TITLE));
+ return false;
+ }
+
+ // For self-hosted apps, verify that the entire extent is on the same
+ // host (or a subdomain of the host) the download happened from. There's
+ // no way for us to verify that the app controls any other hosts.
URLPattern pattern(UserScript::kValidUserScriptSchemes);
pattern.set_host(original_url_.host());
pattern.set_match_subdomains(true);
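Review bot: The new guard `if (!is_gallery_install_ && client_)` treats a NULL `client_` as proof that the install is trusted, so the gallery-origin check and the extent-host check are both skipped for every caller that passes no client, not only sync, external_extensions and default apps. `client_` looks like a UI/prompt delegate, so a future silent-install path that omits it would inherit the bypass without anyone deciding that it should. I would carry the trust decision in an explicit boolean that only the internal install paths set (for example a new member named something like `allow_unverified_origin_`, a suggested name and not an existing one) and test that here instead of `client_`. If the NULL-client convention stays, the comment should state the invariant, e.g. `// SECURITY: client_ == NULL must only be reachable from trusted internal install paths; origin checks are skipped.` AllowInstall begins before this hunk and continues past it, so whether other checks in the function depend on `client_` cannot be seen from here.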
@@ -204,19 +220,6 @@ bool CrxInstaller::AllowInstall(Extension* extension, std::string* error) {
return false;
}
}
-
- // For apps with a gallery update URL, require that they be installed
- // from the gallery.
- // TODO(erikkay) Apply this rule for paid extensions and themes as well.
- if ((extension->update_url() ==
- GURL(extension_urls::kGalleryUpdateHttpsUrl)) ||
- (extension->update_url() ==
- GURL(extension_urls::kGalleryUpdateHttpUrl))) {
- *error = l10n_util::GetStringFUTF8(
- IDS_EXTENSION_DISALLOW_NON_DOWNLOADED_GALLERY_INSTALLS,
- l10n_util::GetStringUTF16(IDS_EXTENSION_WEB_STORE_TITLE));
- return false;
- }
}
}