author | aa@chromium.org <aa@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2009-11-22 02:25:04 +0000 |
---|---|---|
committer | aa@chromium.org <aa@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2009-11-22 02:25:04 +0000 |
commit | 62771440ed73d5f6f8b322ad5f7a2fa1837e8da9 (patch) | |
tree | 79e5441b6b2674afe18778fb42ba35a8166cae1b /chrome/browser/extensions/extension_install_ui.cc | |
parent | 98586a039c29ac0e4cfac919e5071c371563c770 (diff) | |
Revert change that disallowed content scripts access to
file:// URLs. It turns out teams were already depending on
this and we didn't want to break them.
Instead, group file:// access with NPAPI in the extension
install prompt.
Note: this is a pure revert of r402029 and r402069 (sorry
Finnur!) except the changes in extension_install_ui.cc,
which are new.
BUG=28456
Review URL: http://codereview.chromium.org/430003
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@32770 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'chrome/browser/extensions/extension_install_ui.cc')
-rw-r--r-- | chrome/browser/extensions/extension_install_ui.cc | 20 |
1 files changed, 20 insertions, 0 deletions
diff --git a/chrome/browser/extensions/extension_install_ui.cc b/chrome/browser/extensions/extension_install_ui.cc
index c89a9fa..72a7c1e 100644
--- a/chrome/browser/extensions/extension_install_ui.cc
+++ b/chrome/browser/extensions/extension_install_ui.cc
@@ -21,6 +21,7 @@
 #endif // TOOLKIT_VIEWS
 #include "chrome/common/extensions/extension.h"
 #include "chrome/common/notification_service.h"
+#include "chrome/common/url_constants.h"
 #include "grit/browser_resources.h"
 #include "grit/chromium_strings.h"
 #include "grit/generated_resources.h"
@@ -39,6 +40,25 @@ static std::wstring GetInstallWarning(Extension* extension) {
 if (!extension->plugins().empty())
 return l10n_util::GetString(IDS_EXTENSION_PROMPT_WARNING_NEW_FULL_ACCESS);
 
+ // We also show the severe warning if the extension has access to any file://
+ // URLs. They aren't *quite* as dangerous as full access to the system via
+ // NPAPI, but pretty dang close. Content scripts are currently the only way
+ // that extension can get access to file:// URLs.
+ for (UserScriptList::const_iterator script =
+ extension->content_scripts().begin();
+ script != extension->content_scripts().end();
+ ++script) {
+ for (UserScript::PatternList::const_iterator pattern =
+ script->url_patterns().begin();
+ pattern != script->url_patterns().end();
+ ++pattern) {
+ if (pattern->scheme() == chrome::kFileScheme) {
+ return l10n_util::GetString(
+ IDS_EXTENSION_PROMPT_WARNING_NEW_FULL_ACCESS);
+ }
+ }
+ }
+
 // Otherwise, we go in descending order of severity: all hosts, several hosts,
 // a single host, no hosts. For each of these, we also have a variation of the
 // message for when api permissions are also requested. |
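Review bot: The file:// check added to GetInstallWarning only walks `content_scripts()` and their `url_patterns()`, so the severe warning rests entirely on the comment's assumption that content scripts are the only route to file:// URLs; if host permissions or a later API can also match file://, the install prompt will under-warn without anything here failing. Consider moving the nested loops into a named predicate (for example `static bool HasFileAccess(Extension* extension)`) whose comment lists which permission sources are scanned and which are not, so the next permission type added is checked against it. The comparison `pattern->scheme() == chrome::kFileScheme` is an exact match, so it presumably relies on the pattern parser normalising the scheme and offering no wildcard-scheme form; that is worth confirming and stating in the comment. The comment's last sentence should read `that an extension can get access to file:// URLs`. GetInstallWarning's body continues past the end of the hunk.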