author | rafaelw@chromium.org <rafaelw@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2009-12-08 00:47:23 +0000 |
---|---|---|
committer | rafaelw@chromium.org <rafaelw@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2009-12-08 00:47:23 +0000 |
commit | b7c2f25802d9e74c4aec3f0b99feed1b7a951bad (patch) | |
tree | e674c739e2fce2326f82e5b1997b0564e1e28a94 /chrome/browser/renderer_host | |
parent | 900eef6269a3fcf167bc1a05036b2b1420dd85e1 (diff) | |
Revert "Allow silent extension installations from the extensions gallery - Part 1."
Original CL: http://codereview.chromium.org/400018/show
Looks like we're no longer hoping to get this approach into mstone4 release, so I'm unwinding this.
BUG=27431
TBR=aa
Review URL: http://codereview.chromium.org/467042
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@34025 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'chrome/browser/renderer_host')
10 files changed, 19 insertions, 81 deletions
diff --git a/chrome/browser/renderer_host/browser_render_process_host.cc b/chrome/browser/renderer_host/browser_render_process_host.cc
index 2ac3299..c7325ad 100644
--- a/chrome/browser/renderer_host/browser_render_process_host.cc
+++ b/chrome/browser/renderer_host/browser_render_process_host.cc
@@ -362,10 +362,6 @@ void BrowserRenderProcessHost::ReceivedBadMessage(uint32 msg_type) {
 BadMessageTerminateProcess(msg_type, GetHandle());
 }
-void BrowserRenderProcessHost::PolicyViolated(const std::string& policy_name) {
- PolicyViolationTerminateProcess(policy_name, GetHandle());
-}
-
 void BrowserRenderProcessHost::ViewCreated() {
 visited_link_updater_->ReceiverReady(this);
 }
@@ -804,19 +800,6 @@ void BrowserRenderProcessHost::BadMessageTerminateProcess(
 base::KillProcess(process, ResultCodes::KILLED_BAD_MESSAGE, false);
 }
-// Static. This function can be called from any thread.
-void BrowserRenderProcessHost::PolicyViolationTerminateProcess(
- const std::string& policy_name, base::ProcessHandle process) {
- LOG(ERROR) << "child process policy " << policy_name << " violated. "
- << "terminating renderer.";
- if (run_renderer_in_process()) {
- // In single process mode it is better if we don't suicide but just crash.
- CHECK(false);
- }
- NOTREACHED();
- base::KillProcess(process, ResultCodes::KILLED_POLICY_VIOLATION, false);
-}
-
 void BrowserRenderProcessHost::OnChannelError() {
 // Our child process has died. If we didn't expect it, it's a crash.
 // In any case, we need to let everyone know it's gone.
diff --git a/chrome/browser/renderer_host/browser_render_process_host.h b/chrome/browser/renderer_host/browser_render_process_host.h
index 89e4d82..cd94bf5 100644
--- a/chrome/browser/renderer_host/browser_render_process_host.h
+++ b/chrome/browser/renderer_host/browser_render_process_host.h
@@ -67,7 +67,6 @@ class BrowserRenderProcessHost : public RenderProcessHost,
 const base::TimeDelta& max_delay,
 IPC::Message* msg);
 virtual void ReceivedBadMessage(uint32 msg_type);
- virtual void PolicyViolated(const std::string& policy_name);
 virtual void WidgetRestored();
 virtual void WidgetHidden();
 virtual void ViewCreated();
@@ -93,13 +92,6 @@ class BrowserRenderProcessHost : public RenderProcessHost,
 static void BadMessageTerminateProcess(uint32 msg_type,
 base::ProcessHandle renderer);
- // Called to terminate a renderer which has violated the conditions of a
- // security policy privilege. This function can be safely called from any
- // thread.
- static void PolicyViolationTerminateProcess(const std::string& policy_name,
- base::ProcessHandle renderer);
-
-
 // NotificationObserver implementation.
 virtual void Observe(NotificationType type,
 const NotificationSource& source,
diff --git a/chrome/browser/renderer_host/mock_render_process_host.cc b/chrome/browser/renderer_host/mock_render_process_host.cc
index 96df560..8be0416 100644
--- a/chrome/browser/renderer_host/mock_render_process_host.cc
+++ b/chrome/browser/renderer_host/mock_render_process_host.cc
@@ -41,10 +41,6 @@ void MockRenderProcessHost::ReceivedBadMessage(uint32 msg_type) {
 ++bad_msg_count_;
 }
-void MockRenderProcessHost::PolicyViolated(const std::string& policy_name) {
- NOTIMPLEMENTED();
-}
-
 void MockRenderProcessHost::WidgetRestored() {
 }
diff --git a/chrome/browser/renderer_host/mock_render_process_host.h b/chrome/browser/renderer_host/mock_render_process_host.h
index 1ee1905..aa04651 100644
--- a/chrome/browser/renderer_host/mock_render_process_host.h
+++ b/chrome/browser/renderer_host/mock_render_process_host.h
@@ -39,7 +39,6 @@ class MockRenderProcessHost : public RenderProcessHost {
 const base::TimeDelta& max_delay,
 IPC::Message* msg);
 virtual void ReceivedBadMessage(uint32 msg_type);
- virtual void PolicyViolated(const std::string& policy_name);
 virtual void WidgetRestored();
 virtual void WidgetHidden();
 virtual void ViewCreated();
diff --git a/chrome/browser/renderer_host/render_process_host.cc b/chrome/browser/renderer_host/render_process_host.cc
index 7418a8b..5f9363e 100644
--- a/chrome/browser/renderer_host/render_process_host.cc
+++ b/chrome/browser/renderer_host/render_process_host.cc
@@ -59,20 +59,11 @@ static bool IsSuitableHost(RenderProcessHost* host, Profile* profile,
 if (host->profile() != profile)
 return false;
- // We classify renderers according to their highest privilege, and try
- // to group pages into renderers with similar privileges.
- // Note: it may be possible for a renderer to have both DOMUI and EXTENSION
- // privileges, in which case we call it an "extension" renderer.
- // TYPE_EXTENSION_GALLERY should never be TYPE_DOMUI and/or TYPE_EXTENSION
- // as well.
 RenderProcessHost::Type host_type = RenderProcessHost::TYPE_NORMAL;
- if (ChildProcessSecurityPolicy::GetInstance()->
- CanInstallExtensionsSilently(host->id()))
- host_type = RenderProcessHost::TYPE_EXTENSION_GALLERY;
 if (ChildProcessSecurityPolicy::GetInstance()->HasDOMUIBindings(host->id()))
 host_type = RenderProcessHost::TYPE_DOMUI;
 if (ChildProcessSecurityPolicy::GetInstance()->
- HasExtensionBindings(host->id()))
+ HasExtensionBindings(host->id()))
 host_type = RenderProcessHost::TYPE_EXTENSION;
 return host_type == type;
diff --git a/chrome/browser/renderer_host/render_process_host.h b/chrome/browser/renderer_host/render_process_host.h
index 0949ffb..aad1f83 100644
--- a/chrome/browser/renderer_host/render_process_host.h
+++ b/chrome/browser/renderer_host/render_process_host.h
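Review bot: In IsSuitableHost (render_process_host.cc) the classification that remains depends on statement order: `host_type` is set to TYPE_DOMUI and then overwritten with TYPE_EXTENSION, so a host holding both bindings is matched as an extension renderer. The comment that stated this is deleted by the hunk and nothing at this site replaces it. Because this function decides which renderer processes may be shared between pages, I would keep one line above the checks, e.g. `// Order matters: a host with both DOMUI and extension bindings is classified as TYPE_EXTENSION.` IsSuitableHost begins above the hunk and its closing brace is not shown.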
@@ -38,16 +38,12 @@ class RenderProcessHost : public IPC::Channel::Sender,
 // We classify renderers according to their highest privilege, and try
 // to group pages into renderers with similar privileges.
- // Note: it may be possible for a renderer to have both DOMUI and EXTENSION
- // privileges, in which case we call it an "extension" renderer.
- // TYPE_EXTENSION_GALLERY should never be TYPE_DOMUI and/or TYPE_EXTENSION
- // as well.
+ // Note: it may be possible for a renderer to have multiple privileges,
+ // in which case we call it an "extension" renderer.
 enum Type {
- TYPE_NORMAL, // Normal renderer, no extra privileges.
- TYPE_EXTENSION_GALLERY, // Renderer with silent extension installation
- // privileges.
- TYPE_DOMUI, // Renderer with DOMUI privileges, like New Tab.
- TYPE_EXTENSION // Renderer with extension privileges.
+ TYPE_NORMAL, // Normal renderer, no extra privileges.
+ TYPE_DOMUI, // Renderer with DOMUI privileges, like New Tab.
+ TYPE_EXTENSION, // Renderer with extension privileges.
 };
 // Details for RENDERER_PROCESS_CLOSED notifications.
@@ -179,9 +175,6 @@ class RenderProcessHost : public IPC::Channel::Sender,
 // Called when a received message cannot be decoded.
 virtual void ReceivedBadMessage(uint32 msg_type) = 0;
- // Called when a renderer security policy is violated.
- virtual void PolicyViolated(const std::string& policy_name) = 0;
-
 // Track the count of visible widgets. Called by listeners to register and
 // unregister visibility.
 virtual void WidgetRestored() = 0;
diff --git a/chrome/browser/renderer_host/render_view_host.cc b/chrome/browser/renderer_host/render_view_host.cc
index 070e317..b414aea 100644
--- a/chrome/browser/renderer_host/render_view_host.cc
+++ b/chrome/browser/renderer_host/render_view_host.cc
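Review bot: The rewritten `enum Type` in render_process_host.h now ends with `TYPE_EXTENSION,`, a trailing comma that the list it replaces did not have. C++03 does not permit a trailing comma in an enumerator list (it became legal in C++11), so stricter compilers may warn or reject it. If this tree is still built as C++03, I would write the last enumerator as `TYPE_EXTENSION  // Renderer with extension privileges.` without the comma.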
@@ -30,7 +30,6 @@
 #include "chrome/browser/renderer_host/render_widget_host_view.h"
 #include "chrome/browser/renderer_host/site_instance.h"
 #include "chrome/common/bindings_policy.h"
-#include "chrome/common/extensions/extension.h"
 #include "chrome/common/notification_details.h"
 #include "chrome/common/notification_service.h"
 #include "chrome/common/notification_type.h"
@@ -967,14 +966,6 @@ void RenderViewHost::OnMsgNavigate(const IPC::Message& msg) {
 const int renderer_id = process()->id();
 ChildProcessSecurityPolicy* policy =
 ChildProcessSecurityPolicy::GetInstance();
- // Gallery URLs are granted CanInstallExtensionsSilently. RenderView delegates
- // navigations to & from gallery URLs to the browser process so it can swap
- // processes and ensure that non-gallery URLs do not acquire this privilege.
- // This is an extra-paranoid check on a privileged renderer navigating away.
- if (policy->CanInstallExtensionsSilently(renderer_id) &&
- !Extension::IsGalleryURL(validated_params.url)) {
- process()->PolicyViolated("can_silently_install_extensions");
- }
 // Without this check, an evil renderer can trick the browser into creating
 // a navigation entry for a banned URL. If the user clicks the back button
 // followed by the forward button (or clicks reload, or round-trips through
diff --git a/chrome/browser/renderer_host/site_instance.cc b/chrome/browser/renderer_host/site_instance.cc
index 115845f..337ce3d 100644
--- a/chrome/browser/renderer_host/site_instance.cc
+++ b/chrome/browser/renderer_host/site_instance.cc
@@ -7,8 +7,6 @@
 #include "chrome/browser/browsing_instance.h"
 #include "chrome/browser/dom_ui/dom_ui_factory.h"
 #include "chrome/browser/renderer_host/browser_render_process_host.h"
-#include "chrome/common/extensions/extension.h"
-#include "chrome/common/extensions/extension_constants.h"
 #include "chrome/common/url_constants.h"
 #include "chrome/common/notification_service.h"
 #include "net/base/registry_controlled_domain.h"
@@ -117,16 +115,6 @@ GURL SiteInstance::GetSiteForURL(const GURL& url) {
 // URLs with no host should have an empty site.
 GURL site;
- // Hack warning: Extension gallery URLs are special-cased here. Extension
- // gallery pages are granted special privileges to install extensions without
- // a warning dialog. It is important that no other URLs share the render
- // with these privileges. However, since the gallery is a sub-domain of
- // google.com, the SiteInstance is specially treated to avoid having other
- // google.com subdomains be grouped with it. Generalizing this kind of special
- // case in the future seems desirable if we come upon another similar need.
- if (Extension::IsGalleryURL(url))
- return GURL(extension_urls::kGalleryBrowsePrefix);
-
 // TODO(creis): For many protocols, we should just treat the scheme as the
 // site, since there is no host. e.g., file:, about:, chrome:
@@ -176,10 +164,6 @@ bool SiteInstance::IsSameWebSite(const GURL& url1, const GURL& url2) {
 if (url1.scheme() != url2.scheme())
 return false;
- // Hack. Special case Extension gallery URLs. See note in GetSiteForURL().
- if (Extension::IsGalleryURL(url1) || Extension::IsGalleryURL(url2))
- return Extension::IsGalleryURL(url1) && Extension::IsGalleryURL(url2);
-
 return net::RegistryControlledDomainService::SameDomainOrHost(url1, url2);
 }
@@ -195,9 +179,6 @@ RenderProcessHost::Type SiteInstance::GetRendererType() {
 if (DOMUIFactory::HasDOMUIScheme(site_))
 return RenderProcessHost::TYPE_DOMUI;
- if (Extension::IsGalleryURL(site_))
- return RenderProcessHost::TYPE_EXTENSION_GALLERY;
-
 return RenderProcessHost::TYPE_NORMAL;
 }
diff --git a/chrome/browser/renderer_host/test/test_render_view_host.cc b/chrome/browser/renderer_host/test/test_render_view_host.cc
index 85de55a..e9e848f 100644
--- a/chrome/browser/renderer_host/test/test_render_view_host.cc
+++ b/chrome/browser/renderer_host/test/test_render_view_host.cc
@@ -15,11 +15,15 @@ TestRenderViewHost::TestRenderViewHost(SiteInstance* instance,
 RenderViewHostDelegate* delegate,
 int routing_id)
 : RenderViewHost(instance, delegate, routing_id),
- render_view_created_(false) {
+ render_view_created_(false),
+ delete_counter_(NULL) {
 set_view(new TestRenderWidgetHostView(this));
 }
 TestRenderViewHost::~TestRenderViewHost() {
+ if (delete_counter_)
+ ++*delete_counter_;
+
 // Since this isn't a traditional view, we have to delete it.
 delete view();
 }
diff --git a/chrome/browser/renderer_host/test/test_render_view_host.h b/chrome/browser/renderer_host/test/test_render_view_host.h
index 9d3b4f4..b1458a1 100644
--- a/chrome/browser/renderer_host/test/test_render_view_host.h
+++ b/chrome/browser/renderer_host/test/test_render_view_host.h
@@ -117,6 +117,11 @@ class TestRenderViewHost : public RenderViewHost {
 // This is a helper function for simulating the most common types of loads.
 void SendNavigate(int page_id, const GURL& url);
+ // If set, *delete_counter is incremented when this object destructs.
+ void set_delete_counter(int* delete_counter) {
+ delete_counter_ = delete_counter;
+ }
+
 // Sets whether the RenderView currently exists or not. This controls the
 // return value from IsRenderViewLive, which the rest of the system uses to
 // check whether the RenderView has crashed or not.
@@ -136,6 +141,9 @@ class TestRenderViewHost : public RenderViewHost {
 // respond to IsRenderViewLive appropriately.
 bool render_view_created_;
+ // See set_delete_counter() above. May be NULL.
+ int* delete_counter_;
+
 DISALLOW_COPY_AND_ASSIGN(TestRenderViewHost);
 };
|
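Review bot: `~TestRenderViewHost()` in test_render_view_host.cc writes through the raw pointer (`++*delete_counter_`), but neither that hunk nor the comments added in test_render_view_host.h say who owns the pointee or how long it must live. A test that passes the address of a local and lets the host outlive that scope would have the destructor write to storage that no longer exists. I would extend the comment on `set_delete_counter()` to `// If set, *delete_counter is incremented when this object destructs. Not owned; the pointee must outlive this object.` and leave the member comment pointing to it as it does now.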