authornasko@chromium.org <nasko@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2013-04-03 19:50:47 +0000
committernasko@chromium.org <nasko@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2013-04-03 19:50:47 +0000
commit5cd56344c217d3e01263e0745c39a30c22c203ba (patch)
tree9c007d78640af9f9488b31115374203f71d23700 /chrome/test/data
parent49d6f06fcda53bbc68c152b4285ba86d7cc61694 (diff)
Non-web-accessible extension URLs should not load in non-extension processes
This is a slightly modified version of my previous CL: https://codereview.chromium.org/12218064/. The only difference is that we allow any resource request to succeed if the extension has any web_accessible_resources. The reason is that we have been lax and allowed subresource loads even if they are not explicitly added to the manifest (see crbug.com/179127 for details). This should be tightened up with a v3 manifest requirement to explicitly list all subresources. BUG=173688 Review URL: https://chromiumcodereview.appspot.com/12457042 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@192121 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'chrome/test/data')
-rw-r--r--chrome/test/data/chrome_extension_resource.html33
1 files changed, 33 insertions, 0 deletions
diff --git a/chrome/test/data/chrome_extension_resource.html b/chrome/test/data/chrome_extension_resource.html
new file mode 100644
index 0000000..34c996c
--- /dev/null
+++ b/chrome/test/data/chrome_extension_resource.html
@@ -0,0 +1,33 @@
+<html>
+<head>
+<script>
+var xhrStatus = -1;
+var imgUrl = 'chrome-extension://eemcgdkfndhakfknompkggombfjjjeno/images/bookmark_manager_recent.png';
+
+window.onload = function() {
+ // The call to pushState with chrome-extension:// URL will succeed, since the
+ // test uses --disable-web-security.
+ history.pushState('', '',
+ 'chrome-extension://eemcgdkfndhakfknompkggombfjjjeno/main.html');
+ var xhr = new XMLHttpRequest();
+ xhr.onreadystatechange = function() {
+ if (xhr.readyState == 4) {
+ xhrStatus = xhr.status;
+ if (xhrStatus == 200) {
+ document.getElementById('star').src =
+ window.URL.createObjectURL(this.response);
+ }
+ domAutomationController.setAutomationId(0);
+ domAutomationController.send(xhr.status);
+ }
+ }
+ xhr.open('GET', imgUrl);
+ xhr.responseType = 'blob';
+ xhr.send();
+}
+</script>
+</head>
+<body>
+<img id='star'>
+</body>
+</html>
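Review bot: The fixture never says which result it expects, and the only signal it reports is `domAutomationController.send(xhr.status)`, so a load refused by the new process check is likely indistinguishable from one that fails for an unrelated reason, such as the extension not being loaded or the image path having moved. If the browser-side test asserts on a non-200 status (not visible in this hunk), it would keep passing after such a fixture break, and the check would no longer be exercised. I would add a header comment in the script such as `// Expected: the XHR must not return 200, because this page runs in a non-extension process.` and pair it with a positive control that requests the same image from a context where the load is allowed. The comment above `history.pushState` explains why the call succeeds but not why it is needed; presumably it makes the document URL look like an extension page so the decision rests on the requesting process, which is worth stating. `xhrStatus` is assigned but not read anywhere in the hunk, so either note who consumes it or drop it.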