author | rdevlin.cronin <rdevlin.cronin@chromium.org> | 2016-02-11 15:25:58 -0800 |
---|---|---|
committer | Commit bot <commit-bot@chromium.org> | 2016-02-11 23:26:59 +0000 |
commit | 9a62870fce8cd82a7dc43ea4786313c1b199e674 (patch) | |
tree | 5a6c4e2a87ffa349fc99bf5f9e60dc7be1488cc8 /extensions/browser/api | |
parent | 308e3ee0c13d0c31ebdddaeb147d53b7d702026b (diff) | |
[Extensions] Hook the webRequest API into tab permissions with click-to-script
With click-to-script turned on, webRequest needs to respect tab-specific
permissions so that when the user grants access to a tab, the extension can
operate on it. In order to do this, we also need access to the tab id on the
IO thread.
Add the tab id to the ExtensionApiFrameIdMap, and check for it in the webRequest
api. For now, don't do anything if the frame isn't cached - that'll come later.
This also doesn't hook webRequest into requesting permissions - that's next.
BUG=460306
Review URL: https://codereview.chromium.org/1687913002
Cr-Commit-Position: refs/heads/master@{#375036}
Diffstat (limited to 'extensions/browser/api')
6 files changed, 34 insertions, 13 deletions
diff --git a/extensions/browser/api/declarative_webrequest/webrequest_action.cc b/extensions/browser/api/declarative_webrequest/webrequest_action.cc index e3cf9a8..c5dad854 100644 --- a/extensions/browser/api/declarative_webrequest/webrequest_action.cc +++ b/extensions/browser/api/declarative_webrequest/webrequest_action.cc @@ -507,8 +507,9 @@ bool WebRequestAction::HasPermission(const InfoMap* extension_info_map, permission_check = WebRequestPermissions::REQUIRE_HOST_PERMISSION; break; } + // TODO(devlin): Pass in the real tab id here. return WebRequestPermissions::CanExtensionAccessURL( - extension_info_map, extension_id, request->url(), crosses_incognito, + extension_info_map, extension_id, request->url(), -1, crosses_incognito, permission_check); } diff --git a/extensions/browser/api/web_request/web_request_api.cc b/extensions/browser/api/web_request/web_request_api.cc index 532e43d..ddec87c5 100644 --- a/extensions/browser/api/web_request/web_request_api.cc +++ b/extensions/browser/api/web_request/web_request_api.cc @@ -1340,9 +1340,22 @@ void ExtensionWebRequestEventRouter::GetMatchingListenersImpl( continue; } + int tab_id = -1; + int render_process_id = -1; + int render_frame_id = -1; + ExtensionApiFrameIdMap::FrameData frame_data; + // TODO(devlin): Figure out when one/both of these can fail, and if we + // need to address it. + if (content::ResourceRequestInfo::GetRenderFrameForRequest( + request, &render_process_id, &render_frame_id) && + ExtensionApiFrameIdMap::Get()->GetCachedFrameDataOnIO( + render_process_id, render_frame_id, &frame_data)) { + tab_id = frame_data.tab_id; + } if (!is_web_view_guest && !WebRequestPermissions::CanExtensionAccessURL( - extension_info_map, listener.extension_id, url, crosses_incognito, + extension_info_map, listener.extension_id, url, tab_id, + crosses_incognito, WebRequestPermissions::REQUIRE_HOST_PERMISSION)) { continue; } 
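Review bot: The bare `-1` passed as the new tab-id argument in `WebRequestAction::HasPermission` is an undocumented sentinel; the same value is the initial `tab_id` in `GetMatchingListenersImpl` (web_request_api.cc), and the new `int tab_id` parameter declared in web_request_permissions.h carries no description of it. I would state the contract once on the declaration, for example `// |tab_id| is the tab the request belongs to, or -1 if unknown.`, and use a named constant at the call sites instead of the literal. Assuming `GetPageAccess` ignores tab-specific grants when given -1, declarative webRequest rules never benefit from a per-tab grant until the TODO is resolved; that fails closed, but the TODO text should say so. The body of `HasPermission` starts outside this hunk.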
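Review bot: The render-frame and cached-frame-data lookup added in `GetMatchingListenersImpl` depends only on `request`, yet it sits after a `continue` and just above a use of `listener.extension_id`, so it appears to run once per listener; it is also evaluated for web view guests, where `tab_id` is never read. Hoisting it above the listener loop and holding the result in a `const int tab_id` would do the lookup once per request. When either call fails, `tab_id` stays -1 and the permission check runs without any tab-specific grant, so an extension the user granted access to on that tab may silently miss the event; the TODO could record this, e.g. `// On a cache miss tab_id stays -1 and only non-tab permissions apply.`. The function begins and ends outside this hunk.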
@@ -2051,9 +2064,13 @@ bool WebRequestInternalAddEventListenerFunction::RunSync() { // while having host permissions for http://www.example.com/foo/* and // http://www.example.com/bar/*. // For this reason we do only a coarse check here to warn the extension - // developer if he does something obviously wrong. + // developer if they do something obviously wrong. if (extension->permissions_data() ->GetEffectiveHostPermissions() + .is_empty() && + extension->permissions_data() + ->withheld_permissions() + .explicit_hosts() .is_empty()) { error_ = keys::kHostPermissionsRequired; return false; diff --git a/extensions/browser/api/web_request/web_request_event_details.cc b/extensions/browser/api/web_request/web_request_event_details.cc index 2382dcd..04fa9fb 100644 --- a/extensions/browser/api/web_request/web_request_event_details.cc +++ b/extensions/browser/api/web_request/web_request_event_details.cc @@ -13,7 +13,6 @@ #include "extensions/browser/api/web_request/upload_data_presenter.h" #include "extensions/browser/api/web_request/web_request_api_constants.h" #include "extensions/browser/api/web_request/web_request_api_helpers.h" -#include "extensions/browser/extension_api_frame_id_map.h" #include "ipc/ipc_message.h" #include "net/base/auth.h" #include "net/base/upload_data_stream.h" @@ -162,7 +161,7 @@ void WebRequestEventDetails::DetermineFrameIdOnUI() { void WebRequestEventDetails::DetermineFrameIdOnIO( const DeterminedFrameIdCallback& callback) { scoped_ptr<WebRequestEventDetails> self(this); - ExtensionApiFrameIdMap::Get()->GetFrameIdOnIO( + ExtensionApiFrameIdMap::Get()->GetFrameDataOnIO( render_process_id_, render_frame_id_, base::Bind(&WebRequestEventDetails::OnDeterminedFrameId, base::Unretained(this), base::Passed(&self), callback)); 
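Review bot: The extended condition in `RunSync` has no comment explaining why withheld hosts now count, and the existing comment above it still describes only the coarse host-permission check. Judging from the commit description, an extension whose hosts are all withheld under click-to-script can still be granted access per tab, so a line such as `// Withheld explicit hosts count as well: the user may grant them per tab later.` would make that intent visible. Only `explicit_hosts()` of the withheld set is consulted; if leaving out other withheld patterns is deliberate, that deserves a word too. `RunSync` starts outside this hunk.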
@@ -189,10 +188,9 @@ scoped_ptr<base::DictionaryValue> WebRequestEventDetails::GetAndClearDict() { void WebRequestEventDetails::OnDeterminedFrameId( scoped_ptr<WebRequestEventDetails> self, const DeterminedFrameIdCallback& callback, - int extension_api_frame_id, - int extension_api_parent_frame_id) { - dict_.SetInteger(keys::kFrameIdKey, extension_api_frame_id); - dict_.SetInteger(keys::kParentFrameIdKey, extension_api_parent_frame_id); + const ExtensionApiFrameIdMap::FrameData& frame_data) { + dict_.SetInteger(keys::kFrameIdKey, frame_data.frame_id); + dict_.SetInteger(keys::kParentFrameIdKey, frame_data.parent_frame_id); callback.Run(std::move(self)); } diff --git a/extensions/browser/api/web_request/web_request_event_details.h b/extensions/browser/api/web_request/web_request_event_details.h index 91e29bf..7bb3644 100644 --- a/extensions/browser/api/web_request/web_request_event_details.h +++ b/extensions/browser/api/web_request/web_request_event_details.h @@ -11,6 +11,7 @@ #include "base/macros.h" #include "base/memory/scoped_ptr.h" #include "base/values.h" +#include "extensions/browser/extension_api_frame_id_map.h" namespace net { class AuthChallengeInfo; @@ -119,8 +120,7 @@ class WebRequestEventDetails { private: void OnDeterminedFrameId(scoped_ptr<WebRequestEventDetails> self, const DeterminedFrameIdCallback& callback, - int extension_api_frame_id, - int extension_api_parent_frame_id); + const ExtensionApiFrameIdMap::FrameData& frame_data); // The details that are always included in a webRequest event object. base::DictionaryValue dict_; diff --git a/extensions/browser/api/web_request/web_request_permissions.cc b/extensions/browser/api/web_request/web_request_permissions.cc index ec0aa17..78ab323 100644 --- a/extensions/browser/api/web_request/web_request_permissions.cc +++ b/extensions/browser/api/web_request/web_request_permissions.cc 
@@ -108,6 +108,7 @@ bool WebRequestPermissions::CanExtensionAccessURL( const extensions::InfoMap* extension_info_map, const std::string& extension_id, const GURL& url, + int tab_id, bool crosses_incognito, HostPermissionsCheck host_permissions_check) { // extension_info_map can be NULL in testing. @@ -130,9 +131,12 @@ bool WebRequestPermissions::CanExtensionAccessURL( // about: URLs are not covered in host permissions, but are allowed // anyway. if (!url.SchemeIs(url::kAboutScheme) && - !extension->permissions_data()->HasHostPermission(url) && !url::IsSameOriginWith(url, extension->url())) { - return false; + extensions::PermissionsData::AccessType access = + extension->permissions_data()->GetPageAccess(extension, url, tab_id, + nullptr); + if (access != extensions::PermissionsData::ACCESS_ALLOWED) + return false; } break; case REQUIRE_ALL_URLS: diff --git a/extensions/browser/api/web_request/web_request_permissions.h b/extensions/browser/api/web_request/web_request_permissions.h index a710cee..2153183 100644 --- a/extensions/browser/api/web_request/web_request_permissions.h +++ b/extensions/browser/api/web_request/web_request_permissions.h @@ -40,6 +40,7 @@ class WebRequestPermissions { const extensions::InfoMap* extension_info_map, const std::string& extension_id, const GURL& url, + int tab_id, bool crosses_incognito, HostPermissionsCheck host_permissions_check); |
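Review bot: In the `REQUIRE_HOST_PERMISSION` case the `access != ACCESS_ALLOWED` test treats a withheld result exactly like a denial, and nothing at the call site says this is intended while webRequest cannot yet request access. A comment such as `// ACCESS_WITHHELD is treated as denied until webRequest can request tab permissions.` would record that decision next to the check. Because `GetPageAccess` replaces a plain `HasHostPermission(url)` match, it may apply checks the old call did not; it is worth confirming that no request previously visible to an extension is now dropped. The switch this case belongs to starts outside the hunk.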