[Extensions] Wire in the ActiveScriptController with WebRequest

Finish the process of wiring up webRequest with the rest of the blocked actions
by notifying the ActiveScriptController of a webRequest that was withheld.

BUG=460306

Review URL: https://codereview.chromium.org/1694973002

Cr-Commit-Position: refs/heads/master@{#375968}

5 files changed, 41 insertions, 23 deletions

diff --git a/extensions/browser/api/declarative_webrequest/webrequest_action.cc b/extensions/browser/api/declarative_webrequest/webrequest_action.cc
index c5dad854..6cf0dbb 100644
--- a/extensions/browser/api/declarative_webrequest/webrequest_action.cc
+++ b/extensions/browser/api/declarative_webrequest/webrequest_action.cc
@@ -509,8 +509,9 @@ bool WebRequestAction::HasPermission(const InfoMap* extension_info_map,
   }
   // TODO(devlin): Pass in the real tab id here.
   return WebRequestPermissions::CanExtensionAccessURL(
-      extension_info_map, extension_id, request->url(), -1, crosses_incognito,
-      permission_check);
+             extension_info_map, extension_id, request->url(), -1,
+             crosses_incognito,
+             permission_check) == PermissionsData::ACCESS_ALLOWED;
 }
 
 // static
diff --git a/extensions/browser/api/web_request/web_request_api.cc b/extensions/browser/api/web_request/web_request_api.cc
index ddec87c5..a43d14a 100644
--- a/extensions/browser/api/web_request/web_request_api.cc
+++ b/extensions/browser/api/web_request/web_request_api.cc
@@ -1352,12 +1352,19 @@ void ExtensionWebRequestEventRouter::GetMatchingListenersImpl(
             render_process_id, render_frame_id, &frame_data)) {
       tab_id = frame_data.tab_id;
     }
-    if (!is_web_view_guest &&
-        !WebRequestPermissions::CanExtensionAccessURL(
-            extension_info_map, listener.extension_id, url, tab_id,
-            crosses_incognito,
-            WebRequestPermissions::REQUIRE_HOST_PERMISSION)) {
-      continue;
+    if (!is_web_view_guest) {
+      PermissionsData::AccessType access =
+          WebRequestPermissions::CanExtensionAccessURL(
+              extension_info_map, listener.extension_id, url, tab_id,
+              crosses_incognito,
+              WebRequestPermissions::REQUIRE_HOST_PERMISSION);
+      if (access != PermissionsData::ACCESS_ALLOWED) {
+        if (access == PermissionsData::ACCESS_WITHHELD) {
+          web_request_event_router_delegate_->NotifyWebRequestWithheld(
+              render_process_id, render_frame_id, listener.extension_id);
+        }
+        continue;
+      }
     }
 
     bool blocking_listener =
diff --git a/extensions/browser/api/web_request/web_request_event_router_delegate.h b/extensions/browser/api/web_request/web_request_event_router_delegate.h
index 35f3dbb..212f0b7 100644
--- a/extensions/browser/api/web_request/web_request_event_router_delegate.h
+++ b/extensions/browser/api/web_request/web_request_event_router_delegate.h
@@ -54,6 +54,12 @@ class WebRequestEventRouterDelegate {
                                     scoped_ptr<base::DictionaryValue> details) {
   }
 
+  // Notifies that a webRequest event that normally would be forwarded to a
+  // listener was instead blocked because of withheld permissions.
+  virtual void NotifyWebRequestWithheld(int render_process_id,
+                                        int render_frame_id,
+                                        const std::string& extension_id) {}
+
  private:
   DISALLOW_COPY_AND_ASSIGN(WebRequestEventRouterDelegate);
 };
diff --git a/extensions/browser/api/web_request/web_request_permissions.cc b/extensions/browser/api/web_request/web_request_permissions.cc
index 78ab323..f213890 100644
--- a/extensions/browser/api/web_request/web_request_permissions.cc
+++ b/extensions/browser/api/web_request/web_request_permissions.cc
@@ -18,6 +18,7 @@
 #include "url/origin.h"
 
 using content::ResourceRequestInfo;
+using extensions::PermissionsData;
 
 namespace {
 
@@ -104,7 +105,7 @@ bool WebRequestPermissions::HideRequest(
 }
 
 // static
-bool WebRequestPermissions::CanExtensionAccessURL(
+PermissionsData::AccessType WebRequestPermissions::CanExtensionAccessURL(
     const extensions::InfoMap* extension_info_map,
     const std::string& extension_id,
     const GURL& url,
@@ -113,37 +114,39 @@ bool WebRequestPermissions::CanExtensionAccessURL(
     HostPermissionsCheck host_permissions_check) {
   // extension_info_map can be NULL in testing.
   if (!extension_info_map)
-    return true;
+    return PermissionsData::ACCESS_ALLOWED;
 
   const extensions::Extension* extension =
       extension_info_map->extensions().GetByID(extension_id);
   if (!extension)
-    return false;
+    return PermissionsData::ACCESS_DENIED;
 
   // Check if this event crosses incognito boundaries when it shouldn't.
   if (crosses_incognito && !extension_info_map->CanCrossIncognito(extension))
-    return false;
+    return PermissionsData::ACCESS_DENIED;
 
+  PermissionsData::AccessType access = PermissionsData::ACCESS_DENIED;
   switch (host_permissions_check) {
     case DO_NOT_CHECK_HOST:
+      access = PermissionsData::ACCESS_ALLOWED;
       break;
     case REQUIRE_HOST_PERMISSION:
       // about: URLs are not covered in host permissions, but are allowed
       // anyway.
-      if (!url.SchemeIs(url::kAboutScheme) &&
-          !url::IsSameOriginWith(url, extension->url())) {
-        extensions::PermissionsData::AccessType access =
-            extension->permissions_data()->GetPageAccess(extension, url, tab_id,
-                                                         nullptr);
-        if (access != extensions::PermissionsData::ACCESS_ALLOWED)
-          return false;
+      if (url.SchemeIs(url::kAboutScheme) ||
+          url::IsSameOriginWith(url, extension->url())) {
+        access = PermissionsData::ACCESS_ALLOWED;
+        break;
       }
+      access = extension->permissions_data()->GetPageAccess(extension, url,
+                                                            tab_id, nullptr);
       break;
     case REQUIRE_ALL_URLS:
-      if (!extension->permissions_data()->HasEffectiveAccessToAllHosts())
-        return false;
+      if (extension->permissions_data()->HasEffectiveAccessToAllHosts())
+        access = PermissionsData::ACCESS_ALLOWED;
+      // else ACCESS_DENIED
       break;
   }
 
-  return true;
+  return access;
 }
diff --git a/extensions/browser/api/web_request/web_request_permissions.h b/extensions/browser/api/web_request/web_request_permissions.h
index 2153183..f24b019 100644
--- a/extensions/browser/api/web_request/web_request_permissions.h
+++ b/extensions/browser/api/web_request/web_request_permissions.h
@@ -9,6 +9,7 @@
 #include <string>
 
 #include "base/macros.h"
+#include "extensions/common/permissions/permissions_data.h"
 
 class GURL;
 
@@ -36,7 +37,7 @@ class WebRequestPermissions {
 
   // |host_permission_check| controls how permissions are checked with regard to
   // |url|.
-  static bool CanExtensionAccessURL(
+  static extensions::PermissionsData::AccessType CanExtensionAccessURL(
       const extensions::InfoMap* extension_info_map,
       const std::string& extension_id,
       const GURL& url,