Webview should only allow resources loading from the extension that embedded it.

This fixes an issue where Webview would allow cross renderer resource loads without checking if the URL referenced the same App that embedded the Webview.

BUG=470890

Review URL: https://codereview.chromium.org/1030323004

Cr-Commit-Position: refs/heads/master@{#323139}

2 files changed, 16 insertions, 26 deletions

diff --git a/extensions/common/manifest_handlers/webview_info.cc b/extensions/common/manifest_handlers/webview_info.cc
index 3b30bbe..99e9d40 100644
--- a/extensions/common/manifest_handlers/webview_info.cc
+++ b/extensions/common/manifest_handlers/webview_info.cc
@@ -18,16 +18,6 @@ namespace extensions {
 namespace keys = extensions::manifest_keys;
 namespace errors = extensions::manifest_errors;
 
-namespace {
-
-const WebviewInfo* GetResourcesInfo(
-    const Extension& extension) {
-  return static_cast<WebviewInfo*>(
-      extension.GetManifestData(keys::kWebviewAccessibleResources));
-}
-
-}  // namespace
-
 // A PartitionItem represents a set of accessible resources given a partition
 // ID pattern.
 class PartitionItem {
@@ -60,27 +50,25 @@ class PartitionItem {
   URLPatternSet accessible_resources_;
 };
 
-
-WebviewInfo::WebviewInfo() {
+WebviewInfo::WebviewInfo(const std::string& extension_id)
+    : extension_id_(extension_id) {
 }
 
 WebviewInfo::~WebviewInfo() {
 }
 
-// static
 bool WebviewInfo::IsResourceWebviewAccessible(
     const Extension* extension,
     const std::string& partition_id,
-    const std::string& relative_path) {
-  if (!extension)
+    const std::string& relative_path) const {
+  if (!extension || extension->id() != extension_id_)
     return false;
 
-  const WebviewInfo* info = GetResourcesInfo(*extension);
-  if (!info)
-    return false;
+  DCHECK_EQ(this,
+            extension->GetManifestData(keys::kWebviewAccessibleResources));
 
-  for (size_t i = 0; i < info->partition_items_.size(); ++i) {
-    const PartitionItem* const item = info->partition_items_[i];
+  for (size_t i = 0; i < partition_items_.size(); ++i) {
+    const PartitionItem* const item = partition_items_[i];
     if (item->Matches(partition_id) &&
         extension->ResourceMatches(item->accessible_resources(),
                                    relative_path)) {
@@ -102,7 +90,7 @@ WebviewHandler::~WebviewHandler() {
 }
 
 bool WebviewHandler::Parse(Extension* extension, base::string16* error) {
-  scoped_ptr<WebviewInfo> info(new WebviewInfo());
+  scoped_ptr<WebviewInfo> info(new WebviewInfo(extension->id()));
 
   const base::DictionaryValue* dict_value = NULL;
   if (!extension->manifest()->GetDictionary(keys::kWebview,
diff --git a/extensions/common/manifest_handlers/webview_info.h b/extensions/common/manifest_handlers/webview_info.h
index 2cd501e..968e5fd 100644
--- a/extensions/common/manifest_handlers/webview_info.h
+++ b/extensions/common/manifest_handlers/webview_info.h
@@ -21,17 +21,19 @@ class PartitionItem;
 class WebviewInfo : public Extension::ManifestData {
  public:
   // Define out of line constructor/destructor to please Clang.
-  WebviewInfo();
+  WebviewInfo(const std::string& extension_id);
   ~WebviewInfo() override;
 
-  // Returns true if the specified resource is web accessible.
-  static bool IsResourceWebviewAccessible(const Extension* extension,
-                                          const std::string& partition_id,
-                                          const std::string& relative_path);
+  // Returns true if the specified resource is web accessible and the extension
+  // matches the manifest's extension.
+  bool IsResourceWebviewAccessible(const Extension* extension,
+                                   const std::string& partition_id,
+                                   const std::string& relative_path) const;
 
   void AddPartitionItem(scoped_ptr<PartitionItem> item);
 
  private:
+  std::string extension_id_;
   ScopedVector<PartitionItem> partition_items_;
 };