Refactor guest view availability to be API based not permission based.

This is a step towards allowing WebUI to directly embed guest views. 

BUG=386838
R=fsamuel@chromium.org

Review URL: https://codereview.chromium.org/426593007

git-svn-id: svn://svn.chromium.org/chrome/trunk/src@288407 0039d316-1c4b-4281-b951-d872f2087c98

5 files changed, 28 insertions, 14 deletions

diff --git a/extensions/browser/event_router.cc b/extensions/browser/event_router.cc
index 1feb1ca..d006d1e 100644
--- a/extensions/browser/event_router.cc
+++ b/extensions/browser/event_router.cc
@@ -539,7 +539,8 @@ void EventRouter::DispatchEventToProcess(const std::string& extension_id,
   BrowserContext* listener_context = process->GetBrowserContext();
   ProcessMap* process_map = ProcessMap::Get(listener_context);
 
-  // TODO(kalman): Convert this method to use ProcessMap::GuessContextType.
+  // TODO(kalman): Convert this method to use
+  // ProcessMap::GetMostLikelyContextType.
 
   const Extension* extension =
       ExtensionRegistry::Get(browser_context_)->enabled_extensions().GetByID(
diff --git a/extensions/browser/extension_function_dispatcher.cc b/extensions/browser/extension_function_dispatcher.cc
index b26ef2d..4dfb7fe 100644
--- a/extensions/browser/extension_function_dispatcher.cc
+++ b/extensions/browser/extension_function_dispatcher.cc
@@ -455,7 +455,7 @@ ExtensionFunction* ExtensionFunctionDispatcher::CreateExtensionFunction(
   function->set_response_callback(callback);
   function->set_source_tab_id(params.source_tab_id);
   function->set_source_context_type(
-      process_map.GuessContextType(extension, requesting_process_id));
+      process_map.GetMostLikelyContextType(extension, requesting_process_id));
 
   return function;
 }
diff --git a/extensions/browser/process_map.cc b/extensions/browser/process_map.cc
index 12fb538..0850bc6 100644
--- a/extensions/browser/process_map.cc
+++ b/extensions/browser/process_map.cc
@@ -123,8 +123,9 @@ std::set<std::string> ProcessMap::GetExtensionsInProcess(int process_id) const {
   return result;
 }
 
-Feature::Context ProcessMap::GuessContextType(const Extension* extension,
-                                              int process_id) const {
+Feature::Context ProcessMap::GetMostLikelyContextType(
+    const Extension* extension,
+    int process_id) const {
   // WARNING: This logic must match Dispatcher::ClassifyJavaScriptContext, as
   // much as possible.
 
diff --git a/extensions/browser/process_map.h b/extensions/browser/process_map.h
index d7ae8b3..731bf4f8 100644
--- a/extensions/browser/process_map.h
+++ b/extensions/browser/process_map.h
@@ -95,24 +95,36 @@ class ProcessMap : public KeyedService {
 
   std::set<std::string> GetExtensionsInProcess(int process_id) const;
 
-  // Guesses the most permissive context type for the process with ID
-  // |process_id|. Context types are renderer (JavaScript) concepts but the
-  // browser can do a decent job in guessing what the process hosts.
+  // Gets the most likely context type for the process with ID |process_id|
+  // which hosts Extension |extension|, if any (may be NULL). Context types are
+  // renderer (JavaScript) concepts but the browser can do a decent job in
+  // guessing what the process hosts.
   //
+  // |extension| is the funky part - unfortunately we need to trust the
+  // caller of this method to be correct that indeed the context does feature
+  // an extension. This matters for iframes, where an extension could be
+  // hosted in another extension's process (privilege level needs to be
+  // downgraded) or in a web page's process (privilege level needs to be
+  // upgraded).
+  //
+  // The latter of these is slightly problematic from a security perspective;
+  // if a web page renderer gets owned it could try to pretend it's an
+  // extension and get access to some unprivileged APIs. Luckly, when OOP
+  // iframes lauch, it won't be an issue.
+  //
+  // Anyhow, the expected behaviour is:
   //   - For hosted app processes, this will be blessed_web_page.
   //   - For other extension processes, this will be blessed_extension.
   //   - For WebUI processes, this will be a webui.
-  //   - For anything else we have the choice of unblessed_extension or
+  //   - For any other extension we have the choice of unblessed_extension or
   //     content_script. Since content scripts are more common, guess that.
   //     We *could* in theory track which web processes have extension frames
   //     in them, and those would be unblessed_extension, but we don't at the
   //     moment, and once OOP iframes exist then there won't even be such a
   //     thing as an unblessed_extension context.
-  //
-  // |extension| isn't used to upgrade the process trust level, but rather used
-  // as a tiebreaker if a process is found to contain multiple extensions.
-  Feature::Context GuessContextType(const Extension* extension,
-                                    int process_id) const;
+  //   - For anything else, web_page.
+  Feature::Context GetMostLikelyContextType(const Extension* extension,
+                                            int process_id) const;
 
  private:
   struct Item;
diff --git a/extensions/renderer/dispatcher.cc b/extensions/renderer/dispatcher.cc
index 130f585..f09d5fd 100644
--- a/extensions/renderer/dispatcher.cc
+++ b/extensions/renderer/dispatcher.cc
@@ -1174,7 +1174,7 @@ Feature::Context Dispatcher::ClassifyJavaScriptContext(
     int extension_group,
     const GURL& url,
     const blink::WebSecurityOrigin& origin) {
-  // WARNING: This logic must match ProcessMap::GuessContextType, as much as
+  // WARNING: This logic must match ProcessMap::GetContextType, as much as
   // possible.
 
   DCHECK_GE(extension_group, 0);