From c1abb3237596e83cc12639d5b9e7607b67ae77f2 Mon Sep 17 00:00:00 2001
From: "kalman@chromium.org"
Date: Wed, 30 Jul 2014 18:28:39 +0000
Subject: Allow restricting WebUI-enabled extension APIs to URL patterns.
BUG=391944
R=rockot@chromium.org, jschuh@chromium.org
Review URL: https://codereview.chromium.org/422433005
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@286564 0039d316-1c4b-4281-b951-d872f2087c98
---
 extensions/common/features/simple_feature.cc | 13 ++++++++++---
 1 file changed, 10 insertions(+), 3 deletions(-)
(limited to 'extensions/common/features')
diff --git a/extensions/common/features/simple_feature.cc b/extensions/common/features/simple_feature.cc
index bdf8fae..e623bcf 100644
--- a/extensions/common/features/simple_feature.cc
+++ b/extensions/common/features/simple_feature.cc
@@ -291,8 +291,8 @@ std::string SimpleFeature::Parse(const base::DictionaryValue* value) {
 &component_extensions_auto_granted_);
 
 // NOTE: ideally we'd sanity check that "matches" can be specified if and
- // only if there's a "web_page" context, but without (Simple)Features being
- // aware of their own heirarchy this is impossible.
+ // only if there's a "web_page" or "webui" context, but without
+ // (Simple)Features being aware of their own heirarchy this is impossible.
 //
 // For example, we might have feature "foo" available to "web_page" context
 // and "matches" google.com/*. Then a sub-feature "foo.bar" might override
@@ -402,8 +402,13 @@ Feature::Availability SimpleFeature::IsAvailableToContext(
 if (!contexts_.empty() && contexts_.find(context) == contexts_.end())
 return CreateAvailability(INVALID_CONTEXT, context);
 
- if (context == WEB_PAGE_CONTEXT && !matches_.MatchesURL(url))
+ // TODO(kalman): Consider checking |matches_| regardless of context type.
+ // Fewer surprises, and if the feature configuration wants to isolate
+ // "matches" from say "blessed_extension" then they can use complex features.
+ if ((context == WEB_PAGE_CONTEXT || context == WEBUI_CONTEXT) &&
+ !matches_.MatchesURL(url)) {
 return CreateAvailability(INVALID_URL, url);
+ }
 
 for (FilterList::const_iterator filter_iter = filters_.begin();
 filter_iter != filters_.end();
@@ -414,6 +419,8 @@ Feature::Availability SimpleFeature::IsAvailableToContext(
 return availability;
 }
 
+ // TODO(kalman): Assert that if the context was a webpage or WebUI context
+ // then at some point a "matches" restriction was checked.
 return CheckDependencies(base::Bind(
 &IsAvailableToContextForBind, extension, context, url, platform));
 }
-- 
cgit v1.1
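Review bot: The widened `matches_` check in IsAvailableToContext fails closed for WebUI only if an empty pattern set matches nothing, and the hunk neither states that intent nor shows a test for it. If `matches_.MatchesURL(url)` returns false when no "matches" was parsed (its implementation is not visible here), every "webui" feature declared without "matches" now gets INVALID_URL, so the feature definitions and a unit test for WEBUI_CONTEXT (matching URL, non-matching URL, no "matches" at all) belong with this change; the page is limited to extensions/common/features, so they may exist outside this view. I would record the intent above the condition: `// An empty |matches_| matches no URL, so a "webui" feature must list "matches" to be available.` The restriction is also only as strong as the `url` the caller passes in, and where that value comes from is outside the hunk. The function body starts and ends outside the hunk.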