From b32f2173f2b0bd1276e4c91b8cdddd494ce4742d Mon Sep 17 00:00:00 2001 From: "lazyboy@chromium.org" Date: Wed, 16 Apr 2014 18:25:16 +0000 Subject: Use default CSP for resource loading in webview (instead of platform app's CSP) <webview> loads page in an isolated context inside platform app and hosts drive-by web. Platform app's CSP is too restrictive for <webview>, so we stop using that CSP and use the default instead in this CL. BUG=363437 Test=Load a chrome app. Load a webview html from accessible resources. Make the webview page contain inline JS. Check that the JS loads. It didn't use to load w/o this CL. Review URL: https://codereview.chromium.org/237793003 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@264253 0039d316-1c4b-4281-b951-d872f2087c98 --- extensions/browser/extension_protocols.cc | 15 +++++++++++---- extensions/browser/extensions_browser_client.h | 4 ++++ extensions/browser/test_extensions_browser_client.cc | 5 +++++ extensions/browser/test_extensions_browser_client.h | 1 + 4 files changed, 21 insertions(+), 4 deletions(-) (limited to 'extensions') diff --git a/extensions/browser/extension_protocols.cc b/extensions/browser/extension_protocols.cc index 53315cb..bb61b25 100644 --- a/extensions/browser/extension_protocols.cc +++ b/extensions/browser/extension_protocols.cc 
@@ -411,17 +411,24 @@ ExtensionProtocolHandler::MaybeCreateJob( std::string content_security_policy; bool send_cors_header = false; bool follow_symlinks_anywhere = false; + if (extension) { std::string resource_path = request->url().path(); - content_security_policy = - extensions::CSPInfo::GetResourceContentSecurityPolicy(extension, - resource_path); + + // Use default CSP for . + if (!ExtensionsBrowserClient::Get()->IsWebViewRequest(request)) { + content_security_policy = + extensions::CSPInfo::GetResourceContentSecurityPolicy(extension, + resource_path); + } + if ((extension->manifest_version() >= 2 || extensions::WebAccessibleResourcesInfo::HasWebAccessibleResources( extension)) && extensions::WebAccessibleResourcesInfo::IsResourceWebAccessible( - extension, resource_path)) + extension, resource_path)) { send_cors_header = true; + } follow_symlinks_anywhere = (extension->creation_flags() & Extension::FOLLOW_SYMLINKS_ANYWHERE) diff --git a/extensions/browser/extensions_browser_client.h b/extensions/browser/extensions_browser_client.h index d7c02d9..e3b91b2 100644 --- a/extensions/browser/extensions_browser_client.h +++ b/extensions/browser/extensions_browser_client.h @@ -96,6 +96,10 @@ class ExtensionsBrowserClient { const extensions::Extension* extension, content::BrowserContext* context) const = 0; + // Returns true if |request| corresponds to a resource request from a + // . + virtual bool IsWebViewRequest(net::URLRequest* request) const = 0; + // Returns an URLRequestJob to load an extension resource from the embedder's // resource bundle (.pak) files. Returns NULL if the request is not for a // resource bundle resource or if the embedder does not support this feature. diff --git a/extensions/browser/test_extensions_browser_client.cc b/extensions/browser/test_extensions_browser_client.cc index 132ac19..6e919ea 100644 --- a/extensions/browser/test_extensions_browser_client.cc +++ b/extensions/browser/test_extensions_browser_client.cc 
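Review bot: The new `IsWebViewRequest(request)` branch in MaybeCreateJob drops the app's CSP for every extension resource a <webview> asks for, and nothing in this hunk ties the exemption to `resource_path` being one of the app's webview-accessible resources. If that gating is enforced earlier in the request path, the comment should say so; otherwise an app page that relies on its CSP could end up rendered without it inside a guest. It is also not visible here what an empty `content_security_policy` becomes downstream (a default policy or no header at all), so I would expand the comment to something like `// <webview> guests host arbitrary web content in an isolated context; skip the app's CSP here. Access to |resource_path| is restricted by <where>.` with the placeholder filled in. MaybeCreateJob starts and ends outside the hunk.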
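Review bot: The doc comment on `IsWebViewRequest` should state that its answer gates a security decision, since extension_protocols.cc now skips the app's CSP whenever it returns true. I would add a line such as `// Security-sensitive: callers relax the extension CSP when this is true, so it must not be derived from renderer-controlled request data.` The production implementation is not part of this diff (it is limited to 'extensions'), so this is a request to write the contract down, not a claim that it is violated. If implementations only read the request, `const net::URLRequest*` would also be the tighter parameter type.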
@@ -83,6 +83,11 @@ bool TestExtensionsBrowserClient::CanExtensionCrossIncognito( return false; } +bool TestExtensionsBrowserClient::IsWebViewRequest( + net::URLRequest* request) const { + return false; +} + net::URLRequestJob* TestExtensionsBrowserClient::MaybeCreateResourceBundleRequestJob( net::URLRequest* request, diff --git a/extensions/browser/test_extensions_browser_client.h b/extensions/browser/test_extensions_browser_client.h index ee3a625..f7401fe 100644 --- a/extensions/browser/test_extensions_browser_client.h +++ b/extensions/browser/test_extensions_browser_client.h @@ -42,6 +42,7 @@ class TestExtensionsBrowserClient : public ExtensionsBrowserClient { virtual bool CanExtensionCrossIncognito( const extensions::Extension* extension, content::BrowserContext* context) const OVERRIDE; + virtual bool IsWebViewRequest(net::URLRequest* request) const OVERRIDE; virtual net::URLRequestJob* MaybeCreateResourceBundleRequestJob( net::URLRequest* request, net::NetworkDelegate* network_delegate, -- cgit v1.1
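Review bot: `TestExtensionsBrowserClient::IsWebViewRequest` is hard-coded to `return false;`, so tests built on this client can only reach the non-webview path, and the new CSP-skipping branch in extension_protocols.cc has no automated coverage in this patch (the description lists manual steps only). A settable flag on the test client, defaulting to false, would let a protocol-handler test assert that a webview request is served without the app's CSP while an ordinary request still carries it.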