Extension resources should only load in contexts the extension has permission to access.

chrome/renderer/extensions/extension_resource_request_policy.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "chrome/renderer/extensions/extension_resource_request_policy.h"
 
 #include "base/command_line.h"
 #include "base/logging.h"
 #include "base/stringprintf.h"
 #include "chrome/common/chrome_switches.h"
@@ skipping 29 matching lines @@
   // launchers.
   std::string resource_root_relative_path =
       resource_url.path().empty() ? "" : resource_url.path().substr(1);
   if (extension->is_hosted_app() &&
       !extension->icons().ContainsPath(resource_root_relative_path)) {
     LOG(ERROR) << "Denying load of " << resource_url.spec() << " from "
                << "hosted app.";
     return false;
   }
 
-  // Disallow loading of extension resources which are not explicitely listed
-  // as web accessible if the manifest version is 2 or greater.
-  if (!extension->IsResourceWebAccessible(resource_url.path()) &&
-      !CommandLine::ForCurrentProcess()->HasSwitch(
-          switches::kDisableExtensionsResourceWhitelist)) {
-    GURL frame_url = frame->document().url();
-    GURL page_url = frame->top()->document().url();
+  GURL frame_url = frame->document().url();
+  GURL page_url = frame->top()->document().url();
 
-    // Exceptions are:
-    // - empty origin (needed for some edge cases when we have empty origins)
-    bool is_empty_origin = frame_url.is_empty();
-    // - extensions requesting their own resources (frame_url check is for
-    //     images, page_url check is for iframes)
-    bool is_own_resource = frame_url.GetOrigin() == extension->url() ||
-        page_url.GetOrigin() == extension->url();
-    // - devtools (chrome-extension:// URLs are loaded into frames of devtools
-    //     to support the devtools extension APIs)
-    bool is_dev_tools = page_url.SchemeIs(chrome::kChromeDevToolsScheme) &&
-        !extension->devtools_url().is_empty();
+  // Disallow loading of extension resources when one of the following
+  // conditions holds:
+  //
+  // 1.  The resource is not explicitly listed as a web accessible resource (and
+  //     the extension is manifest version 2+, and this check isn't disabled via
+  //     a command-line flag).
+  bool is_resource_web_accessible =
+      extension->IsResourceWebAccessible(resource_url.path()) ||

[Aaron Boodman, 2012/07/30 14:28:26]

The parenthetical comment about manifest v2+ is handled internally by
IsResourceWebAccessible, so you could simplify this:

The resource is not web accessible (and this check isn't disabled...)

[Mike West, 2012/07/31 09:25:06]

Done.

+      CommandLine::ForCurrentProcess()->HasSwitch(
+          switches::kDisableExtensionsResourceWhitelist);
 
-    if (!is_empty_origin && !is_own_resource && !is_dev_tools) {
+  // 2.  The resource is loaded into a context for which the extension has no
+  //     permission (e.g. resources from an extension with host permissions for
+  //     `evil.com` shouldn't be loaded into `example.com`).
+  bool is_access_permitted =
+      extension->GetEffectiveHostPermissions().MatchesURL(frame_url) ||
+      extension->GetEffectiveHostPermissions().MatchesURL(page_url);

[Aaron Boodman, 2012/07/30 14:28:26]

I don't think you should check page_url here.

[Aaron Boodman, 2012/07/30 14:28:26]

Can you test whether this seems to work with declared content scripts? That was
why it looks like we reverted the original CL.

[Mike West, 2012/07/31 09:25:06]

I think this is covered by the existing content_script API tests. It's probably
a good idea to have an explicit test here as well, though.

+
+  // Exceptions are made for the following cases for both of the above:
+  //
+  // 1.  Empty origins (needed for some edge cases when we have empty origins).
+  bool is_empty_origin = frame_url.is_empty();
+
+  // 2.  Extensions requesting their own resources (frame_url check is for
+  //     images, page_url check is for iframes).
+  bool is_own_resource = frame_url.GetOrigin() == extension->url() ||

[Aaron Boodman, 2012/07/30 14:28:26]

This looks wrong, but you didn't add it. Imagine the following:

root: a.com
frame: b.com
img: a.com

This code will decide that the request for a.com is_own_resource (because of of
the page_url check), but that doesn't seem right.

[Mike West, 2012/07/31 09:25:06]

As discussed, I've changed this logic to the following:

If `frame_url` is `about:blank`, and `frame` has a `parent()`, then we use the
parent instead of the frame for all the checks. This covers the case in which an
`iframe` (which starts it's life as `about:blank`) loads an extension resource.
In that case, we want to check that it's containing frame could load the
extension resource.

+      page_url.GetOrigin() == extension->url();
+
+  // 3.  Devtools (chrome-extension:// URLs are loaded into frames of devtools
+  //     to support the devtools extension APIs).
+  bool is_dev_tools = page_url.SchemeIs(chrome::kChromeDevToolsScheme) &&
+      !extension->devtools_url().is_empty();
+
+  // Exceptions are made to the host permission restriction for the following
+  // cases.
+  //
+  // 4.  `data:` origins.
+  bool is_data_origin = frame_url.SchemeIs(chrome::kDataScheme) ||
+      page_url.SchemeIs(chrome::kDataScheme);

[Aaron Boodman, 2012/07/30 14:28:26]

Again, don't think we should be checking page_url. Elsewhere in this file too.

[Mike West, 2012/07/31 09:25:06]

Done.

+
+  // 5.  `chrome-extension:` origins.
+  bool is_extension_origin = frame_url.SchemeIs(chrome::kExtensionScheme) ||
+      page_url.SchemeIs(chrome::kExtensionScheme);
+
+  if (!is_empty_origin && !is_own_resource && !is_dev_tools) {
+    if (!is_resource_web_accessible) {
       std::string message = base::StringPrintf(
           "Denying load of %s. Resources must be listed in the "
           "web_accessible_resources manifest key in order to be loaded by "
           "pages outside the extension.",
           resource_url.spec().c_str());
       frame->addMessageToConsole(
           WebKit::WebConsoleMessage(WebKit::WebConsoleMessage::LevelError,
                                     WebKit::WebString::fromUTF8(message)));
       return false;
     }
+
+    if (!is_access_permitted && !is_extension_origin && !is_data_origin) {
+      std::string message = base::StringPrintf(
+          "Denying load of %s. An extension's resources can only be loaded "
+          "into a page for which the extension has explicit host permissions.",
+          resource_url.spec().c_str(),
+          frame_url.spec().c_str(),
+          page_url.spec().c_str());
+      frame->addMessageToConsole(
+          WebKit::WebConsoleMessage(WebKit::WebConsoleMessage::LevelError,
+                                    WebKit::WebString::fromUTF8(message)));
+      return false;
+    }
   }
 
   return true;
 }
 
 // static
 bool ExtensionResourceRequestPolicy::CanRequestExtensionResourceScheme(
     const GURL& resource_url,
     WebKit::WebFrame* frame) {
   CHECK(resource_url.SchemeIs(chrome::kExtensionResourceScheme));
 
   GURL frame_url = frame->document().url();
   if (!frame_url.is_empty() &&
       !frame_url.SchemeIs(chrome::kExtensionScheme)) {
     std::string message = base::StringPrintf(
         "Denying load of %s. chrome-extension-resources:// can only be "
         "loaded from extensions.",
       resource_url.spec().c_str());
     frame->addMessageToConsole(
         WebKit::WebConsoleMessage(WebKit::WebConsoleMessage::LevelError,
                                   WebKit::WebString::fromUTF8(message)));
     return false;
   }
 
   return true;
 }
 
 ExtensionResourceRequestPolicy::ExtensionResourceRequestPolicy() {
 }