Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(13)

Side by Side Diff: chrome/common/extensions/extension.cc

Issue 10863002: Added check to prevent extensions from injecting scrips into other extensions (Closed) Base URL: svn://svn.chromium.org/chrome/trunk/src
Patch Set: added test cases for self injection... and failed injection attempt Created 8 years, 4 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View unified diff | Download patch | Annotate | Revision Log
OLDNEW
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be 2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file. 3 // found in the LICENSE file.
4 4
5 #include "chrome/common/extensions/extension.h" 5 #include "chrome/common/extensions/extension.h"
6 6
7 #include <ostream> 7 #include <ostream>
8 8
9 #include "base/base64.h" 9 #include "base/base64.h"
10 #include "base/basictypes.h" 10 #include "base/basictypes.h"
(...skipping 3557 matching lines...) Expand 10 before | Expand all | Expand 10 after
3568 if (browser_action()) 3568 if (browser_action())
3569 ++num_surfaces; 3569 ++num_surfaces;
3570 3570
3571 if (is_app()) 3571 if (is_app())
3572 ++num_surfaces; 3572 ++num_surfaces;
3573 3573
3574 return num_surfaces > 1; 3574 return num_surfaces > 1;
3575 } 3575 }
3576 3576
3577 bool Extension::CanExecuteScriptOnPage(const GURL& page_url, 3577 bool Extension::CanExecuteScriptOnPage(const GURL& page_url,
3578 const GURL& top_frame_url,
3578 int tab_id, 3579 int tab_id,
3579 const UserScript* script, 3580 const UserScript* script,
3580 std::string* error) const { 3581 std::string* error) const {
3581 base::AutoLock auto_lock(runtime_data_lock_); 3582 base::AutoLock auto_lock(runtime_data_lock_);
3582 // The gallery is special-cased as a restricted URL for scripting to prevent 3583 // The gallery is special-cased as a restricted URL for scripting to prevent
3583 // access to special JS bindings we expose to the gallery (and avoid things 3584 // access to special JS bindings we expose to the gallery (and avoid things
3584 // like extensions removing the "report abuse" link). 3585 // like extensions removing the "report abuse" link).
3585 // TODO(erikkay): This seems like the wrong test. Shouldn't we we testing 3586 // TODO(erikkay): This seems like the wrong test. Shouldn't we we testing
3586 // against the store app extent? 3587 // against the store app extent?
3587 GURL store_url(extension_urls::GetWebstoreLaunchURL()); 3588 GURL store_url(extension_urls::GetWebstoreLaunchURL());
3588 if ((page_url.host() == store_url.host()) && 3589 if ((page_url.host() == store_url.host()) &&
3589 !CanExecuteScriptEverywhere() && 3590 !CanExecuteScriptEverywhere() &&
3590 !CommandLine::ForCurrentProcess()->HasSwitch( 3591 !CommandLine::ForCurrentProcess()->HasSwitch(
3591 switches::kAllowScriptingGallery)) { 3592 switches::kAllowScriptingGallery)) {
3592 if (error) 3593 if (error)
3593 *error = errors::kCannotScriptGallery; 3594 *error = errors::kCannotScriptGallery;
3594 return false; 3595 return false;
3595 } 3596 }
3596 3597
3597 if (page_url.SchemeIs(chrome::kChromeUIScheme) && 3598 if (page_url.SchemeIs(chrome::kChromeUIScheme) &&
3598 !CanExecuteScriptEverywhere()) 3599 !CanExecuteScriptEverywhere())
3599 return false; 3600 return false;
3600 3601
3602 if (top_frame_url.SchemeIs(chrome::kExtensionScheme) &&
3603 top_frame_url.GetOrigin() !=
3604 GetBaseURLFromExtensionId(id()).GetOrigin() &&
3605 !CanExecuteScriptEverywhere())
3606 return false;
3607
3601 // If a tab ID is specified, try the tab-specific permissions. 3608 // If a tab ID is specified, try the tab-specific permissions.
3602 if (tab_id >= 0) { 3609 if (tab_id >= 0) {
3603 scoped_refptr<const PermissionSet> tab_permissions = 3610 scoped_refptr<const PermissionSet> tab_permissions =
3604 runtime_data_.GetTabSpecificPermissions(tab_id); 3611 runtime_data_.GetTabSpecificPermissions(tab_id);
3605 if (tab_permissions.get() && 3612 if (tab_permissions.get() &&
3606 tab_permissions->explicit_hosts().MatchesSecurityOrigin(page_url)) { 3613 tab_permissions->explicit_hosts().MatchesSecurityOrigin(page_url)) {
3607 return true; 3614 return true;
3608 } 3615 }
3609 } 3616 }
3610 3617
(...skipping 315 matching lines...) Expand 10 before | Expand all | Expand 10 after
3926 3933
3927 UpdatedExtensionPermissionsInfo::UpdatedExtensionPermissionsInfo( 3934 UpdatedExtensionPermissionsInfo::UpdatedExtensionPermissionsInfo(
3928 const Extension* extension, 3935 const Extension* extension,
3929 const PermissionSet* permissions, 3936 const PermissionSet* permissions,
3930 Reason reason) 3937 Reason reason)
3931 : reason(reason), 3938 : reason(reason),
3932 extension(extension), 3939 extension(extension),
3933 permissions(permissions) {} 3940 permissions(permissions) {}
3934 3941
3935 } // namespace extensions 3942 } // namespace extensions
OLDNEW

Powered by Google App Engine
This is Rietveld 408576698