Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(1044)

Unified Diff: chrome/common/extensions/extension.cc

Issue 10863002: Added check to prevent extensions from injecting scrips into other extensions (Closed) Base URL: svn://svn.chromium.org/chrome/trunk/src
Patch Set: added test cases for self injection... and failed injection attempt Created 8 years, 4 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View side-by-side diff with in-line comments
Download patch
Index: chrome/common/extensions/extension.cc
diff --git a/chrome/common/extensions/extension.cc b/chrome/common/extensions/extension.cc
index aeda254063492cb5906fdddb529f9eca4ec454d4..daea76620e7be1352d4bf2558cc73580ab25b853 100644
--- a/chrome/common/extensions/extension.cc
+++ b/chrome/common/extensions/extension.cc
@@ -3575,6 +3575,7 @@ bool Extension::HasMultipleUISurfaces() const {
}
bool Extension::CanExecuteScriptOnPage(const GURL& page_url,
+ const GURL& top_frame_url,
int tab_id,
const UserScript* script,
std::string* error) const {
@@ -3598,6 +3599,12 @@ bool Extension::CanExecuteScriptOnPage(const GURL& page_url,
!CanExecuteScriptEverywhere())
return false;
+ if (top_frame_url.SchemeIs(chrome::kExtensionScheme) &&
+ top_frame_url.GetOrigin() !=
+ GetBaseURLFromExtensionId(id()).GetOrigin() &&
+ !CanExecuteScriptEverywhere())
+ return false;
+
// If a tab ID is specified, try the tab-specific permissions.
if (tab_id >= 0) {
scoped_refptr<const PermissionSet> tab_permissions =

Powered by Google App Engine
This is Rietveld 408576698