1 // Copyright 2015 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
5 #include "extensions/renderer/extension_injection_host.h"
7 #include "content/public/renderer/render_frame.h"
8 #include "extensions/common/constants.h"
9 #include "extensions/common/manifest_handlers/csp_info.h"
10 #include "extensions/renderer/renderer_extension_registry.h"
11 #include "third_party/WebKit/public/platform/WebSecurityOrigin.h"
12 #include "third_party/WebKit/public/web/WebLocalFrame.h"
14 namespace extensions
{
16 ExtensionInjectionHost::ExtensionInjectionHost(
17 const Extension
* extension
)
18 : InjectionHost(HostID(HostID::EXTENSIONS
, extension
->id())),
19 extension_(extension
) {
22 ExtensionInjectionHost::~ExtensionInjectionHost() {
26 scoped_ptr
<const InjectionHost
> ExtensionInjectionHost::Create(
27 const std::string
& extension_id
) {
28 const Extension
* extension
=
29 RendererExtensionRegistry::Get()->GetByID(extension_id
);
31 return scoped_ptr
<const ExtensionInjectionHost
>();
32 return scoped_ptr
<const ExtensionInjectionHost
>(
33 new ExtensionInjectionHost(extension
));
36 std::string
ExtensionInjectionHost::GetContentSecurityPolicy() const {
37 return CSPInfo::GetContentSecurityPolicy(extension_
);
40 const GURL
& ExtensionInjectionHost::url() const {
41 return extension_
->url();
44 const std::string
& ExtensionInjectionHost::name() const {
45 return extension_
->name();
48 PermissionsData::AccessType
ExtensionInjectionHost::CanExecuteOnFrame(
49 const GURL
& document_url
,
50 content::RenderFrame
* render_frame
,
52 bool is_declarative
) const {
53 blink::WebSecurityOrigin top_frame_security_origin
=
54 render_frame
->GetWebFrame()->top()->securityOrigin();
55 // Only whitelisted extensions may run scripts on another extension's page.
56 if (top_frame_security_origin
.protocol().utf8() == kExtensionScheme
&&
57 top_frame_security_origin
.host().utf8() != extension_
->id() &&
58 !PermissionsData::CanExecuteScriptEverywhere(extension_
))
59 return PermissionsData::ACCESS_DENIED
;
61 // Declarative user scripts use "page access" (from "permissions" section in
62 // manifest) whereas non-declarative user scripts use custom
63 // "content script access" logic.
64 PermissionsData::AccessType access
= PermissionsData::ACCESS_ALLOWED
;
66 access
= extension_
->permissions_data()->GetPageAccess(
71 nullptr /* ignore error */);
73 access
= extension_
->permissions_data()->GetContentScriptAccess(
78 nullptr /* ignore error */);
80 if (access
== PermissionsData::ACCESS_WITHHELD
&&
81 (tab_id
== -1 || render_frame
->GetWebFrame()->parent())) {
82 // Note: we don't consider ACCESS_WITHHELD for child frames or for frames
83 // outside of tabs because there is nowhere to surface a request.
84 // TODO(devlin): We should ask for permission somehow. crbug.com/491402.
85 access
= PermissionsData::ACCESS_DENIED
;
90 bool ExtensionInjectionHost::ShouldNotifyBrowserOfInjection() const {
91 // We notify the browser of any injection if the extension has no withheld
92 // permissions (i.e., the permissions weren't restricted), but would have
93 // otherwise been affected by the scripts-require-action feature.
94 return extension_
->permissions_data()->withheld_permissions()->IsEmpty() &&
95 PermissionsData::ScriptsMayRequireActionForExtension(
97 extension_
->permissions_data()->active_permissions().get());
100 } // namespace extensions
