extensions/renderer/extension_injection_host.cc

   1 // Copyright 2015 The Chromium Authors. All rights reserved.
   2 // Use of this source code is governed by a BSD-style license that can be
   3 // found in the LICENSE file.
   4
   5 #include "extensions/renderer/extension_injection_host.h"
   6
   7 #include "content/public/renderer/render_frame.h"
   8 #include "extensions/common/constants.h"
   9 #include "extensions/common/manifest_handlers/csp_info.h"
  10 #include "extensions/renderer/renderer_extension_registry.h"
  11 #include "third_party/WebKit/public/platform/WebSecurityOrigin.h"
  12 #include "third_party/WebKit/public/web/WebLocalFrame.h"
  13
  14 namespace extensions {
  15
  16 ExtensionInjectionHost::ExtensionInjectionHost(
  17     const Extension* extension)
  18     : InjectionHost(HostID(HostID::EXTENSIONS, extension->id())),
  19       extension_(extension) {
  20 }
  21
  22 ExtensionInjectionHost::~ExtensionInjectionHost() {
  23 }
  24
  25 // static
  26 scoped_ptr<const InjectionHost> ExtensionInjectionHost::Create(
  27     const std::string& extension_id) {
  28   const Extension* extension =
  29       RendererExtensionRegistry::Get()->GetByID(extension_id);
  30   if (!extension)
  31     return scoped_ptr<const ExtensionInjectionHost>();
  32   return scoped_ptr<const ExtensionInjectionHost>(
  33       new ExtensionInjectionHost(extension));
  34 }
  35
  36 std::string ExtensionInjectionHost::GetContentSecurityPolicy() const {
  37   return CSPInfo::GetContentSecurityPolicy(extension_);
  38 }
  39
  40 const GURL& ExtensionInjectionHost::url() const {
  41   return extension_->url();
  42 }
  43
  44 const std::string& ExtensionInjectionHost::name() const {
  45   return extension_->name();
  46 }
  47
  48 PermissionsData::AccessType ExtensionInjectionHost::CanExecuteOnFrame(
  49     const GURL& document_url,
  50     content::RenderFrame* render_frame,
  51     int tab_id,
  52     bool is_declarative) const {
  53   // If we don't have a tab id, we have no UI surface to ask for user consent.
  54   // For now, we treat this as an automatic allow.
  55   if (tab_id == -1)
  56     return PermissionsData::ACCESS_ALLOWED;
  57
  58   blink::WebSecurityOrigin top_frame_security_origin =
  59       render_frame->GetWebFrame()->top()->securityOrigin();
  60   // Only whitelisted extensions may run scripts on another extension's page.
  61   if (top_frame_security_origin.protocol().utf8() == kExtensionScheme &&
  62       top_frame_security_origin.host().utf8() != extension_->id() &&
  63       !PermissionsData::CanExecuteScriptEverywhere(extension_))
  64     return PermissionsData::ACCESS_DENIED;
  65
  66   // Declarative user scripts use "page access" (from "permissions" section in
  67   // manifest) whereas non-declarative user scripts use custom
  68   // "content script access" logic.
  69   if (is_declarative) {
  70     return extension_->permissions_data()->GetPageAccess(
  71         extension_,
  72         document_url,
  73         tab_id,
  74         -1,  // no process id
  75         nullptr /* ignore error */);
  76   } else {
  77     return extension_->permissions_data()->GetContentScriptAccess(
  78         extension_,
  79         document_url,
  80         tab_id,
  81         -1,  // no process id
  82         nullptr /* ignore error */);
  83   }
  84 }
  85
  86 bool ExtensionInjectionHost::ShouldNotifyBrowserOfInjection() const {
  87   // We notify the browser of any injection if the extension has no withheld
  88   // permissions (i.e., the permissions weren't restricted), but would have
  89   // otherwise been affected by the scripts-require-action feature.
  90   return extension_->permissions_data()->withheld_permissions()->IsEmpty() &&
  91          PermissionsData::ScriptsMayRequireActionForExtension(
  92              extension_,
  93              extension_->permissions_data()->active_permissions().get());
  94 }
  95
  96 }  // namespace extensions