search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Only grant permissions to new extensions from sync if they have the expected version
[chromium-blink-merge.git] / extensions / renderer / script_context.cc
blob71a9d182608cc7803f9904367ebed453a728a7ba
1 // Copyright 2014 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
4
5 #include "extensions/renderer/script_context.h"
6
7 #include "base/logging.h"
8 #include "base/memory/scoped_ptr.h"
9 #include "base/strings/string_split.h"
10 #include "base/strings/string_util.h"
11 #include "base/strings/stringprintf.h"
12 #include "base/values.h"
13 #include "content/public/child/v8_value_converter.h"
14 #include "content/public/common/url_constants.h"
15 #include "content/public/renderer/render_frame.h"
16 #include "extensions/common/constants.h"
17 #include "extensions/common/extension.h"
18 #include "extensions/common/extension_api.h"
19 #include "extensions/common/extension_urls.h"
20 #include "extensions/common/features/base_feature_provider.h"
21 #include "extensions/common/manifest_handlers/sandboxed_page_info.h"
22 #include "extensions/common/permissions/permissions_data.h"
23 #include "extensions/renderer/renderer_extension_registry.h"
24 #include "extensions/renderer/v8_helpers.h"
25 #include "gin/per_context_data.h"
26 #include "third_party/WebKit/public/web/WebDataSource.h"
27 #include "third_party/WebKit/public/web/WebDocument.h"
28 #include "third_party/WebKit/public/web/WebFrame.h"
29 #include "third_party/WebKit/public/web/WebLocalFrame.h"
30 #include "third_party/WebKit/public/web/WebScopedMicrotaskSuppression.h"
31 #include "third_party/WebKit/public/web/WebSecurityOrigin.h"
32 #include "third_party/WebKit/public/web/WebView.h"
33 #include "v8/include/v8.h"
34
35 using content::V8ValueConverter;
36
37 namespace extensions {
38
39 namespace {
40
41 std::string GetContextTypeDescriptionString(Feature::Context context_type) {
42 switch (context_type) {
43 case Feature::UNSPECIFIED_CONTEXT:
44 return "UNSPECIFIED";
45 case Feature::BLESSED_EXTENSION_CONTEXT:
46 return "BLESSED_EXTENSION";
47 case Feature::UNBLESSED_EXTENSION_CONTEXT:
48 return "UNBLESSED_EXTENSION";
49 case Feature::CONTENT_SCRIPT_CONTEXT:
50 return "CONTENT_SCRIPT";
51 case Feature::WEB_PAGE_CONTEXT:
52 return "WEB_PAGE";
53 case Feature::BLESSED_WEB_PAGE_CONTEXT:
54 return "BLESSED_WEB_PAGE";
55 case Feature::WEBUI_CONTEXT:
56 return "WEBUI";
57 case Feature::SERVICE_WORKER_CONTEXT:
58 return "SERVICE_WORKER";
59 }
60 NOTREACHED();
61 return std::string();
62 }
63
64 static std::string ToStringOrDefault(
65 const v8::Local<v8::String>& v8_string,
66 const std::string& dflt) {
67 if (v8_string.IsEmpty())
68 return dflt;
69 std::string ascii_value = *v8::String::Utf8Value(v8_string);
70 return ascii_value.empty() ? dflt : ascii_value;
71 }
72
73 } // namespace
74
75 // A gin::Runner that delegates to its ScriptContext.
76 class ScriptContext::Runner : public gin::Runner {
77 public:
78 explicit Runner(ScriptContext* context);
79
80 // gin::Runner overrides.
81 void Run(const std::string& source,
82 const std::string& resource_name) override;
83 v8::Local<v8::Value> Call(v8::Local<v8::Function> function,
84 v8::Local<v8::Value> receiver,
85 int argc,
86 v8::Local<v8::Value> argv[]) override;
87 gin::ContextHolder* GetContextHolder() override;
88
89 private:
90 ScriptContext* context_;
91 };
92
93 ScriptContext::ScriptContext(const v8::Local<v8::Context>& v8_context,
94 blink::WebLocalFrame* web_frame,
95 const Extension* extension,
96 Feature::Context context_type,
97 const Extension* effective_extension,
98 Feature::Context effective_context_type)
99 : is_valid_(true),
100 v8_context_(v8_context->GetIsolate(), v8_context),
101 web_frame_(web_frame),
102 extension_(extension),
103 context_type_(context_type),
104 effective_extension_(effective_extension),
105 effective_context_type_(effective_context_type),
106 safe_builtins_(this),
107 isolate_(v8_context->GetIsolate()),
108 url_(web_frame_ ? GetDataSourceURLForFrame(web_frame_) : GURL()),
109 runner_(new Runner(this)) {
110 VLOG(1) << "Created context:\n" << GetDebugString();
111 gin::PerContextData* gin_data = gin::PerContextData::From(v8_context);
112 CHECK(gin_data);
113 gin_data->set_runner(runner_.get());
114 }
115
116 ScriptContext::~ScriptContext() {
117 VLOG(1) << "Destroyed context for extension\n"
118 << " extension id: " << GetExtensionID() << "\n"
119 << " effective extension id: "
120 << (effective_extension_.get() ? effective_extension_->id() : "");
121 CHECK(!is_valid_) << "ScriptContexts must be invalidated before destruction";
122 }
123
124 // static
125 bool ScriptContext::IsSandboxedPage(const GURL& url) {
126 // TODO(kalman): This is checking the wrong thing. See comment in
127 // HasAccessOrThrowError.
128 if (url.SchemeIs(kExtensionScheme)) {
129 const Extension* extension =
130 RendererExtensionRegistry::Get()->GetByID(url.host());
131 if (extension) {
132 return SandboxedPageInfo::IsSandboxedPage(extension, url.path());
133 }
134 }
135 return false;
136 }
137
138 void ScriptContext::Invalidate() {
139 CHECK(is_valid_);
140 is_valid_ = false;
141
142 // TODO(kalman): Make ModuleSystem use AddInvalidationObserver.
143 // Ownership graph is a bit weird here.
144 if (module_system_)
145 module_system_->Invalidate();
146
147 // Swap |invalidate_observers_| to a local variable to clear it, and to make
148 // sure it's not mutated as we iterate.
149 std::vector<base::Closure> observers;
150 observers.swap(invalidate_observers_);
151 for (const base::Closure& observer : observers) {
152 observer.Run();
153 }
154 DCHECK(invalidate_observers_.empty())
155 << "Invalidation observers cannot be added during invalidation";
156
157 runner_.reset();
158 v8_context_.Reset();
159 }
160
161 void ScriptContext::AddInvalidationObserver(const base::Closure& observer) {
162 invalidate_observers_.push_back(observer);
163 }
164
165 const std::string& ScriptContext::GetExtensionID() const {
166 return extension_.get() ? extension_->id() : base::EmptyString();
167 }
168
169 content::RenderFrame* ScriptContext::GetRenderFrame() const {
170 if (web_frame_)
171 return content::RenderFrame::FromWebFrame(web_frame_);
172 return NULL;
173 }
174
175 v8::Local<v8::Value> ScriptContext::CallFunction(
176 const v8::Local<v8::Function>& function,
177 int argc,
178 v8::Local<v8::Value> argv[]) const {
179 v8::EscapableHandleScope handle_scope(isolate());
180 v8::Context::Scope scope(v8_context());
181
182 blink::WebScopedMicrotaskSuppression suppression;
183 if (!is_valid_) {
184 return handle_scope.Escape(
185 v8::Local<v8::Primitive>(v8::Undefined(isolate())));
186 }
187
188 v8::Local<v8::Object> global = v8_context()->Global();
189 if (!web_frame_)
190 return handle_scope.Escape(function->Call(global, argc, argv));
191 return handle_scope.Escape(
192 v8::Local<v8::Value>(web_frame_->callFunctionEvenIfScriptDisabled(
193 function, global, argc, argv)));
194 }
195
196 v8::Local<v8::Value> ScriptContext::CallFunction(
197 const v8::Local<v8::Function>& function) const {
198 return CallFunction(function, 0, nullptr);
199 }
200
201 Feature::Availability ScriptContext::GetAvailability(
202 const std::string& api_name) {
203 // Hack: Hosted apps should have the availability of messaging APIs based on
204 // the URL of the page (which might have access depending on some extension
205 // with externally_connectable), not whether the app has access to messaging
206 // (which it won't).
207 const Extension* extension = extension_.get();
208 if (extension && extension->is_hosted_app() &&
209 (api_name == "runtime.connect" || api_name == "runtime.sendMessage")) {
210 extension = NULL;
211 }
212 return ExtensionAPI::GetSharedInstance()->IsAvailable(
213 api_name, extension, context_type_, GetURL());
214 }
215
216 void ScriptContext::DispatchEvent(const char* event_name,
217 v8::Local<v8::Array> args) const {
218 v8::HandleScope handle_scope(isolate());
219 v8::Context::Scope context_scope(v8_context());
220
221 v8::Local<v8::Value> argv[] = {v8::String::NewFromUtf8(isolate(), event_name),
222 args};
223 module_system_->CallModuleMethod(
224 kEventBindings, "dispatchEvent", arraysize(argv), argv);
225 }
226
227 void ScriptContext::DispatchOnUnloadEvent() {
228 v8::HandleScope handle_scope(isolate());
229 v8::Context::Scope context_scope(v8_context());
230 module_system_->CallModuleMethod("unload_event", "dispatch");
231 }
232
233 std::string ScriptContext::GetContextTypeDescription() const {
234 return GetContextTypeDescriptionString(context_type_);
235 }
236
237 std::string ScriptContext::GetEffectiveContextTypeDescription() const {
238 return GetContextTypeDescriptionString(effective_context_type_);
239 }
240
241 GURL ScriptContext::GetURL() const {
242 return url_;
243 }
244
245 bool ScriptContext::IsAnyFeatureAvailableToContext(const Feature& api) {
246 return ExtensionAPI::GetSharedInstance()->IsAnyFeatureAvailableToContext(
247 api, extension(), context_type(), GetDataSourceURLForFrame(web_frame()));
248 }
249
250 // static
251 GURL ScriptContext::GetDataSourceURLForFrame(const blink::WebFrame* frame) {
252 // Normally we would use frame->document().url() to determine the document's
253 // URL, but to decide whether to inject a content script, we use the URL from
254 // the data source. This "quirk" helps prevents content scripts from
255 // inadvertently adding DOM elements to the compose iframe in Gmail because
256 // the compose iframe's dataSource URL is about:blank, but the document URL
257 // changes to match the parent document after Gmail document.writes into
258 // it to create the editor.
259 // http://code.google.com/p/chromium/issues/detail?id=86742
260 blink::WebDataSource* data_source = frame->provisionalDataSource()
261 ? frame->provisionalDataSource()
262 : frame->dataSource();
263 return data_source ? GURL(data_source->request().url()) : GURL();
264 }
265
266 // static
267 GURL ScriptContext::GetEffectiveDocumentURL(const blink::WebFrame* frame,
268 const GURL& document_url,
269 bool match_about_blank) {
270 // Common scenario. If |match_about_blank| is false (as is the case in most
271 // extensions), or if the frame is not an about:-page, just return
272 // |document_url| (supposedly the URL of the frame).
273 if (!match_about_blank || !document_url.SchemeIs(url::kAboutScheme))
274 return document_url;
275
276 // Non-sandboxed about:blank and about:srcdoc pages inherit their security
277 // origin from their parent frame/window. So, traverse the frame/window
278 // hierarchy to find the closest non-about:-page and return its URL.
279 const blink::WebFrame* parent = frame;
280 do {
281 parent = parent->parent() ? parent->parent() : parent->opener();
282 } while (parent != NULL && !parent->document().isNull() &&
283 GURL(parent->document().url()).SchemeIs(url::kAboutScheme));
284
285 if (parent && !parent->document().isNull()) {
286 // Only return the parent URL if the frame can access it.
287 const blink::WebDocument& parent_document = parent->document();
288 if (frame->document().securityOrigin().canAccess(
289 parent_document.securityOrigin()))
290 return parent_document.url();
291 }
292 return document_url;
293 }
294
295 ScriptContext* ScriptContext::GetContext() { return this; }
296
297 void ScriptContext::OnResponseReceived(const std::string& name,
298 int request_id,
299 bool success,
300 const base::ListValue& response,
301 const std::string& error) {
302 v8::HandleScope handle_scope(isolate());
303
304 scoped_ptr<V8ValueConverter> converter(V8ValueConverter::create());
305 v8::Local<v8::Value> argv[] = {
306 v8::Integer::New(isolate(), request_id),
307 v8::String::NewFromUtf8(isolate(), name.c_str()),
308 v8::Boolean::New(isolate(), success),
309 converter->ToV8Value(&response,
310 v8::Local<v8::Context>::New(isolate(), v8_context_)),
311 v8::String::NewFromUtf8(isolate(), error.c_str())};
312
313 v8::Local<v8::Value> retval = module_system()->CallModuleMethod(
314 "sendRequest", "handleResponse", arraysize(argv), argv);
315
316 // In debug, the js will validate the callback parameters and return a
317 // string if a validation error has occured.
318 DCHECK(retval.IsEmpty() || retval->IsUndefined())
319 << *v8::String::Utf8Value(retval);
320 }
321
322 void ScriptContext::SetContentCapabilities(
323 const APIPermissionSet& permissions) {
324 content_capabilities_ = permissions;
325 }
326
327 bool ScriptContext::HasAPIPermission(APIPermission::ID permission) const {
328 if (effective_extension_.get()) {
329 return effective_extension_->permissions_data()->HasAPIPermission(
330 permission);
331 } else if (context_type() == Feature::WEB_PAGE_CONTEXT) {
332 // Only web page contexts may be granted content capabilities. Other
333 // contexts are either privileged WebUI or extensions with their own set of
334 // permissions.
335 if (content_capabilities_.find(permission) != content_capabilities_.end())
336 return true;
337 }
338 return false;
339 }
340
341 bool ScriptContext::HasAccessOrThrowError(const std::string& name) {
342 // Theoretically[1] we could end up with bindings being injected into
343 // sandboxed frames, for example content scripts. Don't let them execute API
344 // functions.
345 //
346 // In any case, this check is silly. The frame's document's security origin
347 // already tells us if it's sandboxed. The only problem is that until
348 // crbug.com/466373 is fixed, we don't know the security origin up-front and
349 // may not know it here, either.
350 //
351 // [1] citation needed. This ScriptContext should already be in a state that
352 // doesn't allow this, from ScriptContextSet::ClassifyJavaScriptContext.
353 if (extension() &&
354 SandboxedPageInfo::IsSandboxedPage(extension(), url_.path())) {
355 static const char kMessage[] =
356 "%s cannot be used within a sandboxed frame.";
357 std::string error_msg = base::StringPrintf(kMessage, name.c_str());
358 isolate()->ThrowException(v8::Exception::Error(
359 v8::String::NewFromUtf8(isolate(), error_msg.c_str())));
360 return false;
361 }
362
363 Feature::Availability availability = GetAvailability(name);
364 if (!availability.is_available()) {
365 isolate()->ThrowException(v8::Exception::Error(
366 v8::String::NewFromUtf8(isolate(), availability.message().c_str())));
367 return false;
368 }
369
370 return true;
371 }
372
373 std::string ScriptContext::GetDebugString() const {
374 return base::StringPrintf(
375 " extension id: %s\n"
376 " frame: %p\n"
377 " URL: %s\n"
378 " context_type: %s\n"
379 " effective extension id: %s\n"
380 " effective context type: %s",
381 extension_.get() ? extension_->id().c_str() : "(none)", web_frame_,
382 GetURL().spec().c_str(), GetContextTypeDescription().c_str(),
383 effective_extension_.get() ? effective_extension_->id().c_str()
384 : "(none)",
385 GetEffectiveContextTypeDescription().c_str());
386 }
387
388 std::string ScriptContext::GetStackTraceAsString() const {
389 v8::Local<v8::StackTrace> stack_trace =
390 v8::StackTrace::CurrentStackTrace(isolate(), 10);
391 if (stack_trace.IsEmpty() || stack_trace->GetFrameCount() <= 0) {
392 return " <no stack trace>";
393 } else {
394 std::string result;
395 for (int i = 0; i < stack_trace->GetFrameCount(); ++i) {
396 v8::Local<v8::StackFrame> frame = stack_trace->GetFrame(i);
397 CHECK(!frame.IsEmpty());
398 result += base::StringPrintf(
399 "\n at %s (%s:%d:%d)",
400 ToStringOrDefault(frame->GetFunctionName(), "<anonymous>").c_str(),
401 ToStringOrDefault(frame->GetScriptName(), "<anonymous>").c_str(),
402 frame->GetLineNumber(),
403 frame->GetColumn());
404 }
405 return result;
406 }
407 }
408
409 v8::Local<v8::Value> ScriptContext::RunScript(
410 v8::Local<v8::String> name,
411 v8::Local<v8::String> code,
412 const RunScriptExceptionHandler& exception_handler) {
413 v8::EscapableHandleScope handle_scope(isolate());
414 v8::Context::Scope context_scope(v8_context());
415
416 // Prepend extensions:: to |name| so that internal code can be differentiated
417 // from external code in stack traces. This has no effect on behaviour.
418 std::string internal_name =
419 base::StringPrintf("extensions::%s", *v8::String::Utf8Value(name));
420
421 if (internal_name.size() >= v8::String::kMaxLength) {
422 NOTREACHED() << "internal_name is too long.";
423 return v8::Undefined(isolate());
424 }
425
426 blink::WebScopedMicrotaskSuppression suppression;
427 v8::TryCatch try_catch(isolate());
428 try_catch.SetCaptureMessage(true);
429 v8::ScriptOrigin origin(
430 v8_helpers::ToV8StringUnsafe(isolate(), internal_name.c_str()));
431 v8::Local<v8::Script> script;
432 if (!v8::Script::Compile(v8_context(), code, &origin).ToLocal(&script)) {
433 exception_handler.Run(try_catch);
434 return v8::Undefined(isolate());
435 }
436
437 v8::Local<v8::Value> result;
438 if (!script->Run(v8_context()).ToLocal(&result)) {
439 exception_handler.Run(try_catch);
440 return v8::Undefined(isolate());
441 }
442
443 return handle_scope.Escape(result);
444 }
445
446 ScriptContext::Runner::Runner(ScriptContext* context) : context_(context) {
447 }
448
449 void ScriptContext::Runner::Run(const std::string& source,
450 const std::string& resource_name) {
451 context_->module_system()->RunString(source, resource_name);
452 }
453
454 v8::Local<v8::Value> ScriptContext::Runner::Call(
455 v8::Local<v8::Function> function,
456 v8::Local<v8::Value> receiver,
457 int argc,
458 v8::Local<v8::Value> argv[]) {
459 return context_->CallFunction(function, argc, argv);
460 }
461
462 gin::ContextHolder* ScriptContext::Runner::GetContextHolder() {
463 v8::HandleScope handle_scope(context_->isolate());
464 return gin::PerContextData::From(context_->v8_context())->context_holder();
465 }
466
467 } // namespace extensions