Extension resources should only load in contexts the extension has permission to access.

See http://codereview.chromium.org/10792008/ for background.

BUG=139592

Review URL: https://chromiumcodereview.appspot.com/10828067

git-svn-id: svn://svn.chromium.org/chrome/trunk/src@149610 0039d316-1c4b-4281-b951-d872f2087c98

chrome/browser/extensions/extension_resource_request_policy_apitest.cc

@@ -54,6 +54,15 @@ IN_PROC_BROWSER_TEST_F(ExtensionResourceRequestPolicyTest, OriginPrivileges) {
     &result));
   EXPECT_EQ(result, "Loaded");
 
+  // A web host that does not have permission.
+  ui_test_utils::NavigateToURL(
+      browser(), web_resource.ReplaceComponents(make_host_b_com));
+  ASSERT_TRUE(content::ExecuteJavaScriptAndExtractString(
+    chrome::GetActiveWebContents(browser())->GetRenderViewHost(), L"",
+      L"window.domAutomationController.send(document.title)",
+    &result));
+  EXPECT_EQ(result, "Image failed to load");
+
   // A web host that loads a non-existent extension.
   GURL non_existent_extension(
       test_server()->GetURL(

chrome/common/extensions/extension.cc

@@ -535,10 +535,27 @@ bool Extension::HasWebAccessibleResources() const {
   return false;
 }
 
+bool Extension::HasNaClModules() const {
+  if (nacl_modules_.size())
+    return true;
+
+  return false;
+}
+
 bool Extension::IsSandboxedPage(const std::string& relative_path) const {
   return ResourceMatches(sandboxed_pages_, relative_path);
 }
 
+bool Extension::IsResourceNaClManifest(const std::string& resource) const {
+  GURL url = extension_url_.Resolve(resource);
+  for (std::vector<NaClModuleInfo>::const_iterator it = nacl_modules_.begin();
+       it != nacl_modules_.end(); it++) {
+    if (it->url == url)
+      return true;
+  }
+  return false;
+}
+
 
 std::string Extension::GetResourceContentSecurityPolicy(
     const std::string& relative_path) const {

chrome/common/extensions/extension.h

@@ -354,6 +354,9 @@ class Extension : public base::RefCountedThreadSafe<Extension> {
   // Returns true if the specified resource is web accessible.
   bool IsResourceWebAccessible(const std::string& relative_path) const;
 
+  // Returns true if the specified resource is a NaCl manifest.
+  bool IsResourceNaClManifest(const std::string& resource) const;
+
   // Returns true if the specified page is sandboxed (served in a unique
   // origin).
   bool IsSandboxedPage(const std::string& relative_path) const;
@@ -366,6 +369,9 @@ class Extension : public base::RefCountedThreadSafe<Extension> {
   // Returns true when 'web_accessible_resources' are defined for the extension.
   bool HasWebAccessibleResources() const;
 
+  // Returns true when 'nacl_modules' are defined for the extension.
+  bool HasNaClModules() const;
+
   // Returns an extension resource object. |relative_path| should be UTF8
   // encoded.
   ExtensionResource GetResource(const std::string& relative_path) const;

chrome/renderer/extensions/extension_resource_request_policy.cc

@@ -7,6 +7,7 @@
 #include "base/command_line.h"
 #include "base/logging.h"
 #include "base/stringprintf.h"
+#include "base/string_util.h"
 #include "chrome/common/chrome_switches.h"
 #include "chrome/common/url_constants.h"
 #include "chrome/common/extensions/extension.h"
@@ -47,27 +48,44 @@ bool ExtensionResourceRequestPolicy::CanRequestResource(
     return false;
   }
 
-  // Disallow loading of extension resources which are not explicitely listed
-  // as web accessible if the manifest version is 2 or greater.
-  if (!extension->IsResourceWebAccessible(resource_url.path()) &&
-      !CommandLine::ForCurrentProcess()->HasSwitch(
-          switches::kDisableExtensionsResourceWhitelist)) {
-    GURL frame_url = frame->document().url();
-    GURL page_url = frame->top()->document().url();
-
-    // Exceptions are:
-    // - empty origin (needed for some edge cases when we have empty origins)
-    bool is_empty_origin = frame_url.is_empty();
-    // - extensions requesting their own resources (frame_url check is for
-    //     images, page_url check is for iframes)
-    bool is_own_resource = frame_url.GetOrigin() == extension->url() ||
-        page_url.GetOrigin() == extension->url();
-    // - devtools (chrome-extension:// URLs are loaded into frames of devtools
-    //     to support the devtools extension APIs)
-    bool is_dev_tools = page_url.SchemeIs(chrome::kChromeDevToolsScheme) &&
-        !extension->devtools_url().is_empty();
-
-    if (!is_empty_origin && !is_own_resource && !is_dev_tools) {
+  GURL frame_url = frame->document().url();
+
+  // In the case of loading a frame, frame* points to the frame being loaded,
+  // not the containing frame. This means that frame->document().url() ends up
+  // not being useful to us.
+  //
+  // WebKit doesn't currently pass us enough information to know when we're a
+  // frame, so we hack it by checking for 'about:blank', which should only
+  // happen in this situation.
+  //
+  // TODO(aa): Fix WebKit to pass the context of the load: crbug.com/139788.
+  if (frame_url == GURL(chrome::kAboutBlankURL) && frame->parent())
+      frame_url = frame->parent()->document().url();
+
+  bool extension_has_access_to_frame =
+      extension->GetEffectiveHostPermissions().MatchesURL(frame_url);
+  bool frame_has_empty_origin = frame_url.is_empty();
+  bool frame_is_data_url = frame_url.SchemeIs(chrome::kDataScheme);
+  bool frame_is_devtools = frame_url.SchemeIs(chrome::kChromeDevToolsScheme) &&
+      !extension->devtools_url().is_empty();
+  bool frame_is_extension = frame_url.SchemeIs(chrome::kExtensionScheme);
+  bool is_own_resource = frame_url.GetOrigin() == extension->url();
+  bool is_resource_nacl_manifest =
+      extension->IsResourceNaClManifest(resource_url.path());
+  bool is_resource_web_accessible =
+      extension->IsResourceWebAccessible(resource_url.path()) ||
+      CommandLine::ForCurrentProcess()->HasSwitch(
+          switches::kDisableExtensionsResourceWhitelist);
+
+  // Given that the goal here is to prevent malicious injection of a benign
+  // extension's content into a context where it might be damaging, allowing
+  // unvalidated "nexe" resources is low-risk. If a mechanism for synchronously
+  // validating that the "nexe" is a NaCl executable appears, we should use it.
+  bool is_resource_nexe = extension->HasNaClModules() &&
+      EndsWith(resource_url.path(), ".nexe", true);
+
+  if (!frame_has_empty_origin && !frame_is_devtools && !is_own_resource) {
+    if (!is_resource_web_accessible) {
       std::string message = base::StringPrintf(
           "Denying load of %s. Resources must be listed in the "
           "web_accessible_resources manifest key in order to be loaded by "
@@ -78,6 +96,18 @@ bool ExtensionResourceRequestPolicy::CanRequestResource(
                                     WebKit::WebString::fromUTF8(message)));
       return false;
     }
+
+    if (!extension_has_access_to_frame && !frame_is_extension &&
+        !frame_is_data_url && !is_resource_nacl_manifest && !is_resource_nexe) {
+      std::string message = base::StringPrintf(
+          "Denying load of %s. An extension's resources can only be loaded "
+          "into a page for which the extension has explicit host permissions.",
+          resource_url.spec().c_str());
+      frame->addMessageToConsole(
+          WebKit::WebConsoleMessage(WebKit::WebConsoleMessage::LevelError,
+                                    WebKit::WebString::fromUTF8(message)));
+      return false;
+    }
   }
 
   return true;

chrome/test/data/extensions/api_test/extension_resource_request_policy/extension/manifest.json

@@ -2,6 +2,6 @@
    "description": "Extension 1",
    "key": "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDPOziAf8MbTjdUo6DysZ4nAU/2f/kwYnftyKkxI1GyTlbStprGy+Y2ek4/59QbE3xEE+dIIuYeObM4QTptpcFMg956ZLFoeDg41Pg3tzUrbltgG8hXTbBxN852FJx2kdaqa/MKUUsJKGSD5hkUmvZRADGGWhMWzvz64ao1h02xJQIDAQAB",
    "name": "test",
-   "permissions": [ "http://a.com/*" ],
+   "permissions": [ "http://a.com/*", "http://127.0.0.1/*" ],
    "version": "0.1"
 }

chrome/test/data/extensions/api_test/extension_resource_request_policy/extension2/manifest.json

@@ -2,5 +2,6 @@
    "description": "Extension 2",
    "key": "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDPOziAf8MbTjdUo6DysZ4nAU/2f/kwYnftyKkxI1GyTlbStprGy+Y2ek4/59QbE3xEE+dIIuYeObM4QTptpcFMg956ZLFoeDg41Pg3tzUrbltgG8hXTbBxN852FJx2kdaqa/MKUUsJKGSD5hkUmvZRADGGWhMWzvz64ao1h02xJQIDAQAC",
    "name": "test",
-   "version": "0.1"
+   "version": "0.1",
+   "permissions": [ "http://a.com/*", "http://127.0.0.1/*" ]
 }

chrome/test/data/extensions/api_test/extension_resource_request_policy/web_accessible/manifest.json

-{
-   "manifest_version": 2,
-   "name": "web_accessible",
-   "version": "0.1",
-   "key": "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDPOziAf8MbTjdUo6DysZ4nAU/2f/kwYnftyKkxI1GyTlbStprGy+Y2ek4/59QbE3xEE+dIIuYeObM4QTptpcFMg956ZLFoeDg41Pg3tzUrbltgG8hXTbBxN852FJx2kdaqa/MKUUsJKGSD5hkUmvZRADGGWhMWzvz64ao1h02xJQIDAQAD",
-   "web_accessible_resources": [
-     "test.png",
-     "nonexistent.png"
-   ]
-}
+{
+   "manifest_version": 2,
+   "name": "web_accessible",
+   "version": "0.1",
+   "permissions": [ "http://a.com/*", "http://127.0.0.1/*" ],
+   "key": "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDPOziAf8MbTjdUo6DysZ4nAU/2f/kwYnftyKkxI1GyTlbStprGy+Y2ek4/59QbE3xEE+dIIuYeObM4QTptpcFMg956ZLFoeDg41Pg3tzUrbltgG8hXTbBxN852FJx2kdaqa/MKUUsJKGSD5hkUmvZRADGGWhMWzvz64ao1h02xJQIDAQAD",
+   "web_accessible_resources": [
+     "test.png",
+     "nonexistent.png"
+   ]
+}