File: extension_util.cc

// Copyright 2014 The Chromium Authors
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

#include "extensions/browser/extension_util.h"

#include <algorithm>

#include "base/barrier_closure.h"
#include "base/command_line.h"
#include "base/no_destructor.h"
#include "base/strings/string_util.h"
#include "build/chromeos_buildflags.h"
#include "components/crx_file/id_util.h"
#include "content/public/browser/browser_context.h"
#include "content/public/browser/child_process_security_policy.h"
#include "content/public/browser/site_instance.h"
#include "content/public/browser/storage_partition.h"
#include "content/public/browser/storage_partition_config.h"
#include "extensions/browser/extension_host.h"
#include "extensions/browser/extension_prefs.h"
#include "extensions/browser/extension_registry.h"
#include "extensions/browser/extension_system.h"
#include "extensions/browser/extension_util.h"
#include "extensions/browser/extensions_browser_client.h"
#include "extensions/browser/process_manager.h"
#include "extensions/browser/process_map.h"
#include "extensions/browser/script_injection_tracker.h"
#include "extensions/browser/ui_util.h"
#include "extensions/common/extension.h"
#include "extensions/common/extension_id.h"
#include "extensions/common/extension_set.h"
#include "extensions/common/feature_switch.h"
#include "extensions/common/features/feature.h"
#include "extensions/common/manifest.h"
#include "extensions/common/manifest_handlers/incognito_info.h"
#include "extensions/common/manifest_handlers/shared_module_info.h"
#include "extensions/common/mojom/manifest.mojom.h"
#include "extensions/common/permissions/permissions_data.h"
#include "extensions/common/switches.h"
#include "extensions/grit/extensions_browser_resources.h"
#include "mojo/public/cpp/bindings/clone_traits.h"
#include "ui/base/resource/resource_bundle.h"
#include "url/gurl.h"

#if BUILDFLAG(IS_CHROMEOS)
#include "chromeos/constants/chromeos_features.h"
#include "chromeos/constants/pref_names.h"
#include "components/prefs/pref_service.h"
#endif

#if BUILDFLAG(IS_CHROMEOS)
#include "base/system/sys_info.h"
#endif

namespace extensions {
namespace util {

namespace {

#if BUILDFLAG(IS_CHROMEOS)
// Recognizes the sign-in profile test extension. Returns false for every other
// extension id. When the id does match, the process is deliberately crashed
// unless it is running on a ChromeOS test image, so the incognito exemption
// this feeds into can never be reached on a shipping image.
bool IsSigninProfileTestExtensionOnTestImage(const Extension* extension) {
  const bool is_signin_test_extension =
      extension->id() == extension_misc::kSigninProfileTestExtensionId;
  if (!is_signin_test_extension) {
    return false;
  }
  // Hard stop on non-test images; only returns on a test image.
  base::SysInfo::CrashIfChromeOSNonTestImage();
  return true;
}
#endif

// Returns true only for extensions that came from the Chrome Web Store as a
// user install: from_webstore() must be set, the extension must not be a
// default-installed one, and its install location must be kInternal (any other
// location is excluded).
bool ExtensionIsFromWebstore(const Extension& extension) {
  if (!extension.from_webstore()) {
    return false;
  }
  if (extension.was_installed_by_default()) {
    return false;
  }
  return extension.location() == mojom::ManifestLocation::kInternal;
}

}  // namespace

// Whether `extension` is even eligible for incognito access. The manifest's
// incognito setting must allow it, and platform apps are only eligible when
// they are component-installed (a regular platform app never qualifies).
bool CanBeIncognitoEnabled(const Extension* extension) {
  if (!IncognitoInfo::IsIncognitoAllowed(extension)) {
    return false;
  }
  const bool is_component =
      extension->location() == mojom::ManifestLocation::kComponent;
  return !extension->is_platform_app() || is_component;
}

// Returns whether `extension_id` may run in the incognito/OTR version of
// `context`. Resolution order:
//  * an enabled extension that is not eligible (CanBeIncognitoEnabled) -> false;
//  * an enabled component or login-screen extension (and, on ChromeOS, the
//    sign-in profile test extension on a test image) -> true;
//  * on ChromeOS, while the captive-portal sign-in pref is set -> true;
//  * otherwise the user's per-extension toggle in ExtensionPrefs.
// An id that is not currently enabled skips the per-extension exemptions and
// falls through to the pref checks.
bool IsIncognitoEnabled(const ExtensionId& extension_id,
                        content::BrowserContext* context) {
  const Extension* enabled_extension =
      ExtensionRegistry::Get(context)->enabled_extensions().GetByID(
          extension_id);
  if (enabled_extension) {
    if (!CanBeIncognitoEnabled(enabled_extension)) {
      return false;
    }
    // Component and login-screen extensions are always allowed in incognito;
    // the user-controlled pref does not apply to them.
    bool always_allowed =
        Manifest::IsComponentLocation(enabled_extension->location()) ||
        enabled_extension->is_login_screen_extension();
#if BUILDFLAG(IS_CHROMEOS)
    // Only consulted when the checks above did not already decide. Note that
    // the helper returns false for every other extension but crashes on
    // purpose if the sign-in test extension shows up on a non-test image.
    always_allowed =
        always_allowed ||
        IsSigninProfileTestExtensionOnTestImage(enabled_extension);
#endif
    if (always_allowed) {
      return true;
    }
  }
#if BUILDFLAG(IS_CHROMEOS)
  // Captive portal sign-in runs in an OTR profile purely to keep PII away from
  // the portal (which needs plain-HTTP redirects to work). Extensions should
  // not be switched off there by default, so treat them as enabled; proxies
  // are disabled separately. See b/261727502.
  PrefService* pref_service =
      ExtensionsBrowserClient::Get()->GetPrefServiceForContext(context);
  if (pref_service) {
    const PrefService::Preference* captive_portal_signin =
        pref_service->FindPreference(chromeos::prefs::kCaptivePortalSignin);
    if (captive_portal_signin && captive_portal_signin->GetValue()->GetBool()) {
      return true;
    }
  }
#endif
  // Default: the user's per-extension incognito toggle.
  return ExtensionPrefs::Get(context)->IsIncognitoEnabled(extension_id);
}

// Whether `extension` may observe events and data from the other (regular vs.
// incognito) profile of `context`. Requires both that incognito access is
// enabled for it and that it runs in "spanning" mode; a "split"-mode extension
// only ever sees the profile its own process belongs to.
bool CanCrossIncognito(const Extension* extension,
                       content::BrowserContext* context) {
  CHECK(extension);
  // Evaluate the incognito check first; it is the gate, split-mode is the
  // refinement.
  const bool incognito_enabled = IsIncognitoEnabled(extension->id(), context);
  if (!incognito_enabled) {
    return false;
  }
  return !IncognitoInfo::IsSplitMode(extension);
}

// Returns true when `extension_id` has no live browser-side state in
// `context`: no background host, no render frames and no dedicated process.
// For a shared module the same test is applied to every extension that imports
// it, because the module is only really idle once all of its dependents are.
bool IsExtensionIdle(const std::string& extension_id,
                     content::BrowserContext* context) {
  std::vector<std::string> candidates{extension_id};

  const Extension* extension =
      ExtensionRegistry::Get(context)->enabled_extensions().GetByID(
          extension_id);
  if (extension && extension->is_shared_module()) {
    std::unique_ptr<ExtensionSet> dependents =
        ExtensionSystem::Get(context)->GetDependentExtensions(extension);
    for (const auto& dependent : *dependents) {
      candidates.push_back(dependent->id());
    }
  }

  ProcessManager* process_manager = ProcessManager::Get(context);
  ProcessMap* process_map = ProcessMap::Get(context);
  // TODO(devlin): The background-host and frame checks are likely redundant
  // with the process check, since any extension with live frames should own a
  // dedicated process.
  auto has_live_state = [process_manager, process_map](const std::string& id) {
    return process_manager->GetBackgroundHostForExtension(id) != nullptr ||
           !process_manager->GetRenderFrameHostsForExtension(id).empty() ||
           process_map->ExtensionHasProcess(id);
  };
  return std::ranges::none_of(candidates, has_live_state);
}

// Reflects the prompt_for_external_extensions feature switch (presumably
// gating the prompt shown for externally installed extensions).
bool IsPromptingEnabled() {
  auto* prompt_switch = FeatureSwitch::prompt_for_external_extensions();
  return prompt_switch->IsEnabled();
}

// Whether `extension_id` may read file:// URLs. Normally this is the user's
// per-extension file-access preference. The
// switches::kDisableExtensionsFileAccessCheck command-line switch bypasses the
// preference and answers true for every extension; NOTE(review): that is a
// global widening of file access, so confirm nothing outside tests sets it.
bool AllowFileAccess(const ExtensionId& extension_id,
                     content::BrowserContext* context) {
  const bool check_disabled =
      base::CommandLine::ForCurrentProcess()->HasSwitch(
          switches::kDisableExtensionsFileAccessCheck);
  if (check_disabled) {
    return true;
  }
  return ExtensionPrefs::Get(context)->AllowFileAccess(extension_id);
}

// The storage partition domain of an extension is simply its id. The returned
// reference aliases the extension's own id string.
const std::string& GetPartitionDomainForExtension(const Extension* extension) {
  const std::string& partition_domain = extension->id();
  return partition_domain;
}

// Builds the StoragePartitionConfig that `extension_id`'s content lives in.
// Extensions the embedder flags as having isolated storage get a dedicated
// partition whose domain is the extension id; everything else shares the
// context's default partition.
content::StoragePartitionConfig GetStoragePartitionConfigForExtensionId(
    const ExtensionId& extension_id,
    content::BrowserContext* browser_context) {
  const bool isolated = ExtensionsBrowserClient::Get()->HasIsolatedStorage(
      extension_id, browser_context);
  if (!isolated) {
    return content::StoragePartitionConfig::CreateDefault(browser_context);
  }
  // `partition_name` and `in_memory` only carry meaning for guest (<webview>)
  // schemes, so they are left empty / false here.
  return content::StoragePartitionConfig::Create(
      browser_context, /*partition_domain=*/extension_id,
      /*partition_name=*/std::string(), /*in_memory=*/false);
}

// Resolves the StoragePartition for `extension_id` in `browser_context` via
// its StoragePartitionConfig. `can_create` is passed straight through to
// BrowserContext::GetStoragePartition; when it is false and the partition does
// not exist yet the result may be null — confirm against BrowserContext.
content::StoragePartition* GetStoragePartitionForExtensionId(
    const ExtensionId& extension_id,
    content::BrowserContext* browser_context,
    bool can_create) {
  return browser_context->GetStoragePartition(
      GetStoragePartitionConfigForExtensionId(extension_id, browser_context),
      can_create);
}

// Returns the ServiceWorkerContext of `extension_id`'s storage partition.
// Uses GetStoragePartitionForExtensionId's default for `can_create` (declared
// in the header) and dereferences the partition without a null check, so that
// default is presumably "create" — verify if the default ever changes.
content::ServiceWorkerContext* GetServiceWorkerContextForExtensionId(
    const ExtensionId& extension_id,
    content::BrowserContext* browser_context) {
  content::StoragePartition* partition =
      GetStoragePartitionForExtensionId(extension_id, browser_context);
  return partition->GetServiceWorkerContext();
}

// This function is security sensitive. Bugs could cause problems that break
// restrictions on local file access or NaCl's validation caching. If you modify
// this function, please get a security review from a NaCl person.
//
// Maps a chrome-extension:// (or hosted-app) `file_url` to the on-disk file
// that backs it, writing the result to `file_path` and returning true. Returns
// false when the URL does not belong to a known extension in `extensions`,
// does not name a resource of that extension, or (for shared-module imports)
// names a module that the extension does not actually import. With
// `use_blocking_api` == false only plain chrome-extension:// URLs are handled
// and no disk access happens; imported (shared-module) paths are not resolved
// on that path.
bool MapUrlToLocalFilePath(const ExtensionSet* extensions,
                           const GURL& file_url,
                           bool use_blocking_api,
                           base::FilePath* file_path) {
  // Check that the URL is recognized by the extension system.
  const Extension* extension = extensions->GetExtensionOrAppByURL(file_url);
  if (!extension) {
    return false;
  }

  // This is a short-cut which avoids calling a blocking file operation
  // (GetFilePath()), so that this can be called on the non blocking threads. It
  // only handles a subset of the urls.
  if (!use_blocking_api) {
    if (file_url.SchemeIs(kExtensionScheme)) {
      std::string path = file_url.path();
      // Strip leading and trailing '/' (TrimString trims both ends, not just
      // the first character) so the remainder is appended as a relative path.
      // NOTE(review): unlike the blocking path below, this does not go through
      // ExtensionResource, so it relies on GURL having already canonicalized
      // the path (e.g. resolved ".." segments) — confirm for every caller that
      // passes use_blocking_api == false.
      base::TrimString(path, "/", &path);
      *file_path = extension->path().AppendASCII(path);
      return true;
    }
    return false;
  }

  std::string path = file_url.path();
  ExtensionResource resource;

  if (SharedModuleInfo::IsImportedPath(path)) {
    // Check if this is a valid path that is imported for this extension.
    ExtensionId new_extension_id;
    std::string new_relative_path;
    SharedModuleInfo::ParseImportedPath(path, &new_extension_id,
                                        &new_relative_path);
    const Extension* new_extension = extensions->GetByID(new_extension_id);
    if (!new_extension) {
      return false;
    }

    // The importing extension must declare the module it is reaching into;
    // otherwise a URL under one extension could address another extension's
    // files.
    if (!SharedModuleInfo::ImportsExtensionById(extension, new_extension_id)) {
      return false;
    }

    resource = new_extension->GetResource(new_relative_path);
  } else {
    // Check that the URL references a resource in the extension.
    resource = extension->GetResource(path);
  }

  if (resource.empty()) {
    return false;
  }

  // GetFilePath is a blocking function call. An empty result means the
  // resource could not be resolved to a file and is rejected.
  const base::FilePath resource_file_path = resource.GetFilePath();
  if (resource_file_path.empty()) {
    return false;
  }

  *file_path = resource_file_path;
  return true;
}

// Convenience overload: unpacks the id, type and install location of
// `extension` and defers to the three-argument form.
bool CanWithholdPermissionsFromExtension(const Extension& extension) {
  const ExtensionId& id = extension.id();
  const Manifest::Type type = extension.GetType();
  const mojom::ManifestLocation location = extension.location();
  return CanWithholdPermissionsFromExtension(id, type, location);
}

// Whether the browser may withhold requested host permissions from this
// extension. Withholding is only possible for extensions the user can manage
// in chrome://extensions (that is where withheld permissions would be granted
// back); it is never done for policy-installed or component extensions, nor
// for extensions allowlisted to script everywhere — those must always be able
// to run on a page.
bool CanWithholdPermissionsFromExtension(const ExtensionId& extension_id,
                                         Manifest::Type type,
                                         mojom::ManifestLocation location) {
  if (!ui_util::ShouldDisplayInExtensionSettings(type, location)) {
    return false;
  }
  if (Manifest::IsPolicyLocation(location) ||
      Manifest::IsComponentLocation(location)) {
    return false;
  }
  return !PermissionsData::CanExecuteScriptEverywhere(extension_id, location);
}

// Returns a small process-lifetime integer identifying the original (non-OTR)
// context that `context` belongs to, so an off-the-record context and its
// original share an id. Ids are handed out sequentially on first sight and
// remembered in a never-shrinking map keyed by BrowserContext::UniqueId();
// they are stable for the rest of the process but not across restarts.
int GetBrowserContextId(content::BrowserContext* context) {
  static int next_id = 0;
  static base::NoDestructor<std::map<std::string, int>> ids_by_unique_id;

  // Always key on the original context so OTR and regular profiles agree.
  content::BrowserContext* original_context =
      ExtensionsBrowserClient::Get()->GetOriginalContext(context);
  const std::string& unique_id = original_context->UniqueId();

  // try_emplace only consumes a fresh id when the context is new.
  auto [entry, inserted] = ids_by_unique_id->try_emplace(unique_id, next_id);
  if (inserted) {
    ++next_id;
  }
  DCHECK(entry->second != kUnspecifiedContextId);
  return entry->second;
}

// Decides whether renderers for `browser_context` need to be told about
// `extension` at all. Themes are never sent. A regular (non-OTR) context sees
// everything else. An incognito context sees an extension if incognito access
// is enabled for it, or if it could never have such access (e.g. platform
// apps) — the latter so that connections from incognito tabs to such
// extensions still work.
bool IsExtensionVisibleToContext(const Extension& extension,
                                 content::BrowserContext* browser_context) {
  if (extension.is_theme()) {
    return false;
  }
  if (!browser_context->IsOffTheRecord()) {
    return true;
  }
  if (!CanBeIncognitoEnabled(&extension)) {
    return true;
  }
  return IsIncognitoEnabled(extension.id(), browser_context);
}

// Grants `render_process_id` the ability to request file:// URLs if the user
// has enabled file access for `extension_id`. This consults ExtensionPrefs
// directly rather than util::AllowFileAccess, so the
// kDisableExtensionsFileAccessCheck switch is *not* honored here; switching to
// AllowFileAccess would widen the grant whenever that switch is set.
// TODO(karandeepb): This should probably use extensions::util::AllowFileAccess.
void InitializeFileSchemeAccessForExtension(
    int render_process_id,
    const ExtensionId& extension_id,
    content::BrowserContext* browser_context) {
  const bool file_access_allowed =
      ExtensionPrefs::Get(browser_context)->AllowFileAccess(extension_id);
  if (!file_access_allowed) {
    return;
  }
  content::ChildProcessSecurityPolicy::GetInstance()->GrantRequestScheme(
      render_process_id, url::kFileScheme);
}

// The bundled default app icon (IDR_APP_DEFAULT_ICON), owned by the shared
// ResourceBundle.
const gfx::ImageSkia& GetDefaultAppIcon() {
  ui::ResourceBundle& bundle = ui::ResourceBundle::GetSharedInstance();
  return *bundle.GetImageSkiaNamed(IDR_APP_DEFAULT_ICON);
}

// The bundled default extension icon (IDR_EXTENSION_DEFAULT_ICON), owned by
// the shared ResourceBundle.
const gfx::ImageSkia& GetDefaultExtensionIcon() {
  ui::ResourceBundle& bundle = ui::ResourceBundle::GetSharedInstance();
  return *bundle.GetImageSkiaNamed(IDR_EXTENSION_DEFAULT_ICON);
}

// Derives the extension id that `site_instance` is associated with, or an
// empty id when it does not host an extension. Sources, in order:
//  * <webview> guests keep the ExtensionId in their storage partition domain,
//    so that is returned directly;
//  * otherwise the site URL must be chrome-extension:// and its host is the
//    id (hosted apps are normalized to their extension URL, so this covers
//    apps too);
//  * the sentinel host "invalid" (disabled / uninstalled / not-yet-installed
//    extension) maps to an empty id.
// Any other host is expected to be a well-formed extension id; this is only
// DCHECKed, so release builds return the host as-is.
ExtensionId GetExtensionIdForSiteInstance(
    content::SiteInstance& site_instance) {
  if (site_instance.IsGuest()) {
    return site_instance.GetStoragePartitionConfig().partition_domain();
  }

  const GURL& site_url = site_instance.GetSiteURL();
  if (!site_url.SchemeIs(kExtensionScheme)) {
    return ExtensionId();
  }

  ExtensionId host = site_url.host();
  if (host == "invalid") {
    return ExtensionId();
  }

  // Navigations must never commit a dynamic, GUID-based extension hostname;
  // those are redirected to the static, id-based host before committing.
  DCHECK(crx_file::id_util::IdIsValid(host))
      << "; maybe_extension_id = " << host;
  return host;
}

// Returns the host of `render_frame_host`'s site URL when that URL is
// chrome-extension://, otherwise an empty string. Unlike
// GetExtensionIdForSiteInstance this does not special-case <webview> guests
// or the "invalid" sentinel host, and it does not validate the id — callers
// that need those guarantees should use that function instead.
std::string GetExtensionIdFromFrame(
    content::RenderFrameHost* render_frame_host) {
  content::SiteInstance* site_instance = render_frame_host->GetSiteInstance();
  const GURL& site_url = site_instance->GetSiteURL();
  return site_url.SchemeIs(kExtensionScheme) ? site_url.host() : std::string();
}

// Asks ChildProcessSecurityPolicy whether `render_process_id` is allowed to
// host `extension_id`'s origin. For a sandboxed extension frame the process is
// only permitted to host opaque origins (crbug.com/325410297), so the question
// is asked about an opaque origin derived from the extension origin instead;
// HostsOrigin() still validates the extension id through that opaque origin's
// precursor.
bool CanRendererHostExtensionOrigin(int render_process_id,
                                    const ExtensionId& extension_id,
                                    bool is_sandboxed) {
  const url::Origin tuple_origin =
      Extension::CreateOriginFromExtensionId(extension_id);
  const url::Origin origin_to_check =
      is_sandboxed ? tuple_origin.DeriveNewOpaqueOrigin() : tuple_origin;
  return content::ChildProcessSecurityPolicy::GetInstance()->HostsOrigin(
      render_process_id, origin_to_check);
}

// Browser-side check that a renderer (`render_process_host`, optionally a
// specific `render_frame_host` in it) is allowed to claim it acts for
// `extension_id`. The renderer's claim itself is untrusted; every signal
// consulted here is browser-side state. Returns true as soon as any one of the
// following holds, and false otherwise:
//  * `extension_id` is empty (no extension-specific powers are implied);
//  * the process has run a content script (or, if `include_user_scripts`, a
//    user script) from the extension;
//  * ChildProcessSecurityPolicy says the process may host the extension's
//    origin (the opaque-origin variant for sandboxed frames);
//  * `render_frame_host` is given, is not a GuestView, and its SiteInstance
//    resolves to `extension_id` (this is what covers hosted apps, whose
//    process lock is an https:// URL rather than chrome-extension://).
bool CanRendererActOnBehalfOfExtension(
    const ExtensionId& extension_id,
    content::RenderFrameHost* render_frame_host,
    content::RenderProcessHost& render_process_host,
    bool include_user_scripts) {
  // TODO(lukasza): Some of the checks below can be restricted to specific
  // context types (e.g. an empty `extension_id` should not happen in an
  // extension context;  and the SiteInstance-based check should only be needed
  // for hosted apps).  Consider leveraging ProcessMap::GetMostLikelyContextType
  // to implement this kind of restrictions.  Note that
  // ExtensionFunctionDispatcher::CreateExtensionFunction already calls
  // GetMostLikelyContextType - some refactoring might be needed to avoid
  // duplicating the work.

  // Allow empty extension id (it seems okay to assume that no
  // extension-specific special powers will be granted without an extension id).
  // For instance, WebUI pages may call private APIs like developerPrivate,
  // settingsPrivate, metricsPrivate, and others. In these cases, there is no
  // associated extension ID.
  //
  // TODO(lukasza): Investigate if the exception below can be avoided if
  // `render_process_host` hosts HTTP origins (i.e. if the exception can be
  // restricted to NTP, and/or chrome://... cases.
  if (extension_id.empty()) {
    return true;
  }

  // Did `render_process_id` run a content script or user script from
  // `extension_id`?
  // TODO(crbug.com/40055126): Ideally, we'd only check content script/
  // user script status if the renderer claimed to be acting on behalf of the
  // corresponding type (e.g. mojom::ContextType::kContentScript). We evaluate
  // this later in ProcessMap::CanProcessHostContextType(), but we could be
  // stricter by including it here.
  if (ScriptInjectionTracker::DidProcessRunContentScriptFromExtension(
          render_process_host, extension_id) ||
      (ScriptInjectionTracker::DidProcessRunUserScriptFromExtension(
           render_process_host, extension_id) &&
       include_user_scripts)) {
    return true;
  }

  // CanRendererHostExtensionOrigin() needs to know if the extension is
  // sandboxed, so check the sandbox flags if this request is for an extension
  // frame. Note that extension workers cannot be sandboxed since workers aren't
  // supported in opaque origins. With no frame (worker case) this is false.
  bool is_sandboxed =
      render_frame_host &&
      render_frame_host->IsSandboxed(network::mojom::WebSandboxFlags::kOrigin);

  // Can `render_process_id` host a chrome-extension:// origin (frame, worker,
  // etc.)?
  if (CanRendererHostExtensionOrigin(render_process_host.GetDeprecatedID(),
                                     extension_id, is_sandboxed)) {
    return true;
  }

  if (render_frame_host) {
    // The frame must belong to the process we were asked about.
    DCHECK_EQ(render_process_host.GetDeprecatedID(),
              render_frame_host->GetProcess()->GetDeprecatedID());
    content::SiteInstance& site_instance =
        *render_frame_host->GetSiteInstance();

    // Chrome Extension APIs can be accessed from some hosted apps.
    //
    // Today this is mostly needed by the Chrome Web Store's hosted app, but the
    // code below doesn't make this assumption and allows *all* hosted apps
    // based on the trustworthy, Browser-side information from the SiteInstance
    // / SiteURL.  This way the code is resilient to future changes + there are
    // concerns that `chrome.test.sendMessage` might already be exposed to
    // hosted apps (but maybe not covered by tests).
    //
    // Note that the condition below allows all extensions (i.e. not just hosted
    // apps), but hosted apps aren't covered by the
    // `CanRendererHostExtensionOrigin` call above (because the process lock of
    // hosted apps is based on a https://, rather than chrome-extension:// url).
    //
    // GuestView is explicitly excluded, because we don't want to allow
    // GuestViews to spoof the extension id of their host.
    if (!site_instance.IsGuest() &&
        extension_id == util::GetExtensionIdForSiteInstance(site_instance)) {
      return true;
    }
  }

  // Disallow any other cases.
  return false;
}

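// Returns true if `extension_id` names a currently enabled platform ("Chrome")
// app in `context`. An id that is not enabled (disabled, uninstalled, or never
// installed) yields false.
bool IsChromeApp(const ExtensionId& extension_id,
                 content::BrowserContext* context) {
  const Extension* extension =
      ExtensionRegistry::Get(context)->enabled_extensions().GetByID(
          extension_id);
  // GetByID() returns nullptr for ids that are not enabled; treat that as
  // "not a Chrome app" instead of dereferencing it.
  return extension && extension->is_platform_app();
}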

// An app is considered launchable unless its recorded disable reasons include
// DISABLE_UNSUPPORTED_REQUIREMENT or DISABLE_CORRUPTED. Any other disable
// reason (or none at all) leaves it launchable from this check's point of
// view; whether it is currently enabled is a separate question (see
// IsAppLaunchableWithoutEnabling).
bool IsAppLaunchable(const ExtensionId& extension_id,
                     content::BrowserContext* context) {
  const DisableReasonSet disable_reasons =
      ExtensionPrefs::Get(context)->GetDisableReasons(extension_id);
  const bool blocked_by_requirement =
      disable_reasons.contains(disable_reason::DISABLE_UNSUPPORTED_REQUIREMENT);
  const bool blocked_by_corruption =
      disable_reasons.contains(disable_reason::DISABLE_CORRUPTED);
  return !(blocked_by_requirement || blocked_by_corruption);
}

// True when `extension_id` is in the enabled set of `context`, i.e. it can be
// launched without first being re-enabled.
bool IsAppLaunchableWithoutEnabling(const ExtensionId& extension_id,
                                    content::BrowserContext* context) {
  const ExtensionSet& enabled =
      ExtensionRegistry::Get(context)->enabled_extensions();
  return enabled.Contains(extension_id);
}

// Whether at least one extension in `context`'s installed set (as reported by
// GenerateInstalledExtensionsSet) came from the Chrome Web Store, per
// ExtensionIsFromWebstore().
bool AnyCurrentlyInstalledExtensionIsFromWebstore(
    content::BrowserContext* context) {
  const ExtensionSet installed =
      ExtensionRegistry::Get(context)->GenerateInstalledExtensionsSet();
  const auto from_webstore = [](const auto& extension) {
    return ExtensionIsFromWebstore(*extension);
  };
  return std::ranges::any_of(installed, from_webstore);
}

}  // namespace util
}  // namespace extensions