1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
|
// Copyright 2015 The Chromium Authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
#include "chrome/browser/extensions/scripting_permissions_modifier.h"
#include "base/bind_helpers.h"
#include "base/feature_list.h"
#include "chrome/browser/extensions/permissions_updater.h"
#include "content/public/common/url_constants.h"
#include "extensions/browser/extension_prefs.h"
#include "extensions/browser/extension_registry.h"
#include "extensions/common/extension.h"
#include "extensions/common/extension_features.h"
#include "extensions/common/manifest_handlers/permissions_parser.h"
#include "extensions/common/permissions/permission_set.h"
#include "extensions/common/permissions/permissions_data.h"
#include "extensions/common/user_script.h"
namespace extensions {
namespace {
// The entry into the ExtensionPrefs indicating that an extension should be
// granted all the requested host permissions without requiring explicit runtime
// permission from the user. The preference name is different for legacy
// reasons.
const char kGrantExtensionAllHostPermissionsPrefName[] =
"extension_can_script_all_urls";
// Returns true if Chrome can potentially withhold permissions from the
// extension.
bool CanWithholdFromExtension(const Extension& extension) {
// Some extensions must retain privilege to all requested host permissions.
// Specifically, extensions that don't show up in chrome:extensions (where
// withheld permissions couldn't be granted), extensions that are part of
// chrome or corporate policy, and extensions that are whitelisted to script
// everywhere must always have permission to run on a page.
return extension.ShouldDisplayInExtensionSettings() &&
!Manifest::IsPolicyLocation(extension.location()) &&
!Manifest::IsComponentLocation(extension.location()) &&
!PermissionsData::CanExecuteScriptEverywhere(extension.id(),
extension.location());
}
// Iterates over |requested_permissions| and adds any permissions that should
// be granted to |granted_permissions_out|. These include any non-host
// permissions or host permissions that are present in
// |runtime_granted_permissions|. |granted_permissions_out| may contain new
// patterns not found in either |requested_permissions| or
// |runtime_granted_permissions| in the case of overlapping host permissions
// (such as *://*.google.com/* and https://*/*, which would intersect with
// https://*.google.com/*).
void PartitionHostPermissions(
const PermissionSet& requested_permissions,
const PermissionSet& runtime_granted_permissions,
std::unique_ptr<const PermissionSet>* granted_permissions_out) {
auto segregate_url_permissions =
[](const URLPatternSet& requested_patterns,
const URLPatternSet& runtime_granted_patterns,
URLPatternSet* granted) {
*granted = URLPatternSet::CreateIntersection(
requested_patterns, runtime_granted_patterns,
URLPatternSet::IntersectionBehavior::kDetailed);
for (const URLPattern& pattern : requested_patterns) {
// The chrome://favicon permission is special. It is requested by
// extensions to access stored favicons, but is not a traditional
// host permission. Since it cannot be reasonably runtime-granted
// while the user is on the site (i.e., the user never visits
// chrome://favicon/), we auto-grant it and treat it like an API
// permission.
bool is_chrome_favicon =
pattern.host() == "favicon" && pattern.scheme() == "chrome";
if (is_chrome_favicon)
granted->AddPattern(pattern);
}
};
URLPatternSet granted_explicit_hosts;
URLPatternSet granted_scriptable_hosts;
segregate_url_permissions(requested_permissions.explicit_hosts(),
runtime_granted_permissions.explicit_hosts(),
&granted_explicit_hosts);
segregate_url_permissions(requested_permissions.scriptable_hosts(),
runtime_granted_permissions.scriptable_hosts(),
&granted_scriptable_hosts);
*granted_permissions_out = std::make_unique<PermissionSet>(
requested_permissions.apis().Clone(),
requested_permissions.manifest_permissions().Clone(),
granted_explicit_hosts, granted_scriptable_hosts);
}
// Returns true if the extension should even be considered for being affected
// by the runtime host permissions experiment.
bool ShouldConsiderExtension(const Extension& extension) {
// No extensions are affected if the experiment is disabled.
if (!base::FeatureList::IsEnabled(
extensions_features::kRuntimeHostPermissions))
return false;
// Certain extensions are always exempt from having permissions withheld.
if (!CanWithholdFromExtension(extension))
return false;
return true;
}
base::Optional<bool> GetWithholdPermissionsPrefValue(
const ExtensionPrefs& prefs,
const ExtensionId& id) {
bool permissions_allowed = false;
if (!prefs.ReadPrefAsBoolean(id, kGrantExtensionAllHostPermissionsPrefName,
&permissions_allowed)) {
return base::nullopt;
}
// NOTE: For legacy reasons, the preference stores whether the extension was
// allowed access to all its host permissions, rather than if Chrome should
// withhold permissions. Invert the boolean for backwards compatibility.
return !permissions_allowed;
}
void SetWithholdPermissionsPrefValue(ExtensionPrefs* prefs,
const ExtensionId& id,
bool should_withhold) {
// NOTE: For legacy reasons, the preference stores whether the extension was
// allowed access to all its host permissions, rather than if Chrome should
// withhold permissions. Invert the boolean for backwards compatibility.
bool permissions_allowed = !should_withhold;
prefs->UpdateExtensionPref(
id, kGrantExtensionAllHostPermissionsPrefName,
std::make_unique<base::Value>(permissions_allowed));
}
// Retrieves the effective list of runtime-granted permissions for a given
// |extension| from the |prefs|. ExtensionPrefs doesn't store the valid schemes
// for URLPatterns, which results in the chrome:-scheme being included for
// <all_urls> when retrieving it directly from the prefs; this then causes
// CHECKs to fail when validating that permissions being revoked are present
// (see https://crbug.com/930062).
// Returns null if there are no stored runtime-granted permissions.
// TODO(https://crbug.com/931881): ExtensionPrefs should return properly-bounded
// permissions.
std::unique_ptr<const PermissionSet> GetRuntimePermissionsFromPrefs(
const Extension& extension,
const ExtensionPrefs& prefs) {
std::unique_ptr<const PermissionSet> permissions =
prefs.GetRuntimeGrantedPermissions(extension.id());
// If there are no stored permissions, there's nothing to adjust.
if (!permissions)
return nullptr;
// If the extension is allowed to run on chrome:// URLs, then we don't have
// to adjust anything.
if (PermissionsData::AllUrlsIncludesChromeUrls(extension.id()))
return permissions;
// We need to adjust a pattern if it matches all URLs and includes the
// chrome:-scheme. These patterns would otherwise match hosts like
// chrome://settings, which should not be allowed.
// NOTE: We don't need to adjust for the file scheme, because
// ExtensionPrefs properly does that based on the extension's file access.
auto needs_chrome_scheme_adjustment = [](const URLPattern& pattern) {
return pattern.match_all_urls() &&
((pattern.valid_schemes() & URLPattern::SCHEME_CHROMEUI) != 0);
};
// NOTE: We don't need to check scriptable_hosts, because the default
// scriptable_hosts scheme mask omits the chrome:-scheme in normal
// circumstances (whereas the default explicit scheme does not, in order to
// allow for patterns like chrome://favicon).
bool needs_adjustment = std::any_of(permissions->explicit_hosts().begin(),
permissions->explicit_hosts().end(),
needs_chrome_scheme_adjustment);
// If no patterns need adjustment, return the original set.
if (!needs_adjustment)
return permissions;
// Otherwise, iterate over the explicit hosts, and modify any that need to be
// tweaked, adding back in permitted chrome:-scheme hosts. This logic mirrors
// that in PermissionsParser, and is also similar to logic in
// permissions_api_helpers::UnpackOriginPermissions(), and has some overlap
// to URLPatternSet::Populate().
// TODO(devlin): ^^ Ouch. Refactor so that this isn't duplicated.
URLPatternSet new_explicit_hosts;
for (const auto& pattern : permissions->explicit_hosts()) {
if (!needs_chrome_scheme_adjustment(pattern)) {
new_explicit_hosts.AddPattern(pattern);
continue;
}
URLPattern new_pattern(pattern);
int new_valid_schemes =
pattern.valid_schemes() & ~URLPattern::SCHEME_CHROMEUI;
new_pattern.SetValidSchemes(new_valid_schemes);
new_explicit_hosts.AddPattern(std::move(new_pattern));
}
return std::make_unique<PermissionSet>(
permissions->apis().Clone(), permissions->manifest_permissions().Clone(),
std::move(new_explicit_hosts), permissions->scriptable_hosts());
}
} // namespace
ScriptingPermissionsModifier::ScriptingPermissionsModifier(
content::BrowserContext* browser_context,
const scoped_refptr<const Extension>& extension)
: browser_context_(browser_context),
extension_(extension),
extension_prefs_(ExtensionPrefs::Get(browser_context_)) {
DCHECK(extension_);
}
ScriptingPermissionsModifier::~ScriptingPermissionsModifier() {}
void ScriptingPermissionsModifier::SetWithholdHostPermissions(
bool should_withhold) {
DCHECK(CanAffectExtension());
if (HasWithheldHostPermissions() == should_withhold)
return;
// Set the pref first, so that listeners for permission changes get the proper
// value if they query HasWithheldHostPermissions().
SetWithholdPermissionsPrefValue(extension_prefs_, extension_->id(),
should_withhold);
if (should_withhold)
WithholdHostPermissions();
else
GrantWithheldHostPermissions();
}
bool ScriptingPermissionsModifier::HasWithheldHostPermissions() const {
DCHECK(CanAffectExtension());
base::Optional<bool> pref_value =
GetWithholdPermissionsPrefValue(*extension_prefs_, extension_->id());
if (!pref_value.has_value()) {
// If there is no value present, default to false.
return false;
}
return *pref_value;
}
bool ScriptingPermissionsModifier::CanAffectExtension() const {
if (!ShouldConsiderExtension(*extension_))
return false;
// The extension can be affected if it currently has host permissions, or if
// it did and they are actively withheld.
return !extension_->permissions_data()
->active_permissions()
.effective_hosts()
.is_empty() ||
!extension_->permissions_data()
->withheld_permissions()
.effective_hosts()
.is_empty();
}
ScriptingPermissionsModifier::SiteAccess
ScriptingPermissionsModifier::GetSiteAccess(const GURL& url) const {
SiteAccess access;
ExtensionPrefs* prefs = ExtensionPrefs::Get(browser_context_);
// Awkward holder object because permission sets are immutable, and when
// return from prefs, ownership is passed.
std::unique_ptr<const PermissionSet> permission_holder;
const PermissionSet* granted_permissions = nullptr;
if (!HasWithheldHostPermissions()) {
// If the extension doesn't have any withheld permissions, we look at the
// current active permissions.
// TODO(devlin): This is clunky. It would be nice to have runtime-granted
// permissions be correctly populated in all cases, rather than looking at
// two different sets.
// TODO(devlin): This won't account for granted permissions that aren't
// currently active, even though the extension may re-request them (and be
// silently granted them) at any time.
granted_permissions = &extension_->permissions_data()->active_permissions();
} else {
permission_holder = GetRuntimePermissionsFromPrefs(*extension_, *prefs);
granted_permissions = permission_holder.get();
}
DCHECK(granted_permissions);
const bool is_restricted_site =
extension_->permissions_data()->IsRestrictedUrl(url, /*error=*/nullptr);
// For indicating whether an extension has access to a site, we look at the
// granted permissions, which could include patterns that weren't explicitly
// requested. However, we should still indicate they are granted, so that the
// user can revoke them (and because if the extension does request them and
// they are already granted, they are silently added).
// The extension should never have access to restricted sites (even if a
// pattern matches, as it may for e.g. the webstore).
if (!is_restricted_site &&
granted_permissions->effective_hosts().MatchesSecurityOrigin(url)) {
access.has_site_access = true;
}
const PermissionSet& withheld_permissions =
extension_->permissions_data()->withheld_permissions();
// Be sure to check |access.has_site_access| in addition to withheld
// permissions, so that we don't indicate we've withheld permission if an
// extension is granted https://a.com/*, but has *://*/* withheld.
// We similarly don't show access as withheld for restricted sites, since
// withheld permissions should only include those that are conceivably
// grantable.
if (!is_restricted_site && !access.has_site_access &&
withheld_permissions.effective_hosts().MatchesSecurityOrigin(url)) {
access.withheld_site_access = true;
}
constexpr bool include_api_permissions = false;
if (granted_permissions->ShouldWarnAllHosts(include_api_permissions))
access.has_all_sites_access = true;
if (withheld_permissions.ShouldWarnAllHosts(include_api_permissions) &&
!access.has_all_sites_access) {
access.withheld_all_sites_access = true;
}
return access;
}
void ScriptingPermissionsModifier::GrantHostPermission(const GURL& url) {
DCHECK(CanAffectExtension());
// Check that we don't grant host permission to a restricted URL.
DCHECK(
!extension_->permissions_data()->IsRestrictedUrl(url, /*error=*/nullptr))
<< "Cannot grant access to a restricted URL.";
URLPatternSet explicit_hosts;
explicit_hosts.AddOrigin(Extension::kValidHostPermissionSchemes, url);
URLPatternSet scriptable_hosts;
scriptable_hosts.AddOrigin(UserScript::ValidUserScriptSchemes(), url);
PermissionsUpdater(browser_context_)
.GrantRuntimePermissions(
*extension_,
PermissionSet(APIPermissionSet(), ManifestPermissionSet(),
explicit_hosts, scriptable_hosts),
base::DoNothing::Once());
}
bool ScriptingPermissionsModifier::HasGrantedHostPermission(
const GURL& url) const {
DCHECK(CanAffectExtension());
return GetRuntimePermissionsFromPrefs(*extension_, *extension_prefs_)
->effective_hosts()
.MatchesSecurityOrigin(url);
}
void ScriptingPermissionsModifier::RemoveGrantedHostPermission(
const GURL& url) {
DCHECK(CanAffectExtension());
DCHECK(HasGrantedHostPermission(url));
ExtensionPrefs* prefs = ExtensionPrefs::Get(browser_context_);
std::unique_ptr<const PermissionSet> runtime_permissions =
GetRuntimePermissionsFromPrefs(*extension_, *prefs);
URLPatternSet explicit_hosts;
for (const auto& pattern : runtime_permissions->explicit_hosts()) {
if (pattern.MatchesSecurityOrigin(url))
explicit_hosts.AddPattern(pattern);
}
URLPatternSet scriptable_hosts;
for (const auto& pattern : runtime_permissions->scriptable_hosts()) {
if (pattern.MatchesSecurityOrigin(url))
scriptable_hosts.AddPattern(pattern);
}
PermissionsUpdater(browser_context_)
.RevokeRuntimePermissions(
*extension_,
PermissionSet(APIPermissionSet(), ManifestPermissionSet(),
explicit_hosts, scriptable_hosts),
base::DoNothing::Once());
}
void ScriptingPermissionsModifier::RemoveAllGrantedHostPermissions() {
DCHECK(CanAffectExtension());
WithholdHostPermissions();
}
// static
void ScriptingPermissionsModifier::WithholdPermissionsIfNecessary(
const Extension& extension,
const ExtensionPrefs& extension_prefs,
const PermissionSet& permissions,
std::unique_ptr<const PermissionSet>* granted_permissions_out) {
bool should_withhold = false;
if (ShouldConsiderExtension(extension)) {
base::Optional<bool> pref_value =
GetWithholdPermissionsPrefValue(extension_prefs, extension.id());
should_withhold = pref_value.has_value() && pref_value.value() == true;
}
should_withhold &= !permissions.effective_hosts().is_empty();
if (!should_withhold) {
*granted_permissions_out = permissions.Clone();
return;
}
// Only grant host permissions that the user has explicitly granted at
// runtime through the runtime host permissions feature or the optional
// permissions API.
std::unique_ptr<const PermissionSet> runtime_granted_permissions =
GetRuntimePermissionsFromPrefs(extension, extension_prefs);
PartitionHostPermissions(permissions, *runtime_granted_permissions,
granted_permissions_out);
}
std::unique_ptr<const PermissionSet>
ScriptingPermissionsModifier::GetRevokablePermissions() const {
// No extra revokable permissions if the extension couldn't ever be affected.
if (!ShouldConsiderExtension(*extension_))
return nullptr;
// If we aren't withholding host permissions, then there may be some
// permissions active on the extension that should be revokable. Otherwise,
// all granted permissions should be stored in the preferences (and these
// can be a superset of permissions on the extension, as in the case of e.g.
// granting origins when only a subset is requested by the extension).
// TODO(devlin): This is confusing and subtle. We should instead perhaps just
// add all requested hosts as runtime-granted hosts if we aren't withholding
// host permissions.
const PermissionSet* current_granted_permissions = nullptr;
std::unique_ptr<const PermissionSet> runtime_granted_permissions =
GetRuntimePermissionsFromPrefs(*extension_, *extension_prefs_);
std::unique_ptr<const PermissionSet> union_set;
if (runtime_granted_permissions) {
union_set = PermissionSet::CreateUnion(
*runtime_granted_permissions,
extension_->permissions_data()->active_permissions());
current_granted_permissions = union_set.get();
} else {
current_granted_permissions =
&extension_->permissions_data()->active_permissions();
}
// Revokable permissions are those that would be withheld if there were no
// runtime-granted permissions.
PermissionSet empty_runtime_granted_permissions;
std::unique_ptr<const PermissionSet> granted_permissions;
PartitionHostPermissions(*current_granted_permissions,
empty_runtime_granted_permissions,
&granted_permissions);
return PermissionSet::CreateDifference(*current_granted_permissions,
*granted_permissions);
}
void ScriptingPermissionsModifier::GrantWithheldHostPermissions() {
const PermissionSet& withheld =
extension_->permissions_data()->withheld_permissions();
PermissionSet permissions(APIPermissionSet(), ManifestPermissionSet(),
withheld.explicit_hosts(),
withheld.scriptable_hosts());
PermissionsUpdater(browser_context_)
.GrantRuntimePermissions(*extension_, permissions,
base::DoNothing::Once());
}
void ScriptingPermissionsModifier::WithholdHostPermissions() {
PermissionsUpdater(browser_context_)
.RevokeRuntimePermissions(*extension_, *GetRevokablePermissions(),
base::DoNothing::Once());
}
} // namespace extensions
|
