Google Git
Sign in
chromium / chromium / src.git / main / . / extensions / common / content_script_injection_url_getter.cc
blob: 11af719230431cda92598e968b57902d4a744498 [file] [log] [blame]
// Copyright 2021 The Chromium Authors
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
#include "extensions/common/content_script_injection_url_getter.h"
#include "base/containers/contains.h"
#include "base/containers/flat_set.h"
#include "base/notreached.h"
#include "base/trace_event/typed_macros.h"
#include "extensions/common/mojom/match_origin_as_fallback.mojom-shared.h"
#include "url/scheme_host_port.h"
namespace extensions {
// static
GURL ContentScriptInjectionUrlGetter::Get(
const FrameContextData& context_data,
const GURL& document_url,
mojom::MatchOriginAsFallbackBehavior match_origin_as_fallback,
bool allow_inaccessible_parents) {
// The following schemes are considered for opaque origins if the
// `match_origin_as_fallback` behavior is to always match.
// NOTE(devlin): This isn't an exhaustive list of schemes: some schemes may
// be missing, or more schemes may be added in the future. Would it make
// sense to turn this into a blocklist? Just doing this for all opaque
// schemes *should* be safe, since We still have a permission check against
// the precursor origin. This would only be a problem if an
// extension-accessible precursor origin can create an opaque-origin frame
// that *shouldn't* be accessible.
static const char* const kAllowedSchemesToMatchOriginAsFallback[] = {
url::kAboutScheme,
url::kBlobScheme,
url::kDataScheme,
url::kFileSystemScheme,
};
// TODO(crbug.com/40055997): Consider reducing tracing instrumentation
// in the main function bodu and in the lambda below (once the bug is
// understood and fixed).
auto should_consider_origin = [&document_url, match_origin_as_fallback]() {
bool result = false;
switch (match_origin_as_fallback) {
case mojom::MatchOriginAsFallbackBehavior::kNever: {
TRACE_EVENT_INSTANT("extensions",
"ContentScriptInjectionUrlGetter::Get/"
"should_consider_origin: origin-never");
result = false;
break;
}
case mojom::MatchOriginAsFallbackBehavior::
kMatchForAboutSchemeAndClimbTree: {
TRACE_EVENT_INSTANT("extensions",
"ContentScriptInjectionUrlGetter::Get/"
"should_consider_origin: origin-climb");
result = document_url.SchemeIs(url::kAboutScheme);
break;
}
case mojom::MatchOriginAsFallbackBehavior::kAlways: {
TRACE_EVENT_INSTANT("extensions",
"ContentScriptInjectionUrlGetter::Get/"
"should_consider_origin: origin-always");
result = base::Contains(kAllowedSchemesToMatchOriginAsFallback,
document_url.GetScheme());
break;
}
}
if (result) {
TRACE_EVENT_INSTANT("extensions",
"ContentScriptInjectionUrlGetter::Get/"
"should_consider_origin=true");
} else {
TRACE_EVENT_INSTANT("extensions",
"ContentScriptInjectionUrlGetter::Get/"
"should_consider_origin=false");
}
return result;
};
// If we don't need to consider the origin, we're done.
if (!should_consider_origin()) {
TRACE_EVENT_INSTANT(
"extensions", "ContentScriptInjectionUrlGetter::Get/!consider-origin");
return document_url;
}
// Get the security origin for the `frame`. For about: frames, this is the
// origin of that of the controlling frame - e.g., an about:blank frame on
// https://example.com will have the security origin of https://example.com.
// Other frames, like data: frames, will have an opaque origin. For these,
// we can get the precursor origin.
const url::Origin frame_origin = context_data.GetOrigin();
const url::SchemeHostPort& tuple_or_precursor_tuple =
frame_origin.GetTupleOrPrecursorTupleIfOpaque();
// When there's no valid tuple (which can happen in the case of e.g. a
// browser-initiated navigation to an opaque URL), there's no origin to
// fallback to. Bail.
if (!tuple_or_precursor_tuple.IsValid()) {
TRACE_EVENT_INSTANT("extensions",
"ContentScriptInjectionUrlGetter::Get/invalid-tuple");
return document_url;
}
const url::Origin origin_or_precursor_origin =
url::Origin::Create(tuple_or_precursor_tuple.GetURL());
if (!allow_inaccessible_parents &&
!context_data.CanAccess(origin_or_precursor_origin)) {
// The `context_data` can't access its precursor. Bail.
TRACE_EVENT_INSTANT(
"extensions",
"ContentScriptInjectionUrlGetter::Get/no-precursor-access");
return document_url;
}
// Note: Just because the frame origin can theoretically access its
// precursor origin, there may be more restrictions in practice - such as
// if the frame has the disallowdocumentaccess attribute. It's okay to
// ignore this case for context classification because it's not meant as an
// origin boundary (unlike e.g. a sandboxed frame).
// Looks like the initiator origin is an appropriate fallback!
if (match_origin_as_fallback ==
mojom::MatchOriginAsFallbackBehavior::kAlways) {
// The easy case! We use the origin directly. We're done.
TRACE_EVENT_INSTANT(
"extensions",
"ContentScriptInjectionUrlGetter::Get/origin-or-precursor");
return origin_or_precursor_origin.GetURL();
}
DCHECK_EQ(
mojom::MatchOriginAsFallbackBehavior::kMatchForAboutSchemeAndClimbTree,
match_origin_as_fallback);
// Unfortunately, in this case, we have to climb the frame tree. This is for
// match patterns that are associated with paths as well, not just origins.
// For instance, if an extension wants to run on google.com/maps/* with
// match_about_blank true, then it should run on about:-scheme frames created
// by google.com/maps, but not about:-scheme frames created by google.com
// (which is what the precursor tuple origin would be).
// Traverse the frame/window hierarchy to find the closest non-about:-page
// with the same origin as the precursor and return its URL.
// TODO(crbug.com/40753677): This can return the incorrect result, e.g.
// if a parent frame navigates a grandchild frame to about:blank.
std::unique_ptr<FrameContextData> parent_context_data =
context_data.CloneFrameContextData();
GURL parent_url;
base::flat_set<uintptr_t> already_visited_frame_ids;
do {
already_visited_frame_ids.insert(parent_context_data->GetId());
parent_context_data = parent_context_data->GetLocalParentOrOpener();
// We reached the end of the ancestral chain without finding a valid parent,
// or found a remote web frame (in which case, it's a different origin).
// Bail and use the original URL.
if (!parent_context_data) {
TRACE_EVENT_INSTANT(
"extensions", "ContentScriptInjectionUrlGetter::Get/no-more-parents");
return document_url;
}
// Avoid an infinite loop - see https://crbug.com/568432 and
// https://crbug.com/883526.
if (base::Contains(already_visited_frame_ids,
parent_context_data->GetId())) {
TRACE_EVENT_INSTANT("extensions",
"ContentScriptInjectionUrlGetter::Get/infinite-loop");
return document_url;
}
url::SchemeHostPort parent_tuple_or_precursor_tuple =
url::Origin(parent_context_data->GetOrigin())
.GetTupleOrPrecursorTupleIfOpaque();
if (!parent_tuple_or_precursor_tuple.IsValid() ||
parent_tuple_or_precursor_tuple != tuple_or_precursor_tuple) {
// The parent has a different tuple origin than frame; this could happen
// in edge cases where a parent navigates an iframe or popup of a child
// frame at a different origin. [1] In this case, bail, since we can't
// find a full URL (i.e., one including the path) with the same security
// origin to use for the frame in question.
// [1] Consider a frame tree like:
// <html> <!--example.com-->
// <iframe id="a" src="a.com">
// <iframe id="b" src="b.com"></iframe>
// </iframe>
// </html>
// Frame "a" is cross-origin from the top-level frame, and so the
// example.com top-level frame can't directly access frame "b". However,
// it can navigate it through
// window.frames[0].frames[0].location.href = 'about:blank';
// In that case, the precursor origin tuple origin of frame "b" would be
// example.com, but the parent tuple origin is a.com.
// Note that usually, this would have bailed earlier with a remote frame,
// but it may not if we're at the process limit.
TRACE_EVENT_INSTANT("extensions",
"ContentScriptInjectionUrlGetter::Get/tuple-diff");
return document_url;
}
// If we don't allow inaccessible parents, the security origin may still
// be restricted if the author has prevented same-origin access via the
// disallowdocumentaccess attribute on iframe.
if (!allow_inaccessible_parents &&
!context_data.CanAccess(*parent_context_data)) {
// The frame can't access its precursor. Bail.
TRACE_EVENT_INSTANT(
"extensions",
"ContentScriptInjectionUrlGetter::Get/no-parent-access");
return document_url;
}
parent_url = parent_context_data->GetUrl();
} while (parent_url.SchemeIs(url::kAboutScheme));
DCHECK(!parent_url.is_empty());
// We should know that the frame can access the parent document (unless we
// explicitly allow it not to), since it has the same tuple origin as the
// frame, and we checked the frame access above.
TRACE_EVENT_INSTANT("extensions",
"ContentScriptInjectionUrlGetter::Get/parent-url");
DCHECK(allow_inaccessible_parents ||
context_data.CanAccess(parent_context_data->GetOrigin()));
return parent_url;
}
} // namespace extensions