Extensions: Policy blocked hosts supersede `debugger` permission

Bug: 1139156
Change-Id: Iade012ca814b872d156763b034fbc2be1a647502
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2803843
Commit-Queue: Solomon Kinard <[email protected]>
Reviewed-by: Karan Bhatia <[email protected]>
Reviewed-by: Devlin <[email protected]>
Cr-Commit-Position: refs/heads/master@{#870242}
diff --git a/chrome/browser/extensions/api/debugger/debugger_api.cc b/chrome/browser/extensions/api/debugger/debugger_api.cc
index a0c6dfe6..cfd5e2c 100644
--- a/chrome/browser/extensions/api/debugger/debugger_api.cc
+++ b/chrome/browser/extensions/api/debugger/debugger_api.cc
@@ -105,6 +105,10 @@
   if (extension.permissions_data()->IsRestrictedUrl(url, error))
     return false;
 
+  // Policy blocked hosts supersede the `debugger` permission.
+  if (extension.permissions_data()->IsPolicyBlockedHost(url))
+    return false;
+
   if (url.SchemeIsFile() && !util::AllowFileAccess(extension.id(), profile)) {
     *error = debugger_api_constants::kRestrictedError;
     return false;
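Review bot: The new `IsPolicyBlockedHost(url)` branch returns false without writing to `*error`, whereas the `IsRestrictedUrl(url, error)` call above receives the out-parameter and the file-access branch below assigns `debugger_api_constants::kRestrictedError`. A caller that reports `*error` back to the extension would then surface an empty or stale message for a policy denial, and the denial becomes harder to identify in logs. Consider adding `*error = debugger_api_constants::kRestrictedError;` before the `return false;`, or a policy-specific message if the project has one. The same applies to the `||` condition added in the second hunk of this file (new line 474 onward), where a policy-blocked background host also returns with `error` untouched. The enclosing function starts and ends outside the hunk.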
@@ -470,8 +474,9 @@
         ProcessManager::Get(browser_context())
             ->GetBackgroundHostForExtension(*debuggee_.extension_id);
     if (extension_host) {
-      if (extension()->permissions_data()->IsRestrictedUrl(
-              extension_host->GetLastCommittedURL(), error)) {
+      const GURL& url = extension_host->GetLastCommittedURL();
+      if (extension()->permissions_data()->IsRestrictedUrl(url, error) ||
+          extension()->permissions_data()->IsPolicyBlockedHost(url)) {
         return false;
       }
       agent_host_ =
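Review bot: The policy check is evaluated once, against `extension_host->GetLastCommittedURL()` at attach time, and nothing visible in this hunk shows what happens if the host is added to the policy blocklist after the debugger is already attached. If that case is handled elsewhere, a short comment would make the boundary explicit, e.g. `// Attach-time check only; already-attached sessions are not re-evaluated here.` If it is not handled, it is worth confirming whether a policy update should detach existing sessions. The enclosing function starts and ends outside the hunk.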
diff --git a/chrome/browser/extensions/api/debugger/debugger_apitest.cc b/chrome/browser/extensions/api/debugger/debugger_apitest.cc
index 425430d..30c4588 100644
--- a/chrome/browser/extensions/api/debugger/debugger_apitest.cc
+++ b/chrome/browser/extensions/api/debugger/debugger_apitest.cc
@@ -17,6 +17,7 @@
 #include "chrome/browser/extensions/api/debugger/extension_dev_tools_infobar_delegate.h"
 #include "chrome/browser/extensions/extension_apitest.h"
 #include "chrome/browser/extensions/extension_function_test_utils.h"
+#include "chrome/browser/extensions/extension_management_test_util.h"
 #include "chrome/browser/infobars/infobar_service.h"
 #include "chrome/browser/ui/tabs/tab_strip_model.h"
 #include "chrome/common/chrome_paths.h"
@@ -24,6 +25,7 @@
 #include "chrome/test/base/ui_test_utils.h"
 #include "components/infobars/core/infobar.h"
 #include "components/infobars/core/infobar_delegate.h"
+#include "components/policy/core/common/mock_configuration_policy_provider.h"
 #include "components/sessions/content/session_tab_helper.h"
 #include "content/public/test/browser_test.h"
 #include "content/public/test/browser_test_utils.h"
@@ -420,6 +422,19 @@
   EXPECT_EQ(1u, service->infobar_count());
 }
 
+// Tests that policy blocked hosts supersede the `debugger`
+// permission. Regression test for crbug.com/1139156.
+IN_PROC_BROWSER_TEST_F(DebuggerApiTest, TestDefaultPolicyBlockedHosts) {
+  ASSERT_TRUE(embedded_test_server()->Start());
+  GURL url("https://example.com");
+  EXPECT_TRUE(RunAttachFunction(url, std::string()));
+  policy::MockConfigurationPolicyProvider policy_provider;
+  ExtensionManagementPolicyUpdater pref(&policy_provider);
+  pref.AddPolicyBlockedHost("*", url.spec());
+  EXPECT_FALSE(
+      RunAttachFunction(url, manifest_errors::kCannotAccessExtensionUrl));
+}
+
 class DebuggerExtensionApiTest : public ExtensionApiTest {
  public:
   void SetUpOnMainThread() override {
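Review bot: `TestDefaultPolicyBlockedHosts` may not be exercising the new policy branch. It expects `manifest_errors::kCannotAccessExtensionUrl`, but the `IsPolicyBlockedHost` branch added in debugger_api.cc returns without setting any error string. In addition, `policy_provider` is a stack local that is not visibly registered with the browser's policy service, and `pref` is still alive when the second `RunAttachFunction` runs; if the updater only commits in its destructor (not visible here, please confirm), the blocklist is not yet applied at that point. Consider scoping the updater, `{ ExtensionManagementPolicyUpdater pref(&policy_provider); pref.AddPolicyBlockedHost("*", url.spec()); }`, using a provider installed by the fixture, and asserting the error the policy path actually produces. It is also worth checking that `url.spec()` (a full URL with a trailing slash) is the host-pattern form `AddPolicyBlockedHost` expects.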