Revert change that disallowed content scripts access to
file:// URLs. It turns out teams were already depending on
this and we didn't want to break them.
Instead, group file:// access with NPAPI in the extension
install prompt.
Note: this is a pure revert of r402029 and r402069 (sorry
Finnur!) except the changes in extension_install_ui.cc,
which are new.
BUG=28456
Review URL: http://codereview.chromium.org/430003
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@32770 0039d316-1c4b-4281-b951-d872f2087c98
diff --git a/chrome/browser/extensions/extension_install_ui.cc b/chrome/browser/extensions/extension_install_ui.cc
index c89a9fa..72a7c1e 100644
--- a/chrome/browser/extensions/extension_install_ui.cc
+++ b/chrome/browser/extensions/extension_install_ui.cc
@@ -21,6 +21,7 @@
#endif // TOOLKIT_VIEWS
#include "chrome/common/extensions/extension.h"
#include "chrome/common/notification_service.h"
+#include "chrome/common/url_constants.h"
#include "grit/browser_resources.h"
#include "grit/chromium_strings.h"
#include "grit/generated_resources.h"
@@ -39,6 +40,25 @@
if (!extension->plugins().empty())
return l10n_util::GetString(IDS_EXTENSION_PROMPT_WARNING_NEW_FULL_ACCESS);
+ // We also show the severe warning if the extension has access to any file://
+ // URLs. They aren't *quite* as dangerous as full access to the system via
+ // NPAPI, but pretty dang close. Content scripts are currently the only way
+ // that extension can get access to file:// URLs.
+ for (UserScriptList::const_iterator script =
+ extension->content_scripts().begin();
+ script != extension->content_scripts().end();
+ ++script) {
+ for (UserScript::PatternList::const_iterator pattern =
+ script->url_patterns().begin();
+ pattern != script->url_patterns().end();
+ ++pattern) {
+ if (pattern->scheme() == chrome::kFileScheme) {
+ return l10n_util::GetString(
+ IDS_EXTENSION_PROMPT_WARNING_NEW_FULL_ACCESS);
+ }
+ }
+ }
+
// Otherwise, we go in descending order of severity: all hosts, several hosts,
// a single host, no hosts. For each of these, we also have a variation of the
// message for when api permissions are also requested.
diff --git a/chrome/browser/extensions/extension_startup_unittest.cc b/chrome/browser/extensions/extension_startup_unittest.cc
index f076b37..00089ae3 100644
--- a/chrome/browser/extensions/extension_startup_unittest.cc
+++ b/chrome/browser/extensions/extension_startup_unittest.cc
@@ -131,9 +131,12 @@
void TestInjection(bool expect_css, bool expect_script) {
// Load a page affected by the content script and test to see the effect.
- HTTPTestServer* server = StartHTTPServer();
- GURL url = server->TestServerPage("file/extensions/test_file.html");
- ui_test_utils::NavigateToURL(browser(), url);
+ FilePath test_file;
+ PathService::Get(chrome::DIR_TEST_DATA, &test_file);
+ test_file = test_file.AppendASCII("extensions")
+ .AppendASCII("test_file.html");
+
+ ui_test_utils::NavigateToURL(browser(), net::FilePathToFileURL(test_file));
bool result = false;
ui_test_utils::ExecuteJavaScriptAndExtractBool(
diff --git a/chrome/browser/extensions/extensions_service_unittest.cc b/chrome/browser/extensions/extensions_service_unittest.cc
index 50247577..f9af689 100644
--- a/chrome/browser/extensions/extensions_service_unittest.cc
+++ b/chrome/browser/extensions/extensions_service_unittest.cc
@@ -539,11 +539,11 @@
extension->toolstrips();
ASSERT_EQ(2u, scripts.size());
EXPECT_EQ(3u, scripts[0].url_patterns().size());
- EXPECT_EQ("http://*.google.com/*",
+ EXPECT_EQ("file://*",
scripts[0].url_patterns()[0].GetAsString());
- EXPECT_EQ("https://*.google.com/*",
+ EXPECT_EQ("http://*.google.com/*",
scripts[0].url_patterns()[1].GetAsString());
- EXPECT_EQ("http://localhost/*",
+ EXPECT_EQ("https://*.google.com/*",
scripts[0].url_patterns()[2].GetAsString());
EXPECT_EQ(2u, scripts[0].js_scripts().size());
ExtensionResource resource00(scripts[0].js_scripts()[0].extension_root(),
