Click to script: Don't show wants-to-run UI for cross-origin requests.
Issue description

Consider that an extension has withheld access to a.com and no access to example.com. Now we load example.com and it makes a request to a.com. The extension's badge will be updated to the wants-to-run state. This is incorrect, since even if we click the page and grant it active-tab access, the extension won't be able to intercept the request. It will retain the wants-to-run UI. Also, note that at least in this case, there would be no way to grant access to the extension on the page using the extension action context menu (since the extension didn't request access to example.com).

Fixing this should be pretty simple. We should not add a request to the set of withheld requests on ExtensionActionRunner, if the request's origin isn't the same as the web contents origin.
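A simplified model of the badging decision described in this issue, added here as an illustration; it is not Chromium's code. The type and function names are hypothetical, origins are plain strings, and the rule that a click grants only the tab's origin (and only if the extension requested it) is taken from the commit message on this page.

```cpp
// Added illustration: simplified model, not Chromium source.
#include <iostream>
#include <set>
#include <string>

using Origin = std::string;  // scheme + host (+ port), e.g. "https://a.com"

struct Extension {
  std::set<Origin> granted;   // origins the extension can access right now
  std::set<Origin> withheld;  // origins it requested that are withheld
};

bool CanIntercept(const Extension& ext, const Origin& request) {
  return ext.granted.count(request) > 0;
}

bool IsWithheld(const Extension& ext, const Origin& request) {
  return !CanIntercept(ext, request) && ext.withheld.count(request) > 0;
}

// Clicking the action grants the tab's origin only, and only if the
// extension requested it (assumption taken from the commit message).
Extension AfterClick(Extension ext, const Origin& tab) {
  if (ext.withheld.erase(tab) > 0) ext.granted.insert(tab);
  return ext;
}

// Old behaviour: any withheld request badges the extension.
bool ShouldBadgeBeforeFix(const Extension& ext, const Origin& /*tab*/,
                          const Origin& request) {
  return IsWithheld(ext, request);
}

// Fixed behaviour: badge only when the request is same-origin with the tab,
// i.e. when a click could actually unblock it.
bool ShouldBadgeAfterFix(const Extension& ext, const Origin& tab,
                         const Origin& request) {
  return IsWithheld(ext, request) && request == tab;
}

int main() {
  Extension ext{{}, {"https://a.com"}};  // constructed sample state
  const Origin tab = "https://example.com", req = "https://a.com";
  std::cout << "before fix badge: " << ShouldBadgeBeforeFix(ext, tab, req)
            << ", after fix badge: " << ShouldBadgeAfterFix(ext, tab, req)
            << ", interceptable after click: "
            << CanIntercept(AfterClick(ext, tab), req) << "\n";
}
```

In this model the fixed predicate is true exactly when a click would make the withheld request interceptable, which is the "actionable" property the fix restores.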
Oct 5
This should be fixed with #1. We may want to merge this, since it's a pretty small fix. Adding a next action date for Monday when I can verify on Canary.
Oct 8
The NextAction date has arrived: 2018-10-08
Oct 8
Verified on canary; requesting merge.
Oct 8
This bug requires manual review: We are only 7 days from stable.
Please contact the milestone owner if you have questions.
Owners: benmason@(Android), kariahda@(iOS), geohsu@(ChromeOS), abdulsyed@(Desktop)

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Oct 8
Oct 8
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/49bd5ede841dd0cf50157c9fd4b564340d328daf

commit 49bd5ede841dd0cf50157c9fd4b564340d328daf
Author: Devlin Cronin <rdevlin.cronin@chromium.org>
Date: Mon Oct 08 20:19:44 2018

[Merge M70][Extensions Click-to-Script] Don't badge for withheld cross-origin requests

If an extension using the webRequest API has access to a.com, and the user visits b.com, and b.com requests a script from a.com, the request will be withheld from the extension. However, we shouldn't badge the extension as wanting to run in this scenario, since invoking the extension won't grant access to a.com (because it's not the tab's origin) or b.com (because the extension didn't request access). Thus, the extension still won't be able to intercept the request.

Because there's no actionable behavior, don't badge.

Add a test for the same.

TBR=karandeepb@chromium.org

(cherry picked from commit 5c98bfc2fe10499098035269b4f7e320b10d68cb)

Bug: 891586
Change-Id: Ic4f402df7fa75836f1e06f6ba04d18f153f65431
Reviewed-on: https://chromium-review.googlesource.com/c/1260211
Commit-Queue: Devlin <rdevlin.cronin@chromium.org>
Reviewed-by: Karan Bhatia <karandeepb@chromium.org>
Cr-Original-Commit-Position: refs/heads/master@{#596968}
Reviewed-on: https://chromium-review.googlesource.com/c/1269179
Reviewed-by: Devlin <rdevlin.cronin@chromium.org>
Cr-Commit-Position: refs/branch-heads/3538@{#902}
Cr-Branched-From: 79f7c91a2b2a2932cd447fa6f865cb6662fa8fa6-refs/heads/master@{#587811}

[modify] https://crrev.com/49bd5ede841dd0cf50157c9fd4b564340d328daf/chrome/browser/extensions/api/web_request/chrome_extension_web_request_event_router_delegate.cc
[modify] https://crrev.com/49bd5ede841dd0cf50157c9fd4b564340d328daf/chrome/browser/extensions/api/web_request/web_request_apitest.cc
[add] https://crrev.com/49bd5ede841dd0cf50157c9fd4b564340d328daf/chrome/test/data/extensions/empty_script.js
Oct 8
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/49bd5ede841dd0cf50157c9fd4b564340d328daf

Commit: 49bd5ede841dd0cf50157c9fd4b564340d328daf
Author: rdevlin.cronin@chromium.org
Commiter: rdevlin.cronin@chromium.org
Date: 2018-10-08 20:19:44 +0000 UTC

[Merge M70][Extensions Click-to-Script] Don't badge for withheld cross-origin requests

If an extension using the webRequest API has access to a.com, and the user visits b.com, and b.com requests a script from a.com, the request will be withheld from the extension. However, we shouldn't badge the extension as wanting to run in this scenario, since invoking the extension won't grant access to a.com (because it's not the tab's origin) or b.com (because the extension didn't request access). Thus, the extension still won't be able to intercept the request.

Because there's no actionable behavior, don't badge.

Add a test for the same.

TBR=karandeepb@chromium.org

(cherry picked from commit 5c98bfc2fe10499098035269b4f7e320b10d68cb)

Bug: 891586
Change-Id: Ic4f402df7fa75836f1e06f6ba04d18f153f65431
Reviewed-on: https://chromium-review.googlesource.com/c/1260211
Commit-Queue: Devlin <rdevlin.cronin@chromium.org>
Reviewed-by: Karan Bhatia <karandeepb@chromium.org>
Cr-Original-Commit-Position: refs/heads/master@{#596968}
Reviewed-on: https://chromium-review.googlesource.com/c/1269179
Reviewed-by: Devlin <rdevlin.cronin@chromium.org>
Cr-Commit-Position: refs/branch-heads/3538@{#902}
Cr-Branched-From: 79f7c91a2b2a2932cd447fa6f865cb6662fa8fa6-refs/heads/master@{#587811}
Comment 1 by bugdroid1@chromium.org, Oct 5