[Extensions] Require a scrub tab behavior for CreateTabObject

CreateTabObject() creates an object to pass to an extension representing
a given tab. Depending on whether the tab has permission to see the
user's tabs or the specific tab, this may include URL, title, and
favicon (but shouldn't if the extension doesn't have that permission).
There were multiple CreateTabObject() methods in ExtensionTabUtil(), and
it was easy to get them mixed up. Combine these methods so that all
require an explicit argument specifying scrubbing behavior. Also fix an
instance in tabs.discard where the scrubbing behavior was incorrect.

Bug: 809253
Change-Id: I1ed77fd0323dc261de3214db2e405db2e95cb9ae
Reviewed-on: https://chromium-review.googlesource.com/902928
Commit-Queue: Devlin <[email protected]>
Reviewed-by: Karan Bhatia <[email protected]>
Cr-Commit-Position: refs/heads/master@{#535564}
diff --git a/chrome/browser/extensions/extension_tab_util.h b/chrome/browser/extensions/extension_tab_util.h
index 64a4693e..a813302 100644
--- a/chrome/browser/extensions/extension_tab_util.h
+++ b/chrome/browser/extensions/extension_tab_util.h
@@ -44,6 +44,11 @@
kDontPopulateTabs,
};
+ enum ScrubTabBehavior {
+ kScrubTab,
+ kDontScrubTab,
+ };
+
struct OpenTabParams {
OpenTabParams();
~OpenTabParams();
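Review bot: the new ScrubTabBehavior enum at the top of this hunk carries no comment, although its value decides whether a tab's URL, title and favicon are left in the object handed to the caller. Suggest documenting the two enumerators where they are declared: kScrubTab removes the sensitive fields according to the extension's permissions, and kDontScrubTab leaves them in. A reader picking a value at a call site should not have to find the CreateTabObject() comment further down the header to learn which one is the safe choice.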
@@ -93,31 +98,23 @@
static std::string GetBrowserWindowTypeText(const Browser& browser);
// Creates a Tab object (see chrome/common/extensions/api/tabs.json) with
- // information about the state of a browser tab. Depending on the
- // permissions of the extension, the object may or may not include sensitive
- // data such as the tab's URL.
+ // information about the state of a browser tab for the given |web_contents|.
+ // This will scrub the tab of sensitive data (URL, favicon, title) according
+ // to |scrub_tab_behavior| and |extension|'s permissions. A null extension is
+ // treated as having no permissions.
+ // By default, tab information should always be scrubbed (kScrubTab) for any
+ // data passed to any extension.
static std::unique_ptr<api::tabs::Tab> CreateTabObject(
content::WebContents* web_contents,
+ ScrubTabBehavior scrub_tab_behavior,
const Extension* extension) {
- return CreateTabObject(web_contents, nullptr, -1, extension);
+ return CreateTabObject(web_contents, scrub_tab_behavior, extension, nullptr,
+ -1);
}
static std::unique_ptr<api::tabs::Tab> CreateTabObject(
content::WebContents* web_contents,
- TabStripModel* tab_strip,
- int tab_index,
- const Extension* extension);
-
- // Creates a Tab object but performs no extension permissions checks; the
- // returned object will contain privacy-sensitive data.
- // TODO(devlin): These are easy to confuse with the safer, info-scrubbing
- // versions above. We should get rid of these, and have callers explicitly
- // pass in a null extension if they do not want values scrubbed.
- static std::unique_ptr<api::tabs::Tab> CreateTabObject(
- content::WebContents* web_contents) {
- return CreateTabObject(web_contents, nullptr, -1);
- }
- static std::unique_ptr<api::tabs::Tab> CreateTabObject(
- content::WebContents* web_contents,
+ ScrubTabBehavior scrub_tab_behavior,
+ const Extension* extension,
TabStripModel* tab_strip,
int tab_index);
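Review bot: the rewritten comment above CreateTabObject() does not say what kDontScrubTab does with |extension|, and that is the case callers are most likely to get wrong. It states that scrubbing follows "|scrub_tab_behavior| and |extension|'s permissions" and that "A null extension is treated as having no permissions", but the removed TODO proposed passing a null extension to mean "do not scrub", so the meaning of null is now the opposite of what that note suggested. Suggest adding a sentence saying whether |extension| is consulted at all under kDontScrubTab, and one saying when kDontScrubTab is acceptable, given that the comment already says data passed to any extension should use kScrubTab. The second overload, which takes |tab_strip| and |tab_index|, also has no comment of its own for those two parameters, including what the nullptr and -1 passed by the inline overload mean.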