github/electron
1
1
Fork 0
mirror of https://github.com/electron/electron.git synced 2026-04-10 03:01:51 -04:00
Code Issues Packages Projects Releases Wiki Activity

fix: chrome.tabs 'url' and 'title' are privileged information (#39607)

Browse Source 
fix: tabs url and title are privileged information

Co-authored-by: trop[bot] <37223003+trop[bot]@users.noreply.github.com>
Co-authored-by: Shelley Vohr <shelley.vohr@gmail.com>
This commit is contained in:
trop[bot]
2023-08-22 17:28:57 +02:00
committed by GitHub
parent 1047532f1d
commit 5da1b91546
10 changed files with 129 additions and 31 deletions
Download Patch File Download Diff File Expand all files Collapse all files

31
shell/browser/extensions/api/tabs/tabs_api.cc
View File

@@ -301,6 +301,7 @@ ExtensionFunction::ResponseAction TabsQueryFunction::Run() {
tabs::Tab tab;
tab.id = contents->ID();
tab.title = base::UTF16ToUTF8(wc->GetTitle());
tab.url = wc->GetLastCommittedURL().spec();
tab.active = contents->IsFocused();
tab.audible = contents->IsCurrentlyAudible();
@@ -322,12 +323,18 @@ ExtensionFunction::ResponseAction TabsGetFunction::Run() {
return RespondNow(Error("No such tab"));
tabs::Tab tab;
tab.id = tab_id;
// TODO(nornagon): in Chrome, the tab URL is only available to extensions
// that have the "tabs" (or "activeTab") permission. We should do the same
// permission check here.
tab.url = contents->web_contents()->GetLastCommittedURL().spec();
// "title" and "url" properties are considered privileged data and can
// only be checked if the extension has the "tabs" permission or it has
// access to the WebContents's origin.
auto* wc = contents->web_contents();
if (extension()->permissions_data()->HasAPIPermissionForTab(
contents->ID(), mojom::APIPermissionID::kTab) ||
extension()->permissions_data()->HasHostPermission(wc->GetURL())) {
tab.url = wc->GetLastCommittedURL().spec();
tab.title = base::UTF16ToUTF8(wc->GetTitle());
}
tab.active = contents->IsFocused();
@@ -609,10 +616,16 @@ ExtensionFunction::ResponseValue TabsUpdateFunction::GetResult() {
auto* api_web_contents = electron::api::WebContents::From(web_contents_);
tab.id = (api_web_contents ? api_web_contents->ID() : -1);
// TODO(nornagon): in Chrome, the tab URL is only available to extensions
// that have the "tabs" (or "activeTab") permission. We should do the same
// permission check here.
tab.url = web_contents_->GetLastCommittedURL().spec();
// "title" and "url" properties are considered privileged data and can
// only be checked if the extension has the "tabs" permission or it has
// access to the WebContents's origin.
if (extension()->permissions_data()->HasAPIPermissionForTab(
api_web_contents->ID(), mojom::APIPermissionID::kTab) ||
extension()->permissions_data()->HasHostPermission(
web_contents_->GetURL())) {
tab.url = web_contents_->GetLastCommittedURL().spec();
tab.title = base::UTF16ToUTF8(web_contents_->GetTitle());
}
if (api_web_contents)
tab.active = api_web_contents->IsFocused();