Prevents extensions from accessing protected resources.

Fixes brave/brave-browser#42998

Author: bsclifton

chromium_src/extensions/common/permissions/DEPS

@@ -0,0 +1,3 @@
+include_rules = [
+  "+brave/components/skus/renderer",
+]

chromium_src/extensions/common/permissions/permissions_data.cc

@@ -0,0 +1,50 @@
+/* Copyright (c) 2025 The Brave Authors. All rights reserved.
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this file,
+ * You can obtain one at https://mozilla.org/MPL/2.0/. */
+
+#include "extensions/common/permissions/permissions_data.h"
+
+#include "brave/components/skus/renderer/skus_utils.h"
+#include "url/origin.h"
+
+namespace extensions {
+
+bool IsBraveProtectedUrl(const GURL& url) {
+  if (skus::IsSafeOrigin(url)) {
+    return true;
+  }
+  return false;
+}
+
+}  // namespace extensions
+
+namespace {
+
+bool IsBraveRestrictedUrl(const GURL& document_url,
+                          const extensions::ExtensionId& extension_id,
+                          extensions::mojom::ManifestLocation location,
+                          std::string* error) {
+  if (extensions::PermissionsData::CanExecuteScriptEverywhere(extension_id,
+                                                              location)) {
+    return false;
+  }
+
+  if (extensions::IsBraveProtectedUrl(document_url)) {
+    return true;
+  }
+
+  return false;
+}
+
+}  // namespace
+
+// Disable some content scripts until users click on the extension icon
+#define BRAVE_CAN_RUN_ON_PAGE                                                \
+  if (IsBraveRestrictedUrl(document_url, extension_id_, location_, error)) { \
+    return PageAccess::kWithheld;                                            \
+  }
+
+#include "src/extensions/common/permissions/permissions_data.cc"
+
+#undef BRAVE_CAN_RUN_ON_PAGE

components/skus/renderer/skus_utils.cc

@@ -5,24 +5,37 @@
 
 #include "brave/components/skus/renderer/skus_utils.h"
 
+#include <algorithm>
+#include <string>
 #include <vector>
 
 #include "base/no_destructor.h"
 #include "third_party/blink/public/platform/web_security_origin.h"
 #include "third_party/blink/public/platform/web_url.h"
 #include "url/gurl.h"
 
-namespace skus {
+namespace {
+// NOTE: please open a security review when appending to this list.
+std::vector<std::string> safe_origins_string{
+    "https://account.brave.com", "https://account.bravesoftware.com",
+    "https://account.brave.software"};
 
-bool IsSafeOrigin(const blink::WebSecurityOrigin& origin) {
-  // NOTE: please open a security review when appending to this list.
-  static base::NoDestructor<std::vector<blink::WebSecurityOrigin>> safe_origins{
-      {{blink::WebSecurityOrigin::Create(GURL("https://account.brave.com"))},
-       {blink::WebSecurityOrigin::Create(
-           GURL("https://account.bravesoftware.com"))},
-       {blink::WebSecurityOrigin::Create(
-           GURL("https://account.brave.software"))}}};
+base::NoDestructor<std::vector<blink::WebSecurityOrigin>>
+WebSecurityOriginList() {
+  std::vector<blink::WebSecurityOrigin> list(safe_origins_string.size());
+  std::transform(safe_origins_string.begin(), safe_origins_string.end(),
+                 list.begin(), [](auto& origin_string) {
+                   return blink::WebSecurityOrigin::Create(GURL(origin_string));
+                 });
+  return base::NoDestructor(list);
+}
+
+}  // namespace
 
+namespace skus {
+bool IsSafeOrigin(const blink::WebSecurityOrigin& origin) {
+  static base::NoDestructor<std::vector<blink::WebSecurityOrigin>>
+      safe_origins = WebSecurityOriginList();
   for (const blink::WebSecurityOrigin& safe_origin : *safe_origins) {
     if (safe_origin.IsSameOriginWith(origin)) {
       return true;
@@ -31,4 +44,14 @@ bool IsSafeOrigin(const blink::WebSecurityOrigin& origin) {
   return false;
 }
 
+bool IsSafeOrigin(const GURL& origin) {
+  for (const std::string& safe_origin_string : safe_origins_string) {
+    auto safe_origin = url::Origin::Create(GURL(safe_origin_string));
+    if (safe_origin.IsSameOriginWith(origin)) {
+      return true;
+    }
+  }
+  return false;
+}
+
 }  // namespace skus

components/skus/renderer/skus_utils.h

@@ -6,12 +6,28 @@
 #ifndef BRAVE_COMPONENTS_SKUS_RENDERER_SKUS_UTILS_H_
 #define BRAVE_COMPONENTS_SKUS_RENDERER_SKUS_UTILS_H_
 
+class GURL;
+
 namespace blink {
 class WebSecurityOrigin;
 }  // namespace blink
 
 namespace skus {
+// This version is used in a renderer process where blink is initialized.
+// For example, if you are in a render frame observer where you get the origin
+// via `render_frame()->GetWebFrame()->GetSecurityOrigin()`.
+//
+// NOTE: You'll get DCHECK/CHECK errors for trying to create a
+// `blink::WebString` if you're not in a blink context (tests are fine).
+//
+// See //third_party/blink/renderer/platform/weborigin/security_origin.cc
 bool IsSafeOrigin(const blink::WebSecurityOrigin& origin);
+
+// This version is safe for use elsewhere. The internal `IsSameOriginWith`
+// check is different than the version above.
+//
+// See //url/origin.cc
+bool IsSafeOrigin(const GURL& origin);
 }  // namespace skus
 
 #endif  // BRAVE_COMPONENTS_SKUS_RENDERER_SKUS_UTILS_H_

patches/extensions-common-BUILD.gn.patch

@@ -0,0 +1,12 @@
+diff --git a/extensions/common/BUILD.gn b/extensions/common/BUILD.gn
+index 118c7255c77e74bd8c5cdb011c7f9bc96288de40..51d7fc9375d5f4a9629b1d8842b50e1ab3e8e675 100644
+--- a/extensions/common/BUILD.gn
++++ b/extensions/common/BUILD.gn
+@@ -551,6 +551,7 @@ static_library("common") {
+     "//url",
+   ]
+ 
++  deps += ["//brave/components/skus/renderer"]
+   if (enable_extensions) {
+     deps += [ "//extensions:extensions_resources" ]
+   }

patches/extensions-common-permissions-permissions_data.cc.patch

@@ -0,0 +1,12 @@
+diff --git a/extensions/common/permissions/permissions_data.cc b/extensions/common/permissions/permissions_data.cc
+index ffdce9beaa7c207df5ab304dbcf4d97c631139ca..94131fdbd37a094b1376442fe44b5c2befde30f6 100644
+--- a/extensions/common/permissions/permissions_data.cc
++++ b/extensions/common/permissions/permissions_data.cc
+@@ -649,6 +649,7 @@ PermissionsData::PageAccess PermissionsData::CanRunOnPage(
+       return PageAccess::kDenied;
+     }
+   }
++  BRAVE_CAN_RUN_ON_PAGE
+ 
+   if (tab_url_patterns && tab_url_patterns->MatchesURL(document_url))
+     return PageAccess::kAllowed;