Extension's options page crashes after navigating to it with other extensions enabled

https://bugs.webkit.org/show_bug.cgi?id=273915
rdar://127752769

Reviewed by Brian Weinstein.

What's happening here is that an extension is trying to send a message to a tab with
full page extension content and we're sending the message to the wrong content world.
Since the url of the tab of the page receiving the message isn't the url of the current
extension, we're sending the message to the content script world and not the main world.
To fix this, we should check if the url is any extension url, because in that case we
want to send the message to the main world.

This crash was originally addressed in 277240@main, but was partially reverted by the
permissions check being removed in WebExtensionContext::tabsSendMessage() in 278066@main.

Note: we don't support extensions sending messages to other extensions, but we don't
want to return early/call the completion handler here if the page receiving the message
isn't the same extension since it could have a subframe that can receive the message.
The message won't end up reaching any frames for another extension since it'll get
dropped in `WebExtensionContext::processes()`.

* Source/WebKit/UIProcess/Extensions/Cocoa/API/WebExtensionContextAPITabsCocoa.mm:
(WebKit::WebExtensionContext::tabsSendMessage):
(WebKit::WebExtensionContext::tabsConnect):
* Source/WebKit/UIProcess/Extensions/Cocoa/WebExtensionContextCocoa.mm:
(WebKit::WebExtensionContext::isURLForAnyExtension):
* Source/WebKit/UIProcess/Extensions/WebExtensionContext.h:

Canonical link: https://commits.webkit.org/278577@main
kiaraarose committed May 9, 2024
1 parent 5c91f30 commit d37bc86
Showing 3 changed files with 9 additions and 2 deletions.
Expand Up @@ -466,7 +466,7 @@ static inline String toMIMEType(WebExtensionTab::ImageFormat format)
return;
}

auto targetContentWorldType = isURLForThisExtension(tab->url()) ? WebExtensionContentWorldType::Main : WebExtensionContentWorldType::ContentScript;
auto targetContentWorldType = isURLForAnyExtension(tab->url()) ? WebExtensionContentWorldType::Main : WebExtensionContentWorldType::ContentScript;

auto processes = tab->processes(WebExtensionEventListenerType::RuntimeOnMessage, targetContentWorldType);
if (processes.isEmpty()) {
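Review bot: The targetContentWorldType line in tabsSendMessage now uses isURLForAnyExtension(tab->url()) with no comment, although its safety depends on behaviour that is not visible at this call site: per the commit message, frames belonging to another extension are dropped later in processes(). Please add a short comment on that line saying Main is chosen for any extension URL and that cross-extension delivery is filtered downstream, so a later cleanup does not switch it back to isURLForThisExtension(). The commit also changes only the three source files; since this crash has already regressed once (277240@main, then 278066@main), a regression test that exercises tabsSendMessage against a tab showing another extension's page would be worth adding.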
Expand All @@ -493,7 +493,7 @@ static inline String toMIMEType(WebExtensionTab::ImageFormat format)
}

constexpr auto sourceContentWorldType = WebExtensionContentWorldType::Main;
auto targetContentWorldType = isURLForThisExtension(tab->url()) ? WebExtensionContentWorldType::Main : WebExtensionContentWorldType::ContentScript;
auto targetContentWorldType = isURLForAnyExtension(tab->url()) ? WebExtensionContentWorldType::Main : WebExtensionContentWorldType::ContentScript;

// Add 1 for the starting port here so disconnect will balance with a decrement.
addPorts(sourceContentWorldType, targetContentWorldType, channelIdentifier, { senderParameters.pageProxyIdentifier });
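Review bot: The targetContentWorldType ternary in tabsConnect is an exact copy of the one in tabsSendMessage, so the next fix to one site can easily miss the other. Consider a small helper that takes the tab URL and returns the WebExtensionContentWorldType, called from both places. It is also worth confirming the port accounting: addPorts() records the Main target world here before anything is delivered, so if the tab shows another extension's page and the connection is dropped later, does a disconnect still balance the count added on this line?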
Expand Up @@ -484,6 +484,11 @@ static _WKWebExtensionContextError toAPI(WebExtensionContext::Error error)
return url.isValid() && protocolHostAndPortAreEqual(baseURL(), url);
}

bool WebExtensionContext::isURLForAnyExtension(const URL& url)
{
return url.isValid() && WebExtensionMatchPattern::extensionSchemes().contains(url.protocol().toString());
}

void WebExtensionContext::setUniqueIdentifier(String&& uniqueIdentifier)
{
ASSERT(!isLoaded());
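Review bot: isURLForAnyExtension() compares only url.protocol() against extensionSchemes(), so it returns true for every valid URL with an extension scheme, whether or not the host corresponds to a loaded extension, while isURLForThisExtension() directly above compares protocol, host and port against baseURL(). A scheme test is enough for picking a content world, but the name reads like an ownership check. Consider a name that says it tests the scheme, or validating the host against known extensions if that stronger meaning is what callers should get.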
2 changes: 2 additions & 0 deletions Source/WebKit/UIProcess/Extensions/WebExtensionContext.h
Expand Up @@ -143,6 +143,8 @@ class WebExtensionContext : public API::ObjectImpl<API::Object::Type::WebExtensi
static bool readLastBaseURLFromState(const String& filePath, URL& outLastBaseURL);
static bool readDisplayNameFromState(const String& filePath, String& outDisplayName);

static bool isURLForAnyExtension(const URL&);

static WebExtensionContext* get(WebExtensionContextIdentifier);

explicit WebExtensionContext(Ref<WebExtension>&&);
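Review bot: The new declaration static bool isURLForAnyExtension(const URL&) has no comment, and nothing in the header tells a caller what a true result means. A one-line comment on the declaration describing what is tested, and that the result is not a permission decision, would keep it from being reused for access checks.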