chromium_src/chrome/browser/devtools/devtools_availability_checker.cc · OpenHarmony-TPC/chromium_src - AtomGit

// Copyright 2025 The Chromium Authors
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

#include "chrome/browser/devtools/devtools_availability_checker.h"

#include "chrome/browser/policy/developer_tools_policy_checker.h"
#include "chrome/browser/policy/developer_tools_policy_checker_factory.h"
#include "chrome/browser/policy/developer_tools_policy_handler.h"
#include "chrome/browser/policy/profile_policy_connector.h"
#include "chrome/browser/profiles/profile.h"
#include "chrome/common/pref_names.h"
#include "components/prefs/pref_service.h"
#include "content/public/browser/web_contents.h"

#if BUILDFLAG(ENABLE_EXTENSIONS_CORE)
#include "extensions/browser/extension_host.h"
#include "extensions/browser/process_manager.h"
#endif

#if !BUILDFLAG(IS_ANDROID)
#include "chrome/browser/web_applications/web_app.h"
#include "chrome/browser/web_applications/web_app_provider.h"
#include "chrome/browser/web_applications/web_app_registrar.h"
#include "chrome/browser/web_applications/web_app_tab_helper.h"
#include "chrome/browser/web_applications/web_app_utils.h"
#endif

#if BUILDFLAG(IS_CHROMEOS)
#include "chromeos/constants/pref_names.h"
#include "components/prefs/pref_service.h"
#endif

namespace {

policy::DeveloperToolsPolicyHandler::Availability GetDevToolsAvailability(
    Profile* profile) {
  using Availability = policy::DeveloperToolsPolicyHandler::Availability;
  Availability availability =
      policy::DeveloperToolsPolicyHandler::GetEffectiveAvailability(profile);
#if BUILDFLAG(IS_CHROMEOS)
  // On ChromeOS disable dev tools for captive portal signin windows to prevent
  // them from being used for general navigation.
  if (availability != Availability::kDisallowed) {
    const PrefService::Preference* const captive_portal_pref =
        profile->GetPrefs()->FindPreference(
            chromeos::prefs::kCaptivePortalSignin);
    if (captive_portal_pref && captive_portal_pref->GetValue()->GetBool()) {
      availability = Availability::kDisallowed;
    }
  }
#endif
  return availability;
}

}  // namespace

bool IsInspectionAllowed(Profile* profile, content::WebContents* web_contents) {
  if (!web_contents) {
    // For contexts without web_contents, we can only check the general policy.
    return IsInspectionAllowed(
        profile, static_cast<const extensions::Extension*>(nullptr));
  }
  policy::DeveloperToolsPolicyChecker* checker =
      policy::DeveloperToolsPolicyCheckerFactory::GetForBrowserContext(profile);
  if (checker) {
    if (auto url_check =
            checker->CheckDevToolsAvailabilityForUrl(web_contents->GetURL())) {
      return *url_check;
    }
  }
  // Now check the enum policy
  using Availability = policy::DeveloperToolsPolicyHandler::Availability;
  Availability availability = GetDevToolsAvailability(profile);
  switch (availability) {
    case Availability::kDisallowed:
      return false;
    case Availability::kAllowed:
      return true;
    case Availability::kDisallowedForForceInstalledExtensions: {
// This policy only restricts extensions and web apps. Regular pages are
// allowed.
#if BUILDFLAG(ENABLE_EXTENSIONS_CORE)
      const extensions::Extension* extension = nullptr;
      if (auto* process_manager = extensions::ProcessManager::Get(
              web_contents->GetBrowserContext())) {
        extension = process_manager->GetExtensionForWebContents(web_contents);
      }
      if (extension) {
        if (extensions::Manifest::IsPolicyLocation(extension->location()) ||
            (extensions::Manifest::IsComponentLocation(extension->location()) &&
             profile->GetProfilePolicyConnector()->IsManaged())) {
          return false;
        }
      }
#endif
#if !BUILDFLAG(IS_ANDROID)
      if (web_app::AreWebAppsEnabled(profile)) {
        const webapps::AppId* app_id =
            web_app::WebAppTabHelper::GetAppId(web_contents);
        auto* web_app_provider =
            web_app::WebAppProvider::GetForWebContents(web_contents);
        if (app_id && web_app_provider) {
          const web_app::WebApp* web_app =
              web_app_provider->registrar_unsafe().GetAppById(*app_id);
          if (web_app && (web_app->IsKioskInstalledApp() ||
                          web_app->IsIwaPolicyInstalledApp())) {
            return false;
          }
        }
      }
#endif
      // If it's not a restricted extension or web app, it's allowed.
      return true;
    }
    default:
      NOTREACHED();
  }
}

bool IsInspectionAllowed(Profile* profile,
                         const extensions::Extension* extension) {
#if !BUILDFLAG(IS_ANDROID)
  if (extension) {
    policy::DeveloperToolsPolicyChecker* checker =
        policy::DeveloperToolsPolicyCheckerFactory::GetForBrowserContext(
            profile);
    if (auto url_check =
            checker->CheckDevToolsAvailabilityForUrl(extension->url())) {
      return *url_check;
    }
  }
#endif
  using Availability = policy::DeveloperToolsPolicyHandler::Availability;
  Availability availability;
  if (extension) {
    availability =
        policy::DeveloperToolsPolicyHandler::GetEffectiveAvailability(profile);
  } else {
    // Perform additional checks for browser windows (extension == null).
    availability = GetDevToolsAvailability(profile);
  }
  switch (availability) {
    case Availability::kDisallowed:
      if (!extension) {
        // When no specific context is given, we can't check for exceptions
        // like the allowlist. But if the allowlist is not empty, we should
        // allow the DevTools UI to load its resources, so it can be used for
        // allowlisted contexts.
        const base::Value::List& allowlist = profile->GetPrefs()->GetList(
            prefs::kDeveloperToolsAvailabilityAllowlist);
        if (!allowlist.empty()) {
          return true;
        }
      }
      return false;
    case Availability::kAllowed:
      return true;
    case Availability::kDisallowedForForceInstalledExtensions:
#if BUILDFLAG(ENABLE_EXTENSIONS_CORE)
      if (!extension) {
        return true;
      }
      if (extensions::Manifest::IsPolicyLocation(extension->location())) {
        return false;
      }
      // We also disallow inspecting component extensions, but only for managed
      // profiles.
      if (extensions::Manifest::IsComponentLocation(extension->location()) &&
          profile->GetProfilePolicyConnector()->IsManaged()) {
        return false;
      }
#endif
      return true;
    default:
      NOTREACHED() << "Unknown developer tools policy";
  }
}

#if !BUILDFLAG(IS_ANDROID)
bool IsInspectionAllowed(Profile* profile, const web_app::WebApp* web_app) {
  if (web_app) {
    policy::DeveloperToolsPolicyChecker* checker =
        policy::DeveloperToolsPolicyCheckerFactory::GetForBrowserContext(
            profile);
    if (auto url_check =
            checker->CheckDevToolsAvailabilityForUrl(web_app->start_url())) {
      return *url_check;
    }
  }
  using Availability = policy::DeveloperToolsPolicyHandler::Availability;
  Availability availability =
      policy::DeveloperToolsPolicyHandler::GetEffectiveAvailability(profile);
  switch (availability) {
    case Availability::kDisallowed:
      return false;
    case Availability::kAllowed:
      return true;
    case Availability::kDisallowedForForceInstalledExtensions: {
      if (!web_app) {
        return true;
      }
      // DevTools should be blocked for Kiosk apps and policy-installed IWAs.
      if (web_app->IsKioskInstalledApp() ||
          web_app->IsIwaPolicyInstalledApp()) {
        return false;
      }
      return true;
    }
    default:
      NOTREACHED() << "Unknown developer tools policy";
  }
}
#endif