Only allow AngularDart DevTools to send Dart Debug Extension messages (#1678)

* Only allow incoming connections from AngularDart DevTools extension

This ensures Dart AngularDart DevTools is the only extension that can
connect to Dart Debug Extension via runtime.sendMessage and removes the
need to manually check the sender on each message.

https://developer.chrome.com/docs/extensions/mv3/manifest/externally_connectable/

* Update extension version to 1.31 for release

Author: leonsenft

dwds/debug_extension/CHANGELOG.md

@@ -1,3 +1,7 @@
+## 1.31
+- Replace manual extension allowlist by configuring `externally_connectable` in
+  the `manifest.json`. See https://developer.chrome.com/docs/extensions/mv3/manifest/externally_connectable/
+  for details.
 
 ## 1.30
 - Batch extension `Debugger.scriptParsed` events and send batches every 1000ms

dwds/debug_extension/pubspec.yaml

@@ -1,6 +1,6 @@
 name: extension
 publish_to: none
-version: 1.30.0
+version: 1.31.0
 homepage: https://github.com/dart-lang/webdev
 description: >-
   A chrome extension for Dart debugging.

dwds/debug_extension/web/background.dart

@@ -34,6 +34,9 @@ const _notADartAppAlert = 'No Dart application detected.'
     ' see https://bugs.chromium.org/p/chromium/issues/detail?id=885025#c11.';
 
 // Extensions allowed for cross-extension communication.
+//
+// This is only used to forward outgoing messages, as incoming messages are
+// restricted by `externally_connectable` in the extension manijest.json.
 const _allowedExtensions = {
   'nbkbficgbembimioedhceniahniffgpl', // AngularDart DevTools
 };
@@ -362,36 +365,34 @@ void _maybeSaveDevToolsTabId(Tab tab) async {
 
 void _handleMessageFromExternalExtensions(
     Request request, Sender sender, Function sendResponse) async {
-  if (_allowedExtensions.contains(sender.id)) {
-    if (request.name == 'chrome.debugger.sendCommand') {
-      try {
-        final options = request.options as SendCommandOptions;
-
-        void sendResponseOrError([e]) {
-          // No arguments indicate that an error occurred.
-          if (e == null) {
-            sendResponse(ErrorResponse()..error = stringify(lastError));
-          } else {
-            sendResponse(e);
-          }
-        }
+  if (request.name == 'chrome.debugger.sendCommand') {
+    try {
+      final options = request.options as SendCommandOptions;
 
-        sendCommand(Debuggee(tabId: request.tabId), options.method,
-            options.commandParams, allowInterop(sendResponseOrError));
-      } catch (e) {
-        sendResponse(ErrorResponse()..error = '$e');
+      void sendResponseOrError([e]) {
+        // No arguments indicate that an error occurred.
+        if (e == null) {
+          sendResponse(ErrorResponse()..error = stringify(lastError));
+        } else {
+          sendResponse(e);
+        }
       }
-    } else if (request.name == 'dwds.encodedUri') {
-      sendResponse(_tabIdToEncodedUri[request.tabId] ?? '');
-    } else if (request.name == 'dwds.startDebugging') {
-      _startDebugging(DebuggerTrigger.dwds);
-      // TODO(grouma) - Actually determine if debugging initiated
-      // successfully.
-      sendResponse(true);
-    } else {
-      sendResponse(
-          ErrorResponse()..error = 'Unknown request name: ${request.name}');
+
+      sendCommand(Debuggee(tabId: request.tabId), options.method,
+          options.commandParams, allowInterop(sendResponseOrError));
+    } catch (e) {
+      sendResponse(ErrorResponse()..error = '$e');
     }
+  } else if (request.name == 'dwds.encodedUri') {
+    sendResponse(_tabIdToEncodedUri[request.tabId] ?? '');
+  } else if (request.name == 'dwds.startDebugging') {
+    _startDebugging(DebuggerTrigger.dwds);
+    // TODO(grouma) - Actually determine if debugging initiated
+    // successfully.
+    sendResponse(true);
+  } else {
+    sendResponse(
+        ErrorResponse()..error = 'Unknown request name: ${request.name}');
   }
 }