Chromium Code Reviews Chromium Code Reviews
Issue 10810054:
Describing the `sandbox` workflow for extension developers. (Closed)
Base URL: http://git.chromium.org/git/chromium.git@trunk| OLD | NEW |
|---|---|
| (Empty) | |
| 1 <div id="pageData-name" class="pageData">Using eval in Chrome Extensions. Safely .</div> | |
| 2 <div id="pageData-showTOC" class="pageData">true</div> | |
| 3 | |
| 4 <p> | |
| 5 Chrome's extension system enforces a fairly strict default | |
| 6 <a href='contentSecurityPolicy.html'> | |
| 7 <strong>Content Security Policy (CSP)</strong> | |
| 8 </a>. The policy restrictions are straightforward: script must be moved | |
| 9 out-of-line into separate JavaScript files, inline event handlers must be | |
| 10 converted to use <code>addEventListener</code>, and <code>eval()</code> is | |
| 11 disabled. Chrome Apps have an | |
| 12 <a href='http://developer.chrome.com/trunk/apps/app_csp.html'>even more strict | |
| 13 policy</a>, and we're quite happy with the security properties these policies | |
| 14 provide. | |
| 15 </p> | |
| 16 | |
| 17 <p> | |
| 18 We recognize, however, that a variety of libraries use <code>eval()</code> and | |
| 19 <code>eval</code>-like constructs such as <code>new Function()</code> for | |
| 20 performance optimization and ease of expression. Templating libraries are | |
| 21 especially prone to this style of implementation. While some (like | |
| 22 <a href='http://angularjs.com/'>Angular.js</a>) support CSP out of the box, | |
| 23 many popular frameworks haven't yet updated to a mechanism that is compatible | |
| 24 with extensions' <code>eval</code>-less world. Removing support for that | |
| 25 functionality has therefore proven <a href='http://crbug.com/107538'>more | |
| 26 problematic than expected</a> for developers. | |
| 27 </p> | |
| 28 | |
| 29 <p> | |
| 30 This document introduces sandboxing as a safe mechanism to include these | |
| 31 libraries in your projects without compromising on security. For brevity, | |
| 32 we'll be using the term <em>extensions</em> throughout, but the concept | |
| 33 applies equally to applications. | |
| 34 </p> | |
| 35 | |
| 36 <h2>Why sandbox?</h2> | |
| 37 | |
| 38 <p> | |
| 39 <code>eval</code> is dangerous inside an extension because the code it | |
| 40 executes has access to everything in the extension's high-permission | |
| 41 environment. A slew of powerful <code>chrome.*</code> APIs are available that | |
| 42 could severely impact a user's security and privacy; simple data exfiltration | |
| 43 is the least of our worries. The solution on offer is a sandbox in which | |
| 44 <code>eval</code> can execute code without access either to the extension's | |
| 45 data or the extension's high-value APIs. No data, no APIs, no problem. | |
| 46 </p> | |
| 47 | |
| 48 <p> | |
| 49 We accomplish this by listing specific HTML files inside the extension package | |
| 50 as being sandboxed. Whenever a sandboxed page is loaded, it will be moved to a | |
| 51 <a href='http://www.whatwg.org/specs/web-apps/current-work/multipage/origin-0. html#sandboxed-origin-browsing-context-flag'>unique origin</a>, | |
| 52 and will be denied access to <code>chrome.*</code> APIs. If we load this | |
| 53 sandboxed page into our extension via an <code>iframe</code>, we can pass it | |
| 54 messages, let it act upon those messages in some way, and wait for it to pass | |
| 55 us back a result. This simple messaging mechanism gives us everything we need | |
| 56 to safely include <code>eval</code>-driven code in our extension's workflow. | |
| 57 </p> | |
| 58 | |
| 59 <h2>Creating and using a sandbox.</h2> | |
| 60 | |
| 61 <p> | |
| 62 If you'd like to dive straight into code, please grab the | |
| 63 <a href='#TODO'>sandboxing sample extension and take off</a>. It's a working | |
| 64 example of a tiny messaging API built on top of the | |
| 65 <a href='http://handlebarsjs.com'>Handlebars</a> templating library, and it | |
| 66 should give you everything you need to get going. For those of you who'd like | |
| 67 a little more explanation, let's walk through it together here. | |
| 68 </p> | |
| 69 | |
| 70 <h3>List files in manifest</h3> | |
| 71 | |
| 72 <p> | |
| 73 Each file that ought to be run inside a sandbox must be listed in the | |
| 74 extension manifest by adding a <code>sandbox</code> property. This is a | |
| 75 critical step, and it's easy to forget, so please double check that your | |
| 76 sandboxed file is listed in the manifest. In this sample, we're sandboxing the | |
| 77 file cleverly named "sandbox.html". The manifest entry looks like this: | |
| 78 </p> | |
| 79 | |
| 80 <pre>{ | |
| 81 ..., | |
| 82 "sandbox": { | |
| 83 "pages": ["sandbox.html"] | |
| 84 }, | |
| 85 ... | |
| 86 }</pre> | |
| 87 | |
| 88 <h3>Load the sandboxed file</h3> | |
| 89 | |
| 90 <p> | |
| 91 In order to do something interesting with the sandboxed file, we need to load | |
| 92 it in a context where it can be addressed by the extension's code. Here, | |
| 93 <a href='#TODO'>sandbox.html</a> has been loaded into the extension's | |
| 94 <a href='http://code.google.com/chrome/extensions/dev/event_pages.html'>Event | |
| 95 Page</a> (<a href='#TODO'>eventpage.html</a>) via an <code>iframe</code>. | |
| 96 <a href='#TODO'>eventpage.js</a> contains code that sends a message into the | |
| 97 sandbox whenever the browser action is clicked by finding the | |
| 98 <code>iframe</code> on the page, and executing the <code>postMessage</code> | |
| 99 method on its <code>contentWindow</code>. The message is an object containing | |
| 100 two properties: <code>context</code> and <code>command</code>. We'll dive into | |
| 101 both in a moment. | |
| 102 </p> | |
| 103 | |
| 104 <pre>chrome.browserAction.onClicked.addListener(function() { | |
| 105 var iframe = document.getElementById('theFrame'); | |
| 106 var message = { | |
| 107 command: 'render', | |
| 108 context: {thing: 'world'} | |
| 109 }; | |
| 110 iframe.contentWindow.postMessage(message, '*'); | |
| 111 });</pre> | |
| 112 | |
| 113 <p class="note">For general information about the <code>postMessage</code> API, | |
| 114 take a look at the <a href="https://developer.mozilla.org/en/DOM/window.postMess age"> | |
| 115 <code>postMessage</code> documentation on MDN | |
| 116 </a>. It's quite complete and worth reading. In particular, note that data can | |
| 117 only be passed back and forth if it's serializable. Functions, for instance, are | |
| 118 not.</p> | |
| 119 | |
| 120 <h3>Do something dangerous</h3> | |
| 121 | |
| 122 <p> | |
| 123 When <a href='#TODO'>sandbox.html</a> is loaded, it loads the Handlebars | |
| 124 library, and creates and compiles an inline template in the way Handlebars | |
| 125 suggests: | |
| 126 </p> | |
| 127 | |
| 128 <pre><script src="handlebars-1.0.0.beta.6.js"></script> | |
| 129 <script id="hello-world-template" type="text/x-handlebars-template"> | |
| 130 <div class="entry"> | |
| 131 <h1>Hello, {{thing}}!</h1> | |
| 132 </div> | |
| 133 </script> | |
| 134 <script> | |
| 135 var templates = []; | |
| 136 var source = document.getElementById('hello-world-template').innerHTML; | |
| 137 templates['hello'] = Handlebars.compile(source); | |
| 138 </script></pre> | |
| 139 | |
| 140 <p> | |
| 141 This doesn't fail! Even though <code>Handlebars.compile</code> ends up using | |
| 142 <code>new Function</code>, things work exactly as expected, and we end up with | |
| 143 a compiled template in <code>templates[‘hello']</code>. | |
| 144 </p> | |
| 145 | |
| 146 <h3>Pass the result back</h3> | |
| 147 | |
| 148 <p> | |
| 149 We'll make this template available for use by setting up a message listener | |
| 150 that accepts commands from the Event Page. We'll use the <code>command</code> | |
| 151 passed in to determine what ought to be done (you could imagine doing more | |
| 152 than simply rendering; perhaps creating templates? Perhaps managing them in | |
| 153 some way?), and the <code>context</code> will be passed into the template | |
| 154 directly for rendering. The rendered HTML will be passed back to the Event | |
| 155 Page so the extension can do something useful with it later on: | |
| 156 </p> | |
| 157 | |
| 158 <pre>window.addEventListener('message', function(event) { | |
| 159 var command = event.data.command; | |
| 160 var name = event.data.name || 'hello'; | |
| 161 switch(command) { | |
| 162 case 'render': | |
| 163 event.source.postMessage({ | |
| 164 name: name, | |
| 165 html: templates[name](event.data.context) | |
| 166 }, event.origin); | |
| 167 break; | |
| 168 | |
| 169 // case 'somethingElse': | |
| 170 // ... | |
| 171 } | |
| 172 });</pre> | |
| 173 | |
| 174 <p> | |
| 175 Back in the Event Page, we'll receive this message, and do something | |
| 176 interesting with the <code>html</code> data we've been passed. In this case, | |
| 177 we'll just echo it out via a <a href='notifications.html'>Desktop | |
| 178 Notification</a>, but it's entirely possible to use this HTML safely as part | |
| 179 of the extension's UI. Inserting it via <code>innerHTML</code> doesn't pose a | |
| 180 security risk, as we're protected in this context from unintentional execution | |
| 181 of inline script. | |
| 182 </p> | |
| 183 | |
| 184 <p> | |
| 185 This mechanism makes templating straightforward, but it of course isn't | |
| 186 limited to templating. For example, the | |
| 187 <a href='https://github.com/GoogleChrome/chrome-app-samples/blob/master/regex- tester/'>Regex Tester</a> | |
|
Mihai Parparita -not on Chrome
2012/07/26 17:51:57
https://github.com/GoogleChrome/chrome-app-samples
Mike West
2012/07/27 07:58:57
Alright. Thanks. :)
I'll point to Jorge's I/O tal
| |
| 188 application uses <code>eval</code> to dynamically generate and test regular | |
| 189 expressions. It's built similarly, and would also be good for you to take a | |
| 190 look at before building your own sandboxed application or extension. | |
| 191 </p> | |
| OLD | NEW |
