Issue 11198044: Make tab capture media stream requests verify that the request came from extension API

Issue 11198044: Make tab capture media stream requests verify that the request came from extension API (Closed)

Created:
8 years, 2 months ago by justinlin

Modified:
8 years, 1 month ago

Reviewers:
Aaron Boodman, wjia(left Chromium), no longer working on chromium, sky

CC:
chromium-reviews, joi+watch-content_chromium.org, feature-media-reviews_chromium.org, darin-cc_chromium.org

Base URL:
svn://svn.chromium.org/chrome/trunk/src

Visibility:
Public.

More Reviews

Description

Make tab capture media stream requests verify that the request came from extension API. Checking that the security_origin of a getUserMedia call for tab media is an extension is not enough. We want to also verify that the extension has the correct permissions to make the call. This is to prevent extensions from calling getUserMedia({tab-media-params}) directly without going through the extension API. This CL makes it so that tab media requests will go through the webcam/mic media stream infobar permission check, but we will accept right away after verifying that the request is in the TabCaptureRegistry (this is the change in media_stream_devices_controller.cc). If the request comes from an extension background page or packaged app, we check that the extension/app has the tab capture permission, and we will approve it right away (these are the changes in extension_host.cc and shell_window.cc).

Patch Set 1 : init #

Total comments: 6

Patch Set 2 : review comments #

Total comments: 20

Patch Set 3 : review #

Total comments: 4

Patch Set 4 : refactor media access permission helper #

Total comments: 4

Patch Set 5 : Fix || and keep webcam/mic disabled in extensions #

Total comments: 2

Patch Set 6 : Rebase and move flag check into extension_host #

Total comments: 4

Patch Set 7 : address comments #

Total comments: 1

Patch Set 8 : rebase #

Created: 8 years, 2 months ago

Download [raw] [tar.bz2]

	Unified diffs	Side-by-side diffs	Delta from patch set	Stats (+193 lines, -36 lines)			Patch
M	chrome/browser/extensions/api/tab_capture/tab_capture_apitest.cc	View	1 2 3 4 5	1 chunk	+12 lines, -0 lines	0 comments	Download
M	chrome/browser/extensions/extension_host.h	View		1 chunk	+4 lines, -0 lines	0 comments	Download
M	chrome/browser/extensions/extension_host.cc	View	1 2 3 4 5 6	2 chunks	+11 lines, -0 lines	0 comments	Download
M	chrome/browser/media/media_stream_devices_controller.cc	View	1 2 3 4	2 chunks	+32 lines, -0 lines	0 comments	Download
M	chrome/browser/ui/extensions/shell_window.cc	View	1 2 3 4 5 6 7	3 chunks	+4 lines, -25 lines	0 comments	Download
M	chrome/chrome_common.gypi	View	1 2 3 4 5 6 7	1 chunk	+2 lines, -0 lines	0 comments	Download
A	chrome/common/extensions/request_media_access_permission_helper.h	View	1 2 3 4 5 6	1 chunk	+34 lines, -0 lines	0 comments	Download
A	chrome/common/extensions/request_media_access_permission_helper.cc	View	1 2 3 4 5 6	1 chunk	+57 lines, -0 lines	0 comments	Download
A +	chrome/test/data/extensions/api_test/tab_capture/permissions/manifest.json	View		1 chunk	+1 line, -1 line	0 comments	Download
A	chrome/test/data/extensions/api_test/tab_capture/permissions/test.js	View		1 chunk	+28 lines, -0 lines	0 comments	Download
M	content/browser/renderer_host/media/media_stream_manager.cc	View	1 2 3 4 5 6 7	2 chunks	+8 lines, -10 lines	0 comments	Download

Messages

Total messages: 21 (0 generated)

Expand Messages | Collapse Messages

justinlin

Hi, xians@, wjia@: please take a look at the media stream changes. aa@: please review ...

8 years, 2 months ago (2012-10-18 02:47:47 UTC) #1

wjia(left Chromium)

https://codereview.chromium.org/11198044/diff/4001/chrome/browser/media/media_stream_devices_controller.cc File chrome/browser/media/media_stream_devices_controller.cc (right): https://codereview.chromium.org/11198044/diff/4001/chrome/browser/media/media_stream_devices_controller.cc#newcode72 chrome/browser/media/media_stream_devices_controller.cc:72: request_.devices.find(content::MEDIA_TAB_VIDEO_CAPTURE); MEDIA_TAB_AUDIO_CAPTURE? https://codereview.chromium.org/11198044/diff/4001/chrome/browser/media/media_stream_devices_controller.cc#newcode92 chrome/browser/media/media_stream_devices_controller.cc:92: false); nit: this fits in ...

8 years, 2 months ago (2012-10-18 04:54:27 UTC) #2

justinlin

http://codereview.chromium.org/11198044/diff/4001/chrome/browser/media/media_stream_devices_controller.cc File chrome/browser/media/media_stream_devices_controller.cc (right): http://codereview.chromium.org/11198044/diff/4001/chrome/browser/media/media_stream_devices_controller.cc#newcode72 chrome/browser/media/media_stream_devices_controller.cc:72: request_.devices.find(content::MEDIA_TAB_VIDEO_CAPTURE); On 2012/10/18 04:54:27, wjia wrote: > MEDIA_TAB_AUDIO_CAPTURE? Done. ...

8 years, 2 months ago (2012-10-18 07:05:47 UTC) #3

no longer working on chromium

http://codereview.chromium.org/11198044/diff/9001/chrome/browser/extensions/extension_host.cc File chrome/browser/extensions/extension_host.cc (right): http://codereview.chromium.org/11198044/diff/9001/chrome/browser/extensions/extension_host.cc#newcode653 chrome/browser/extensions/extension_host.cc:653: if (!accepted_an_audio_device && content::IsAudioMediaType(it->first) && fix the alignment to ...

8 years, 2 months ago (2012-10-18 08:36:16 UTC) #4

justinlin

Thanks! Made some of the statements hopefully less confusing. http://codereview.chromium.org/11198044/diff/9001/chrome/browser/extensions/extension_host.cc File chrome/browser/extensions/extension_host.cc (right): http://codereview.chromium.org/11198044/diff/9001/chrome/browser/extensions/extension_host.cc#newcode653 chrome/browser/extensions/extension_host.cc:653: ...

8 years, 2 months ago (2012-10-18 09:33:29 UTC) #5

Thanks! Made some of the statements hopefully less confusing.

http://codereview.chromium.org/11198044/diff/9001/chrome/browser/extensions/e...
File chrome/browser/extensions/extension_host.cc (right):

http://codereview.chromium.org/11198044/diff/9001/chrome/browser/extensions/e...
chrome/browser/extensions/extension_host.cc:653: if (!accepted_an_audio_device
&& content::IsAudioMediaType(it->first) &&
On 2012/10/18 08:36:17, xians1 wrote:
> fix the alignment to help readability.
> If (*** &&
>     *** &&
>     ***)

Done.

http://codereview.chromium.org/11198044/diff/9001/chrome/browser/extensions/e...
chrome/browser/extensions/extension_host.cc:656: if (it->first !=
content::MEDIA_TAB_AUDIO_CAPTURE ||
On 2012/10/18 08:36:17, xians1 wrote:
> I don't understand here, shouldn't it be
> it->first == content::MEDIA_TAB_AUDIO_CAPTURE &&
> extension()->HasAPIPermission(APIPermission::kTabCapture)

Sorry if this is confusing. We add the device if it's (not a tab_capture device
so we don't care about permission) or (if it is tab capture device and we have
the permission). The "it->first == content::MEDIA_TAB_AUDIO_CAPTURE" is implied
with the permission check. Made the comment longer.

http://codereview.chromium.org/11198044/diff/9001/chrome/browser/extensions/e...
File chrome/browser/extensions/extension_host.h (right):

http://codereview.chromium.org/11198044/diff/9001/chrome/browser/extensions/e...
chrome/browser/extensions/extension_host.h:176: const
content::MediaStreamRequest* request,
On 2012/10/18 08:36:17, xians1 wrote:
> use a reference instead of a pointer.

This is an override. Probably better to fix this in a cleanup CL if needed.

http://codereview.chromium.org/11198044/diff/9001/chrome/browser/media/media_...
File chrome/browser/media/media_stream_devices_controller.cc (right):

http://codereview.chromium.org/11198044/diff/9001/chrome/browser/media/media_...
chrome/browser/media/media_stream_devices_controller.cc:78:
DCHECK(tab_audio->second.size() || tab_video->second.size());
On 2012/10/18 08:36:17, xians1 wrote:
> use !tab_audio->second.empty(), the same for other places.

Done.

http://codereview.chromium.org/11198044/diff/9001/chrome/browser/media/media_...
chrome/browser/media/media_stream_devices_controller.cc:88: video_device_id :
audio_device_id))
On 2012/10/18 08:36:17, xians1 wrote:
> add a { because "if" takes two line.

Done.

http://codereview.chromium.org/11198044/diff/9001/chrome/browser/media/media_...
chrome/browser/media/media_stream_devices_controller.cc:88: video_device_id :
audio_device_id))
On 2012/10/18 08:36:17, xians1 wrote:
> Does it mean that we will have either video_device_id or audio_device_id, and
> never both?

No, this is a little bit related to http://crbug.com/155444. The issue is that
DeviceRequest only has one requested_device_id, so we key the registry (where
extensions keep track of the media stream requests for tabs) by a single
device_id. If video is request, then we use that one, if not we use the one from
audio, but they will both be the same anyway. I think there's checks before this
that prevent us from getting here without a tab video device right now, but if
later we allowed only capturing tab audio, then we might not have a tab video
device here.

http://codereview.chromium.org/11198044/diff/9001/chrome/browser/ui/extension...
File chrome/browser/ui/extensions/shell_window.cc (right):

http://codereview.chromium.org/11198044/diff/9001/chrome/browser/ui/extension...
chrome/browser/ui/extensions/shell_window.cc:208: if ((it->first !=
content::MEDIA_TAB_AUDIO_CAPTURE &&
On 2012/10/18 08:36:17, xians1 wrote:
> it should be it->first != content::MEDIA_DEVICE_AUDIO_CAPTURE

Sorry, tried to be clever and probably made it too confusing. Here it's saying
for anything that's not tab, we need kAudioCapture permission, otherwise we need
kTabCapture permission. Made it more clear.

http://codereview.chromium.org/11198044/diff/9001/chrome/browser/ui/extension...
chrome/browser/ui/extensions/shell_window.cc:210:
extension()->HasAPIPermission(APIPermission::kTabCapture)) {
On 2012/10/18 08:36:17, xians1 wrote:
> indentation.

Done.

http://codereview.chromium.org/11198044/diff/9001/chrome/browser/ui/extension...
chrome/browser/ui/extensions/shell_window.cc:210:
extension()->HasAPIPermission(APIPermission::kTabCapture)) {
On 2012/10/18 08:36:17, xians1 wrote:
> Dont you need to 
> it->first == content::MEDIA_TAB_AUDIO_CAPTURE &&
> extension()->HasAPIPermission(APIPermission::kTabCapture

Done.

http://codereview.chromium.org/11198044/diff/9001/chrome/browser/ui/extension...
chrome/browser/ui/extensions/shell_window.cc:216: if ((it->first !=
content::MEDIA_TAB_VIDEO_CAPTURE &&
On 2012/10/18 08:36:17, xians1 wrote:
> ditto
Same

Aaron Boodman

http://codereview.chromium.org/11198044/diff/8002/chrome/browser/extensions/extension_host.cc File chrome/browser/extensions/extension_host.cc (right): http://codereview.chromium.org/11198044/diff/8002/chrome/browser/extensions/extension_host.cc#newcode643 chrome/browser/extensions/extension_host.cc:643: void ExtensionHost::RequestMediaAccessPermission( This code looks like a dupe of ...

8 years, 2 months ago (2012-10-18 22:14:09 UTC) #6

justinlin

8 years, 2 months ago (2012-10-19 02:22:54 UTC) #7

no longer working on chromium

http://codereview.chromium.org/11198044/diff/8002/chrome/browser/media/media_stream_devices_controller.cc File chrome/browser/media/media_stream_devices_controller.cc (right): http://codereview.chromium.org/11198044/diff/8002/chrome/browser/media/media_stream_devices_controller.cc#newcode78 chrome/browser/media/media_stream_devices_controller.cc:78: DCHECK(!tab_audio->second.empty() && !tab_video->second.empty()); It looks like you also changed ...

8 years, 2 months ago (2012-10-19 14:40:53 UTC) #8

justinlin

8 years, 2 months ago (2012-10-19 18:02:01 UTC) #9

http://codereview.chromium.org/11198044/diff/8002/chrome/browser/media/media_...
File chrome/browser/media/media_stream_devices_controller.cc (right):

http://codereview.chromium.org/11198044/diff/8002/chrome/browser/media/media_...
chrome/browser/media/media_stream_devices_controller.cc:78:
DCHECK(!tab_audio->second.empty() && !tab_video->second.empty());
On 2012/10/19 14:40:53, xians1 wrote:
> It looks like you also changed from || to &&, is it intentional?

No. Done. Sorry.

http://codereview.chromium.org/11198044/diff/11002/chrome/common/extensions/r...
File chrome/common/extensions/request_media_access_permission_helper.cc (right):

http://codereview.chromium.org/11198044/diff/11002/chrome/common/extensions/r...
chrome/common/extensions/request_media_access_permission_helper.cc:11: const
content::MediaStreamRequest* request,
On 2012/10/19 14:40:54, xians1 wrote:
> Are you sure the request won't be deleted before it quits the function?

Do you mean I should make a copy? I don't think I see any problem with it
getting deleted since none of the calling functions or original code expect it
to be deleted during authorization.

http://codereview.chromium.org/11198044/diff/11002/chrome/common/extensions/r...
chrome/common/extensions/request_media_access_permission_helper.cc:15: bool
allow_tab_media) {
On 2012/10/19 14:40:54, xians1 wrote:
> why do you need an extra allow_tab_media? reuse the allow_audio should be
enough
> for you.

Trying to preserve the existing functionality. In shell_window.cc (platform
apps), they require kAudioCapture and kVideoCapture permissions to access webcam
and mic (in extensions we didn't require that). For tab audio/video, we require
the kTabCapture permission for both platform_apps/extensions. I don't think we
need separate tab_audio/tab_video permissions because it's really always the
same "device".

Also, on second thought, since I didn't work before to get webcam/mic from an
extension, we should probably just keep it disabled. Made that change.

wjia(left Chromium)

last comment from me. https://codereview.chromium.org/11198044/diff/19003/chrome/browser/media/media_stream_devices_controller.cc File chrome/browser/media/media_stream_devices_controller.cc (right): https://codereview.chromium.org/11198044/diff/19003/chrome/browser/media/media_stream_devices_controller.cc#newcode88 chrome/browser/media/media_stream_devices_controller.cc:88: video_device_id : audio_device_id)) { Do ...

8 years, 2 months ago (2012-10-21 05:40:19 UTC) #10

justinlin

Thanks! https://codereview.chromium.org/11198044/diff/19003/chrome/browser/media/media_stream_devices_controller.cc File chrome/browser/media/media_stream_devices_controller.cc (right): https://codereview.chromium.org/11198044/diff/19003/chrome/browser/media/media_stream_devices_controller.cc#newcode88 chrome/browser/media/media_stream_devices_controller.cc:88: video_device_id : audio_device_id)) { On 2012/10/21 05:40:19, wjia ...

8 years, 2 months ago (2012-10-21 05:49:27 UTC) #11

justinlin

Sorry, I misread your last comment. They are always the same with the current tab ...

8 years, 2 months ago (2012-10-22 03:27:48 UTC) #12

Aaron Boodman

http://codereview.chromium.org/11198044/diff/23001/chrome/common/extensions/request_media_access_permission_helper.cc File chrome/common/extensions/request_media_access_permission_helper.cc (right): http://codereview.chromium.org/11198044/diff/23001/chrome/common/extensions/request_media_access_permission_helper.cc#newcode13 chrome/common/extensions/request_media_access_permission_helper.cc:13: bool allow_audio, I think it would be better to ...

8 years, 2 months ago (2012-10-24 01:29:38 UTC) #14

justinlin

Thanks!, addressed comments. Please take another look. http://codereview.chromium.org/11198044/diff/23001/chrome/common/extensions/request_media_access_permission_helper.cc File chrome/common/extensions/request_media_access_permission_helper.cc (right): http://codereview.chromium.org/11198044/diff/23001/chrome/common/extensions/request_media_access_permission_helper.cc#newcode13 chrome/common/extensions/request_media_access_permission_helper.cc:13: bool allow_audio, ...

8 years, 2 months ago (2012-10-24 02:04:54 UTC) #15

justinlin

On 2012/10/24 02:07:59, Aaron Boodman wrote: > lgtm jam: ptal the gypi changes

8 years, 2 months ago (2012-10-24 02:12:27 UTC) #17

no longer working on chromium

lgtm too http://codereview.chromium.org/11198044/diff/35001/chrome/common/extensions/request_media_access_permission_helper.cc File chrome/common/extensions/request_media_access_permission_helper.cc (right): http://codereview.chromium.org/11198044/diff/35001/chrome/common/extensions/request_media_access_permission_helper.cc#newcode15 chrome/common/extensions/request_media_access_permission_helper.cc:15: const extensions::Extension* extension, much nicer now. +1

8 years, 2 months ago (2012-10-24 08:01:56 UTC) #18

jam

On 2012/10/24 02:12:27, justinlin wrote: > On 2012/10/24 02:07:59, Aaron Boodman wrote: > > lgtm ...

8 years, 2 months ago (2012-10-24 16:40:39 UTC) #19

justinlin

sky@: please take a look at the gypi changes, thanks! On 2012/10/24 16:40:39, John Abd-El-Malek ...

8 years, 2 months ago (2012-10-24 16:53:04 UTC) #20

LGTM

Expand Messages | Collapse Messages