DescriptionNon-web-accessible extension URLs should not load in non-extension processes
Blocking of URL loads in the browser process cannot be as extensive as the one done in the renderer process, as we don't have the frame URL and page URL at resource load time. I've tried to do a similar check with the data available on the browser side.
The main part which I'm not entirely happy about is the check for DevTools pages. Currently, if an extension has DevTools page, all of its resources can be loaded by a compromised renderer. I think this can be tightened up with a follow up CL, if we find a good way of distinguishing DevTools processes or permissioning those requests.
BUG=173688
Committed: https://src.chromium.org/viewvc/chrome?view=rev&revision=184245
Patch Set 1 : #Patch Set 2 : Actual implementation of blocking. #
Total comments: 5
Patch Set 3 : Restoring CORS check. #Patch Set 4 : Fix? a compile error #
Total comments: 15
Patch Set 5 : Changes based on Charlie's review #Patch Set 6 : Fix for a failing unit test #
Messages
Total messages: 17 (0 generated)
|