Chromium Code Reviews Chromium Code Reviews
Issue
2399853003:
[M54 merge] Lock down creation of blob:chrome-extension URLs from non-extension processes. (Closed)
DescriptionMerges six security fixes to M54, related to blobs.
Merge patch created pair programming style with creis@ and nick@.
Several manual fixups were required to get the tests passing on M54.
BUG=644966, 646278, 652784
TEST=Manual testing included:
- Verifying exploit steps w/ chrome w/ --isolate-extensions
- content_browsertests and content_unittests
- The following browser_tests subsets, both w/ and w/o --isolate-extensions:
*ProcessManager*
*Grants*
*Exploit*
*TouchFocuses*
NOPRESUBMIT=true
NOTRY=true
TBR=nick@chromium.org
The following six fixes are included in this diff:
1. https://codereview.chromium.org/2322673005:
> Fix process transfers for blob urls of sites requiring dedicated processes
>
> RenderFrameHostManager::IsRendererTransferNeededForNavigation had a bug
> where it passed an effective url, instead of an effective SITE url, to
> a function that was expecting the latter.
>
> Add a test that exercises this case. Add a CHECK to content shell browser
> client to verify that we're actually getting site urls all the time.
>
> Committed: https://crrev.com/db193a1b105de523fd0bb089c9769a71ed287d9e
> Cr-Commit-Position: refs/heads/master@{#417752}
2. https://codereview.chromium.org/2331063002:
> Fix IsolateIcelandFrameTreeBrowserTest.ProcessSwitchForIsolatedBlob so
> that it's not flaky under --site-per-process.
>
> Committed: https://crrev.com/07fd7e19e0095aeb30bd2c99109d083bb67732cb
> Cr-Commit-Position: refs/heads/master@{#417987}
3. https://codereview.chromium.org/2365433002:
> (re-land) Disallow navigations to blob URLs with non-canonical origins.
>
> Re-landing this with a fix for xhr-to-blob-in-isolated-world.html
>
> Review-Url: https://codereview.chromium.org/2365433002
> Cr-Commit-Position: refs/heads/master@{#420436}
4. https://codereview.chromium.org/2332263002
[partial merge, just for the helper function it added, used by later CLs]
> Updated suborigin serialization to latest spec proposal
>
> This modifiest the serialization format of suborigins so they are now
> represented in the form https-so://suboriginname.host.name (or,
> alternatively, with the scheme http-so). This change removes collisions
> with potentially valid URLs that were being deserialized as suborigins.
>
> Additionally, this adds suborigins back as an experimental web platform
> feature rather than a testing feature.
>
> Review-Url: https://codereview.chromium.org/2332263002
> Cr-Commit-Position: refs/heads/master@{#420828}
> CQ_INCLUDE_TRYBOTS=master.tryserver.chromium.linux:linux_site_isolation
5. https://codereview.chromium.org/2364633004:
> Update ChildProcessSecurityPolicy so that the chrome-extension:// scheme
> is considered "web safe" to be requestable from any process, but only
> "web safe" to commit in extension processes.
>
> In ChildProcessSecurityPolicy::CanRequestURL and CanCommitURL, when
> seeing blob and filesystem urls, make a security decision based
> on the inner origin rather than the scheme.
>
> When the extensions ProcessManager (via ExtensionWebContentsObserver)
> notices a RenderFrame being created in an extension SiteInstance,
> grant that process permission to commit chrome-extension:// URLs.
>
> In BlobDispatcherHost, only allow creation of blob URLs from processes
> that would be able to commit them.
>
> Add a security exploit browsertest that verifies the above mechanisms
> working together.
>
> Committed: https://crrev.com/a411fd062bc68fc2b5fc3aca7e4cbb8e4a3e074e
> Committed: https://crrev.com/2a8ba8c4c186e5ea0a2ed938cc5d41441af64228
> Cr-Original-Commit-Position: refs/heads/master@{#421964}
> Cr-Commit-Position: refs/heads/master@{#422474}
6. https://codereview.chromium.org/2396533003:
> Allow <webview> to access URLs in the origin of the app embedding it.
>
> With r422474 creation of blob: URLs with origin of a chrome-extension://
> was locked down. However, the case of a <webview> loading an
> accessible_resource from its embedder and creating a blob: is disallowed.
> This CL adds permission for <webview> to create such URLs in the origin
> of its embedder.
>
> This CL is based on work by nick@chromium.org.
>
> Committed: https://crrev.com/5edda59b0b1cb8fff058b47567ac32e58be5168a
> Cr-Commit-Position: refs/heads/master@{#422976}
CQ_INCLUDE_TRYBOTS=master.tryserver.chromium.linux:linux_site_isolation
Patch Set 1 #Patch Set 2 : Additional merges and fixes #Patch Set 3 : Rebase #Messages
Total messages: 15 (10 generated)
|
