Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(328)

Issue 2450503002: Tighten IO thread blob/filesystem URL checks for apps with webview permission. (Closed)

Created:
4 years, 1 month ago by alexmos
Modified:
4 years, 1 month ago
Reviewers:
CC:
chromium-reviews
Target Ref:
refs/pending/branch-heads/2883
Project:
chromium
Visibility:
Public.

Description

Tighten IO thread blob/filesystem URL checks for apps with webview permission. [Merge to M55] The IO thread blob/filesystem URL security checks were originally introduced in r419019 and r422954. This was merged back to M54 and M55. They were later moved to the UI thread (into ExtensionNavigationThrottle) in r424937 to make them compatible with PlzNavigate. However, that only exists in M56. Per linked bug, we need to tighten the security check currently in M54 and M55 for apps with a "webview" permission where the problematic blob/filesystem URL requests aren't made from the guest process. This is the plan for fixing this: 1. https://codereview.chromium.org/2435593007/: Reintroduce these IO thread checks on M56. 2. <This CL> Tighten the checks for the scenario above using ChildProcessSecurityPolicy. 3. Merge the CL from step 2 back to M55 and M54. 4. Remove these checks from M56 and tighten the checks in ExtensionNavigationThrottle. The goal of this CL is to determine if a request is being made by a guest process on the IO thread. It relies on the fact that ChildProcessSecurityPolicyImpl already has the origin "chrome-extension://<appid>" in the origin_set_ for the guest process, thanks to the GrantOrigin that was added to WebViewGuest::CreateWebContents in r422976 as part of fixing issue 652784. Therefore, it's sufficient to check whether the requested nested URL's origin is in the origin_set_ for the process making the request. BUG=656752 Review-Url: https://chromiumcodereview.appspot.com/2437753003 Cr-Commit-Position: refs/heads/master@{#426870} (cherry picked from commit f7af135c51a99daba0cdb5ef204465ff995802e4) Committed: https://chromium.googlesource.com/chromium/src/+/3299d4da316b8dd3cbf72e49e5b3de4ea806e87f

Patch Set 1 #

Unified diffs Side-by-side diffs Delta from patch set Stats (+155 lines, -2 lines) Patch
M chrome/browser/extensions/process_manager_browsertest.cc View 2 chunks +107 lines, -0 lines 0 comments Download
M chrome/browser/net/chrome_extensions_network_delegate.cc View 2 chunks +22 lines, -1 line 0 comments Download
M content/browser/child_process_security_policy_impl.h View 1 chunk +2 lines, -0 lines 0 comments Download
M content/browser/child_process_security_policy_impl.cc View 3 chunks +15 lines, -1 line 0 comments Download
M content/public/browser/child_process_security_policy.h View 1 chunk +9 lines, -0 lines 0 comments Download

Messages

Total messages: 2 (1 generated)
alexmos
4 years, 1 month ago (2016-10-24 18:41:00 UTC) #2
Message was sent while issue was closed.
Committed patchset #1 (id:1) manually as
3299d4da316b8dd3cbf72e49e5b3de4ea806e87f.

Powered by Google App Engine
This is Rietveld 408576698