Chromium Code Reviews
|
|
Chromium Code Reviews
Issue
246533006:
Block renderer-initiated navigation to other chrome URLs on signin page (Closed)
|
Created:
6 years, 8 months ago by guohui Modified:
6 years, 7 months ago CC:
chromium-reviews, darin-cc_chromium.org, nasko+codewatch_chromium.org, jam, creis+watch_chromium.org Base URL:
svn://svn.chromium.org/chrome/trunk/src Visibility:
Public. |
DescriptionBlock renderer-initiated navigation to other chrome URLs on signin page.
BUG=366127
Committed: https://src.chromium.org/viewvc/chrome?view=rev&revision=266721
Patch Set 1 : #Patch Set 2 : test added #Patch Set 3 : fix broken test #Patch Set 4 : #
Messages
Total messages: 26 (0 generated)
Hey, could you please take a look at the CL? Will add unit test after the main code is approved. Thanks, Hui
Yes, that check looks like a good starting point. What happens if you force RenderFrameImpl::DecidePolicyForNavigation to return default_policy and then click a link (or use a script to navigate) to chrome://settings? That should simulate an exploited renderer which decides not to use OpenURL. Hopefully we'll catch it already in something like FilterURL, but if not we can think about how. And thanks, I agree we'll need a test.
On 2014/04/23 20:54:03, Charlie Reis wrote: > Yes, that check looks like a good starting point. > > What happens if you force RenderFrameImpl::DecidePolicyForNavigation to return > default_policy and then click a link (or use a script to navigate) to > chrome://settings? That should simulate an exploited renderer which decides not > to use OpenURL. Hopefully we'll catch it already in something like FilterURL, > but if not we can think about how. Tested on a local build with DecidePolicyForNavigation always returning default_policy, i am able to trigger navigation to chrome://settings, but the settings page is not loaded and instead shows the standard error "this webpage is not available". Is this good enough? > > And thanks, I agree we'll need a test.
On 2014/04/24 21:40:54, guohui wrote: > On 2014/04/23 20:54:03, Charlie Reis wrote: > > Yes, that check looks like a good starting point. > > > > What happens if you force RenderFrameImpl::DecidePolicyForNavigation to return > > default_policy and then click a link (or use a script to navigate) to > > chrome://settings? That should simulate an exploited renderer which decides > not > > to use OpenURL. Hopefully we'll catch it already in something like FilterURL, > > but if not we can think about how. > Tested on a local build with DecidePolicyForNavigation always returning > default_policy, i am able to trigger navigation to chrome://settings, but the > settings page is not loaded and instead shows the standard error "this webpage > is not available". > > Is this good enough? Interesting. I'm curious what's preventing us from loading other chrome:// URLs in that process. Do you see any clues? Anyway, the AllowOpenURL check should be sufficient to prevent any process swap to another chrome:// URL, which is the main goal. > > > > > And thanks, I agree we'll need a test.
On 2014/04/24 21:53:35, Charlie Reis wrote: > On 2014/04/24 21:40:54, guohui wrote: > > On 2014/04/23 20:54:03, Charlie Reis wrote: > > > Yes, that check looks like a good starting point. > > > > > > What happens if you force RenderFrameImpl::DecidePolicyForNavigation to > return > > > default_policy and then click a link (or use a script to navigate) to > > > chrome://settings? That should simulate an exploited renderer which decides > > not > > > to use OpenURL. Hopefully we'll catch it already in something like > FilterURL, > > > but if not we can think about how. > > Tested on a local build with DecidePolicyForNavigation always returning > > default_policy, i am able to trigger navigation to chrome://settings, but the > > settings page is not loaded and instead shows the standard error "this webpage > > is not available". > > > > Is this good enough? > > Interesting. I'm curious what's preventing us from loading other chrome:// URLs > in that process. Do you see any clues? URLDataManagerBackend::GetDataSourceFromURL returns NULL for the URL chrome://settings from the chrome-signin process, thus URLRequestChromeJob::StartAsyn failed with net::ERR_INVALID_URL. I guess it worked without my fix because of process swap. > > Anyway, the AllowOpenURL check should be sufficient to prevent any process swap > to another chrome:// URL, which is the main goal. > > > > > > > > > > And thanks, I agree we'll need a test.
@charlie, are you ok with the main code? if yes i ll go ahead with adding unit test.
On 2014/04/25 14:30:54, guohui wrote: > @charlie, are you ok with the main code? if yes i ll go ahead with adding unit > test. Yes, it sounds like the sign-in process doesn't have the ability to load other chrome pages itself, and we can block process swaps to them using AllowOpenURL. Thanks for investigating it. In the future, you don't need to wait to write the test until the main code is fully approved. In many cases (this included), the test should be somewhat agnostic of how the fix works (e.g., trying to navigate to a chrome:// URL in the sign-in process).
Added test, please take another look, thanks!
Thanks! LGTM.
The CQ bit was checked by guohui@chromium.org
CQ is trying da patch. Follow status at https://chromium-status.appspot.com/cq/guohui@chromium.org/246533006/70001
The CQ bit was checked by guohui@chromium.org
CQ is trying da patch. Follow status at https://chromium-status.appspot.com/cq/guohui@chromium.org/246533006/90001
The CQ bit was checked by guohui@chromium.org
CQ is trying da patch. Follow status at https://chromium-status.appspot.com/cq/guohui@chromium.org/246533006/110001
The CQ bit was unchecked by commit-bot@chromium.org
Try jobs failed on following builders: tryserver.chromium on linux_chromium_chromeos_rel
The CQ bit was checked by guohui@chromium.org
CQ is trying da patch. Follow status at https://chromium-status.appspot.com/cq/guohui@chromium.org/246533006/110001
The CQ bit was unchecked by commit-bot@chromium.org
Try jobs failed on following builders: tryserver.chromium on linux_chromium_chromeos_rel
The CQ bit was checked by guohui@chromium.org
CQ is trying da patch. Follow status at https://chromium-status.appspot.com/cq/guohui@chromium.org/246533006/110001
Message was sent while issue was closed.
Change committed as 266721 |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
