Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(28)

Issue 2958343002: [Extensions] Change renderer-side web accessible resource determination (Closed)

Created:
3 years, 5 months ago by Devlin
Modified:
3 years, 5 months ago
Reviewers:
lazyboy, alexmos, nasko
CC:
chromium-reviews, chromium-apps-reviews_chromium.org, extensions-reviews_chromium.org
Target Ref:
refs/heads/master
Project:
chromium
Visibility:
Public.

Description

[Extensions] Change renderer-side web accessible resource determination The web accessible resource determination in the renderer has an early-out for non-existent extensions. Unfortunately, this makes it possible to determine whether a user has a given extension installed through timing attacks - it takes longer to make a decision about whether to allow a resource to load when the extension is installed than when it isn't. This can be surprisingly accurate. Rejigger the web accessible resource determination in a few ways. Most importantly, keep a set of loaded extensions that have any accessible resources, and check this (rather than the full extension set) for whether to potentially allow the load. This way, an extension with no accessible resources and an uninstalled extension should take the same amount of time to reach a decision, which is the desired outcome. BUG=709464 BUG=611420 Review-Url: https://codereview.chromium.org/2958343002 Cr-Commit-Position: refs/heads/master@{#485494} Committed: https://chromium.googlesource.com/chromium/src/+/0e41fe8632d60a94200666e5eae0660bfdcd33e9

Patch Set 1 #

Patch Set 2 : fix #

Patch Set 3 : . #

Total comments: 28

Patch Set 4 : Alex's/Nasko's #

Patch Set 5 : Revert ancestor check #

Patch Set 6 : Expand comments #

Total comments: 6

Patch Set 7 : lazyboy's #

Total comments: 2

Patch Set 8 : s/web_accessible_ids/web_accessible_ids_ #

Unified diffs Side-by-side diffs Delta from patch set Stats (+148 lines, -40 lines) Patch
M chrome/renderer/extensions/chrome_extensions_renderer_client.h View 1 2 3 1 chunk +3 lines, -0 lines 0 comments Download
M chrome/renderer/extensions/chrome_extensions_renderer_client.cc View 1 2 3 1 chunk +10 lines, -0 lines 0 comments Download
M chrome/renderer/extensions/resource_request_policy.h View 1 2 3 3 chunks +12 lines, -1 line 0 comments Download
M chrome/renderer/extensions/resource_request_policy.cc View 1 2 3 4 5 6 7 3 chunks +91 lines, -39 lines 0 comments Download
M extensions/common/manifest_handlers/webview_info.h View 1 chunk +4 lines, -0 lines 0 comments Download
M extensions/common/manifest_handlers/webview_info.cc View 1 chunk +16 lines, -0 lines 0 comments Download
M extensions/renderer/dispatcher.cc View 1 2 3 2 chunks +4 lines, -0 lines 0 comments Download
M extensions/renderer/extensions_renderer_client.h View 1 2 3 2 chunks +8 lines, -0 lines 0 comments Download

Messages

Total messages: 51 (38 generated)
Devlin
Hey all, mind taking a look? lazyboy@ - extensions nasko/alexmos - web accessible resources gurus ...
3 years, 5 months ago (2017-06-30 00:46:56 UTC) #15
nasko
https://codereview.chromium.org/2958343002/diff/40001/chrome/renderer/extensions/resource_request_policy.cc File chrome/renderer/extensions/resource_request_policy.cc (right): https://codereview.chromium.org/2958343002/diff/40001/chrome/renderer/extensions/resource_request_policy.cc#newcode46 chrome/renderer/extensions/resource_request_policy.cc:46: (extension.is_hosted_app() && !IconsInfo::GetIcons(&extension).empty())) { I see this call scattered ...
3 years, 5 months ago (2017-06-30 18:08:10 UTC) #16
alexmos
https://codereview.chromium.org/2958343002/diff/40001/chrome/renderer/extensions/resource_request_policy.cc File chrome/renderer/extensions/resource_request_policy.cc (right): https://codereview.chromium.org/2958343002/diff/40001/chrome/renderer/extensions/resource_request_policy.cc#newcode85 chrome/renderer/extensions/resource_request_policy.cc:85: if (frame_url.GetOrigin() == extension_origin || I know you're not ...
3 years, 5 months ago (2017-06-30 21:10:18 UTC) #17
Devlin
https://codereview.chromium.org/2958343002/diff/40001/chrome/renderer/extensions/resource_request_policy.cc File chrome/renderer/extensions/resource_request_policy.cc (right): https://codereview.chromium.org/2958343002/diff/40001/chrome/renderer/extensions/resource_request_policy.cc#newcode46 chrome/renderer/extensions/resource_request_policy.cc:46: (extension.is_hosted_app() && !IconsInfo::GetIcons(&extension).empty())) { On 2017/06/30 18:08:10, nasko (out ...
3 years, 5 months ago (2017-07-06 00:40:39 UTC) #26
alexmos
LGTM https://codereview.chromium.org/2958343002/diff/40001/chrome/renderer/extensions/resource_request_policy.cc File chrome/renderer/extensions/resource_request_policy.cc (right): https://codereview.chromium.org/2958343002/diff/40001/chrome/renderer/extensions/resource_request_policy.cc#newcode72 chrome/renderer/extensions/resource_request_policy.cc:72: GURL page_origin = url::Origin(frame->Top()->GetSecurityOrigin()).GetURL(); On 2017/07/06 00:40:38, Devlin ...
3 years, 5 months ago (2017-07-06 18:20:06 UTC) #27
Devlin
https://codereview.chromium.org/2958343002/diff/40001/chrome/renderer/extensions/resource_request_policy.cc File chrome/renderer/extensions/resource_request_policy.cc (right): https://codereview.chromium.org/2958343002/diff/40001/chrome/renderer/extensions/resource_request_policy.cc#newcode72 chrome/renderer/extensions/resource_request_policy.cc:72: GURL page_origin = url::Origin(frame->Top()->GetSecurityOrigin()).GetURL(); On 2017/07/06 18:20:06, alexmos wrote: ...
3 years, 5 months ago (2017-07-06 19:14:56 UTC) #29
Devlin
lazyboy@, friendly ping when you get a chance. :)
3 years, 5 months ago (2017-07-07 00:35:52 UTC) #33
lazyboy
https://codereview.chromium.org/2958343002/diff/100001/chrome/renderer/extensions/resource_request_policy.cc File chrome/renderer/extensions/resource_request_policy.cc (right): https://codereview.chromium.org/2958343002/diff/100001/chrome/renderer/extensions/resource_request_policy.cc#newcode106 chrome/renderer/extensions/resource_request_policy.cc:106: // Note: we check web_accessible_ids (rather than first looking ...
3 years, 5 months ago (2017-07-10 22:36:39 UTC) #34
Devlin
https://codereview.chromium.org/2958343002/diff/100001/chrome/renderer/extensions/resource_request_policy.cc File chrome/renderer/extensions/resource_request_policy.cc (right): https://codereview.chromium.org/2958343002/diff/100001/chrome/renderer/extensions/resource_request_policy.cc#newcode106 chrome/renderer/extensions/resource_request_policy.cc:106: // Note: we check web_accessible_ids (rather than first looking ...
3 years, 5 months ago (2017-07-10 22:52:31 UTC) #37
lazyboy
lgtm https://codereview.chromium.org/2958343002/diff/120001/chrome/renderer/extensions/resource_request_policy.cc File chrome/renderer/extensions/resource_request_policy.cc (right): https://codereview.chromium.org/2958343002/diff/120001/chrome/renderer/extensions/resource_request_policy.cc#newcode106 chrome/renderer/extensions/resource_request_policy.cc:106: // Note: we check |web_accessible_ids| (rather than first ...
3 years, 5 months ago (2017-07-10 23:13:36 UTC) #38
Devlin
https://codereview.chromium.org/2958343002/diff/120001/chrome/renderer/extensions/resource_request_policy.cc File chrome/renderer/extensions/resource_request_policy.cc (right): https://codereview.chromium.org/2958343002/diff/120001/chrome/renderer/extensions/resource_request_policy.cc#newcode106 chrome/renderer/extensions/resource_request_policy.cc:106: // Note: we check |web_accessible_ids| (rather than first looking ...
3 years, 5 months ago (2017-07-11 02:06:07 UTC) #45
commit-bot: I haz the power
CQ is trying da patch. Follow status at: https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.org/2958343002/140001
3 years, 5 months ago (2017-07-11 02:06:25 UTC) #48
commit-bot: I haz the power
3 years, 5 months ago (2017-07-11 02:13:35 UTC) #51
Message was sent while issue was closed.
Committed patchset #8 (id:140001) as
https://chromium.googlesource.com/chromium/src/+/0e41fe8632d60a94200666e5eae0...

Powered by Google App Engine
This is Rietveld 408576698