Chromium Code Reviews
|
|
Chromium Code Reviews
Issue
722233004:
Accept invalid chrome-extension:// and chrome:// CSP tokens (Closed)
|
Created:
6 years, 1 month ago by robwu Modified:
6 years, 1 month ago Reviewers:
not at google - send to devlin CC:
chromium-reviews, chromium-apps-reviews_chromium.org, extensions-reviews_chromium.org Base URL:
https://chromium.googlesource.com/chromium/src.git@master Project:
chromium Visibility:
Public. |
DescriptionAccept invalid chrome-extension:// and chrome:// CSP tokens
Do not refuse to load the extension when the CSP contains
"chrome-extension://", because there are some extensions in the wild
that contains this token in the CSP. It is safe to accept this token
because the invalid CSP token is ignored by Blink (together with an
error message in the console, so the developer can fix the problem if
they bother to look at the console).
BUG=432227
R=kalman@chromium.org
Committed: https://crrev.com/087183913f74ebd1e18964fabd269dfebb4763f3
Cr-Commit-Position: refs/heads/master@{#304922}
Patch Set 1 #Patch Set 2 : Add test #Patch Set 3 : Simplify patch - just accept any empty host #
Total comments: 2
Patch Set 4 : Add extra comments #Messages
Total messages: 27 (4 generated)
Ben, could you quickly take a look at this? If we wait a few more days, M39 will be released and the exclusion of this patch will break some extensions. An alternative to merging this patch is to contact some of the affected extension authors. WDYT? There is 1 extension with 400k+ users; There are 2 extensions from 2013 with 6k users each; There are 3 extensions with 523, 802 and 1046 users that are actively developed. There are 7 extensions with 146 - 348 users, half of them are dead. There is 1 extension with 1k users that is already broken in terms of functionality. There are 41 extensions with fewer than 100 users (I haven't reviewed their source code yet).
I'd like to see this backed up with tests. But I'd also like to see developers fix their extensions. Hm, a lot has happened since these changes went in (to my memory), why don't we just ignore invalid CSP and apply the default CSP if it doesn't parse?
On 2014/11/18 01:29:39, kalman wrote: > I'd like to see this backed up with tests. But I'd also like to see developers > fix their extensions. There's an error in the console when the token is invalid. > Hm, a lot has happened since these changes went in (to my memory), why don't we > just ignore invalid CSP and apply the default CSP if it doesn't parse? Not refusing to load the extension? Sounds good. To be consistent with CSP, I would skip invalid tokens, print an error and apply the valid CSP tokens.
Skipping invalid tokens sounds even better, hopefully there is already something which has implemented parsing for you.
Aw. 39 shipped and broke an extension with 400k users: https://chrome.google.com/webstore/detail/advanced-rest-client/hgmloofddffdnp... kalman, can we ship this simple fix and merge it with stable and beta?
Patchset #3 (id:40001) has been deleted
Patchset #3 (id:60001) has been deleted
The CQ bit was checked by rob@robwu.nl
CQ is trying da patch. Follow status at https://chromium-cq-status.appspot.com/patch-status/722233004/80001
Message was sent while issue was closed.
Committed patchset #3 (id:80001)
Message was sent while issue was closed.
Patchset 3 (id:??) landed as https://crrev.com/67244e678279741947c09ba2ab18fbfec1707a97 Cr-Commit-Position: refs/heads/master@{#304799}
Message was sent while issue was closed.
Wuh, how did this land, there was never an lg?
Message was sent while issue was closed.
Please revert.
Message was sent while issue was closed.
On 2014/11/19 17:27:29, kalman wrote: > Wuh, how did this land, there was never an lg? I did a TBR, because there is something broken in the wild (assuming that you would be okay with the change that is backed by a test). I was planning to submit the ignore-invalid-CSP in a separate CL, but that is slightly more complex than the current two-line change, so that will probably require some baking.
Message was sent while issue was closed.
https://codereview.chromium.org/722233004/diff/80001/extensions/common/csp_va... File extensions/common/csp_validator_unittest.cc (right): https://codereview.chromium.org/722233004/diff/80001/extensions/common/csp_va... extensions/common/csp_validator_unittest.cc:101: EXPECT_TRUE(ContentSecurityPolicyIsSecure( Explain why this is secure (and link to the bug). https://codereview.chromium.org/722233004/diff/80001/extensions/common/csp_va... extensions/common/csp_validator_unittest.cc:170: EXPECT_TRUE(ContentSecurityPolicyIsSecure( Ditto.
Message was sent while issue was closed.
A revert of this CL (patchset #3 id:80001) has been created in https://codereview.chromium.org/739133003/ by rob@robwu.nl. The reason for reverting is: Need some extra comments before relanding.
Message was sent while issue was closed.
On 2014/11/19 17:31:27, robwu wrote: > On 2014/11/19 17:27:29, kalman wrote: > > Wuh, how did this land, there was never an lg? > > I did a TBR, because there is something broken in the wild (assuming that you > would be okay with the change that is backed by a test). This isn't what TBR is for. For starters we can't just immediately push out some change to 39, so TBR doesn't necessarily help it out any more quickly. Secondly... just never TBR anything other than a revert or changes like renaming an interface which touches a whole bunch of files (and even that people often don't TBR). > > I was planning to submit the ignore-invalid-CSP in a separate CL, but that is > slightly more complex than the current two-line change, so that will probably > require some baking. However - I think your instinct is right, that this patch is a mergable quick fix and probably the right thing to do.
Message was sent while issue was closed.
If you change me from TBR= to R= then lgtm on this patch.
Message was sent while issue was closed.
On 2014/11/19 17:40:37, kalman wrote: > If you change me from TBR= to R= then lgtm on this patch. (you'll need to re-open it)
Added extra comments. Thanks for educating me one the right use of TBR.
Ben, does the new comments in PS 4 lg to you?
lgtm
The CQ bit was checked by rob@robwu.nl
CQ is trying da patch. Follow status at https://chromium-cq-status.appspot.com/patch-status/722233004/100001
Message was sent while issue was closed.
Committed patchset #4 (id:100001)
Message was sent while issue was closed.
Patchset 4 (id:??) landed as https://crrev.com/087183913f74ebd1e18964fabd269dfebb4763f3 Cr-Commit-Position: refs/heads/master@{#304922} |
