Project: chromium
Status: Fixed
Owner: ----
Closed: Aug 2010
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: All
Pri: 2
Type: Bug-Security
M-6
Web pages should NOT be able to load resources if there are NO content scripts from that extension on the page
Reported by aa@chromium.org (Project Member), Jun 4 2010
We allow web pages to load resources from extensions as a feature to content scripts. However, 
if we know that an extension does not have any content scripts on a page, then we should not 
allow resources to be loaded from that extension.

For background, see bug 45521.

Comment 1 by aa@chromium.org, Jun 4 2010
Matt, can you take this for M6?
Comment 2 by aa@chromium.org, Jun 4 2010
+lostmon, original reporter of this issue.
Labels: Security
Summary: Web pages should NOT be able to load resources if there are NO content scripts from that extension on the page (was: NULL)
Labels: -SecSeverity-Low SecSeverity-Medium Mstone-6
Adjusting severity and marking M6 based on more analysis and discussions with laforge@.
Comment 6 by lost...@gmail.com, Jun 25 2010
So now you have patched it partially :)
I have installed Google Chrome 5.0.375.86 (official build 49890)

And now, for example, if a user has installed the Gmail Checker Plus extension or another extension, it can't be accessed via iframe :) (now the same-origin policy is applied correctly)
Test this PoC: www.indexamelaweb.com/test.html or see the attached file.

In the PoC, to test it I first installed this extension => https://chrome.google.com/extensions/detail/ffbhefmlcoihbjcmibbfkocmnaiacinp

Now the same-origin policy was applied correctly.

So in the case of extension enumeration, it still continues to be detectable; see this other
live PoC: http://www.indexamelaweb.com/enumeration.html
So, I ask again => is this bug valid for the proposed Chromium Security Reward?

Before you patched it, it bypassed the same-origin policy and extensions could be detected in normal & incognito mode, and after the patch extensions continue to be detectable...
Comment 7 by lost...@gmail.com, Jun 25 2010
Sorry, bad HTML; it can continue to be accessible via iframe. Test the live PoC => http://www.indexamelaweb.com/test.html
Aaron / Justin -- did we actually patch anything in 5.0.375.86 as Lostmon seems to suggest? I don't see any reference in the release notes.

Comment 9 by lost...@gmail.com, Jun 25 2010
Not patched, sorry, I had written some bad HTML code.
Comment 10 by aa@chromium.org, Jun 29 2010
Status: Assigned
Labels: OS-All
Cleaning up mstone:6 bugs, default assumption is that bugs w/ no os are os-all
Pinging to make sure someone is on this for M6.
Comment 13 by aa@chromium.org, Jul 13 2010
Labels: -Mstone-6 Mstone-7
I'm sorry, I don't think we're going to get to it.
Labels: -Mstone-7 Mstone-6
Aaron, you need to talk to someone on the security team before punting an open security issue. We'll take a look at this, get the details, and circle back.

Comment 15 by aa@chromium.org, Jul 13 2010
Status: Available
Ok.
Aaron - since you guys are busy, is there any objection if someone on the security team takes a crack at this in the next week or so?

Comment 17 by aa@chromium.org, Jul 13 2010
No objection to this bug specifically. I would rather not do the whitelist part that you and I talked about for M6. I consider that a separate issue.
Aaron - Agreed. But someone on the security team should be able to squeeze this particular bug in before the M6 cutoff.
Comment 19 by aa@chromium.org, Jul 13 2010
Here are my rough thoughts on how to implement:

1. Modify Extension::GetEffectiveHostPermissions() to return an ExtensionExtent (chrome/common/extensions/extension_extent.h). The ExtensionExtent should contain:
  - All the URLPatterns from Extension::host_permissions_
  - All the URLPatterns from all the matches from all the content scripts. The path component of these URLPatterns should be set to "/*".
  - The code that is currently there does the above two steps, but instead of returning URLPatterns, it condenses the information down into just the hosts. That part is only needed by the install UI, and should move to extension_install_ui.cc somewhere.

2. Take a look at ExtensionInfo in chrome_url_request_context.h. Add an effective_host_permissions field and populate it from Extension::GetEffectiveHostPermissions() similarly to how the others are done.

3. In extension_protocols.cc, there are some other checks similar to the one you want to do in CreateExtensionURLRequestJob. Use context.effective_host_permissions.ContainsURL() to decide whether to block a resource load.

Note that this is only checking whether the extension being requested _could_ run code in the page. Checking whether the extension _did_ run code in the page is much more complicated and would probably involve upstream changes to keep track of whether any injections had been done.
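The three implementation steps in Comment 19, and the enumeration PoC lostmon describes in Comments 6 and 7, worked through as an added Python example. This is editorial illustration, not Chromium code and not code from anyone on this bug: the names URLPattern, ExtensionExtent, effective_host_permissions and contains_url follow the comment above, while the pattern-matching rules (scheme "*" meaning http or https, "*.host" subdomain wildcards, a "*" path glob matched against path plus query), the fake extension IDs, the manifests and the attacker URL are all constructed assumptions. As Comment 19 says, the check only decides whether the extension could run a content script on the requesting page, not whether it did.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

ALL_URLS = "<all_urls>"  # sentinel scheme for the <all_urls> pattern


@dataclass(frozen=True)
class URLPattern:
    """Manifest match pattern scheme://host/path: scheme '*' means http or
    https, host may be '*' or '*.example.com', path is a glob ('*' = any run)."""
    scheme: str
    host: str
    path: str

    @classmethod
    def parse(cls, text):
        if text == ALL_URLS:
            return cls(ALL_URLS, "*", "/*")
        scheme, sep, rest = text.partition("://")
        host, slash, path = rest.partition("/")
        if not sep or not slash:
            raise ValueError("bad match pattern: %r" % text)
        return cls(scheme, host.lower(), "/" + path)

    def with_path(self, path):
        return URLPattern(self.scheme, self.host, path)

    def matches(self, url):
        parts = urlsplit(url)
        if self.scheme == "*":
            if parts.scheme not in ("http", "https"):
                return False
        elif self.scheme != ALL_URLS and parts.scheme != self.scheme:
            return False
        host = parts.hostname or ""
        if self.host.startswith("*."):
            suffix = self.host[2:]
            if host != suffix and not host.endswith("." + suffix):
                return False
        elif self.host != "*" and host != self.host:
            return False
        # Assumption: the path glob is matched against path plus query.
        path = (parts.path or "/") + ("?" + parts.query if parts.query else "")
        regex = ".*".join(re.escape(piece) for piece in self.path.split("*"))
        return re.fullmatch(regex, path) is not None


class ExtensionExtent:
    """Set of URLPatterns; contains_url() plays the role of ContainsURL()."""
    def __init__(self, patterns=()):
        self.patterns = list(patterns)

    def add_pattern(self, pattern):
        self.patterns.append(pattern)

    def contains_url(self, url):
        return any(p.matches(url) for p in self.patterns)


@dataclass
class Extension:
    id: str
    host_permissions: list        # URL entries of the manifest "permissions"
    content_script_matches: list  # "matches" of every content script

    @classmethod
    def from_manifest(cls, ext_id, manifest):
        hosts = [URLPattern.parse(p) for p in manifest.get("permissions", [])
                 if p == ALL_URLS or "://" in p]
        scripts = [URLPattern.parse(m)
                   for script in manifest.get("content_scripts", [])
                   for m in script.get("matches", [])]
        return cls(ext_id, hosts, scripts)

    def effective_host_permissions(self):
        """Step 1: host permissions as declared, plus each content script match
        widened to path "/*" (a script on any page of an origin privileges the
        whole origin)."""
        extent = ExtensionExtent(self.host_permissions)
        for pattern in self.content_script_matches:
            extent.add_pattern(pattern.with_path("/*"))
        return extent


def allow_extension_resource_load(ext, page_url, origin_check=True):
    """Step 3: may a page at page_url load chrome-extension://<ext.id>/...?
    origin_check=False reproduces the pre-fix behaviour (any page may)."""
    parts = urlsplit(page_url)
    if parts.scheme == "chrome-extension" and parts.hostname == ext.id:
        return True  # the extension's own pages always see their resources
    return not origin_check or ext.effective_host_permissions().contains_url(page_url)


def enumerable_extensions(installed, probe_page_url, origin_check=True):
    """IDs an attacker page learns by probing chrome-extension://<id>/<file>
    (for instance via <img>/<iframe> load and error events) for each known ID."""
    return [e.id for e in installed
            if allow_extension_resource_load(e, probe_page_url, origin_check)]


# Constructed sample data: fake IDs and manifests, not real extensions.
INSTALLED = [
    Extension.from_manifest("a" * 32, {"permissions": ["tabs"], "content_scripts": [
        {"matches": ["https://mail.google.com/mail/*"], "js": ["cs.js"]}]}),
    Extension.from_manifest("b" * 32, {"content_scripts": [
        {"matches": [ALL_URLS], "js": ["cs.js"]}]}),
    Extension.from_manifest("c" * 32, {"permissions": ["http://*.example.com/api/*"]}),
]
ATTACKER_PAGE = "http://attacker.example/enumeration.html"

if __name__ == "__main__":
    print("before fix:", enumerable_extensions(INSTALLED, ATTACKER_PAGE, False))
    print("after fix: ", enumerable_extensions(INSTALLED, ATTACKER_PAGE))
```

Run stand-alone, the script shows the attacker page enumerating all three constructed extensions without the origin check and only the `<all_urls>` one with it. Note the asymmetry the plan creates: a content script matching only `https://mail.google.com/mail/*` makes every page on `mail.google.com` privileged, whereas a plain host permission keeps its declared path, so `http://www.example.com/index.html` still cannot load resources from the third extension.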
The following revision refers to this bug:
    http://src.chromium.org/viewvc/chrome?view=rev&revision=55103 

------------------------------------------------------------------------
r55103 | cdn@chromium.org | 2010-08-05 11:28:48 -0700 (Thu, 05 Aug 2010) | 10 lines
Changed paths:
   M http://src.chromium.org/viewvc/chrome/trunk/src/chrome/browser/extensions/extension_browsertests_misc.cc?r1=55103&r2=55102
   M http://src.chromium.org/viewvc/chrome/trunk/src/chrome/browser/extensions/extension_install_ui.cc?r1=55103&r2=55102
   M http://src.chromium.org/viewvc/chrome/trunk/src/chrome/browser/extensions/extension_protocols.cc?r1=55103&r2=55102
   M http://src.chromium.org/viewvc/chrome/trunk/src/chrome/browser/net/chrome_url_request_context.cc?r1=55103&r2=55102
   M http://src.chromium.org/viewvc/chrome/trunk/src/chrome/browser/net/chrome_url_request_context.h?r1=55103&r2=55102
   M http://src.chromium.org/viewvc/chrome/trunk/src/chrome/browser/profile_impl.cc?r1=55103&r2=55102
   M http://src.chromium.org/viewvc/chrome/trunk/src/chrome/common/extensions/extension.cc?r1=55103&r2=55102
   M http://src.chromium.org/viewvc/chrome/trunk/src/chrome/common/extensions/extension.h?r1=55103&r2=55102
   M http://src.chromium.org/viewvc/chrome/trunk/src/chrome/common/extensions/extension_unittest.cc?r1=55103&r2=55102
   M http://src.chromium.org/viewvc/chrome/trunk/src/chrome/common/extensions/url_pattern.h?r1=55103&r2=55102
   A http://src.chromium.org/viewvc/chrome/trunk/src/chrome/test/data/extensions/origin_privileges
   A http://src.chromium.org/viewvc/chrome/trunk/src/chrome/test/data/extensions/origin_privileges/extension
   A http://src.chromium.org/viewvc/chrome/trunk/src/chrome/test/data/extensions/origin_privileges/extension/manifest.json
   A http://src.chromium.org/viewvc/chrome/trunk/src/chrome/test/data/extensions/origin_privileges/extension/test.png
   A http://src.chromium.org/viewvc/chrome/trunk/src/chrome/test/data/extensions/origin_privileges/index.html

Refactored extension privilege enumeration and implemented URLPattern comparisons. 
This will allow checks on per origin extension resource access. Added origin
check when loading extension resources. 

BUG= 45876 
TEST=ExtensionTest.IsPrivilegeIncrease 
TEST=ExtensionTest.EffectiveHostPermissions
TEST=ExtensionBrowserTest.OriginPrivileges

Review URL: http://codereview.chromium.org/2808051
------------------------------------------------------------------------

Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify
Status: WillMerge
Needs to be merged to both 472 and 375, although not worth the hassle for 375.
Comment 24 by aa@chromium.org, Aug 12 2010
I think in addition to 55103, r55656 and r55909 should be merged. These are both in the same area and fix bugs in the original change.
The following revision refers to this bug:
    http://src.chromium.org/viewvc/chrome?view=rev&revision=56059 

------------------------------------------------------------------------
r56059 | aa@chromium.org | 2010-08-13 11:54:28 -0700 (Fri, 13 Aug 2010) | 13 lines
Changed paths:
   M http://src.chromium.org/viewvc/chrome/branches/472/src/chrome/browser/extensions/extension_browsertests_misc.cc?r1=56059&r2=56058
   M http://src.chromium.org/viewvc/chrome/branches/472/src/chrome/browser/extensions/extension_install_ui.cc?r1=56059&r2=56058
   M http://src.chromium.org/viewvc/chrome/branches/472/src/chrome/browser/extensions/extension_protocols.cc?r1=56059&r2=56058
   M http://src.chromium.org/viewvc/chrome/branches/472/src/chrome/browser/net/chrome_url_request_context.cc?r1=56059&r2=56058
   M http://src.chromium.org/viewvc/chrome/branches/472/src/chrome/browser/net/chrome_url_request_context.h?r1=56059&r2=56058
   M http://src.chromium.org/viewvc/chrome/branches/472/src/chrome/common/extensions/extension.cc?r1=56059&r2=56058
   M http://src.chromium.org/viewvc/chrome/branches/472/src/chrome/common/extensions/extension.h?r1=56059&r2=56058
   M http://src.chromium.org/viewvc/chrome/branches/472/src/chrome/common/extensions/extension_unittest.cc?r1=56059&r2=56058
   M http://src.chromium.org/viewvc/chrome/branches/472/src/chrome/common/extensions/url_pattern.h?r1=56059&r2=56058
   A http://src.chromium.org/viewvc/chrome/branches/472/src/chrome/test/data/extensions/origin_privileges
   A http://src.chromium.org/viewvc/chrome/branches/472/src/chrome/test/data/extensions/origin_privileges/extension
   A http://src.chromium.org/viewvc/chrome/branches/472/src/chrome/test/data/extensions/origin_privileges/extension/manifest.json
   A http://src.chromium.org/viewvc/chrome/branches/472/src/chrome/test/data/extensions/origin_privileges/extension/test.png
   A http://src.chromium.org/viewvc/chrome/branches/472/src/chrome/test/data/extensions/origin_privileges/index.html

Merge 55103 - Refactored extension privilege enumeration and implemented URLPattern comparisons. 
This will allow checks on per origin extension resource access. Added origin
check when loading extension resources. 

BUG= 45876 
TEST=ExtensionTest.IsPrivilegeIncrease 
TEST=ExtensionTest.EffectiveHostPermissions
TEST=ExtensionBrowserTest.OriginPrivileges

Review URL: http://codereview.chromium.org/2808051

TBR=cdn@chromium.org
Review URL: http://codereview.chromium.org/3173018
------------------------------------------------------------------------

The following revision refers to this bug:
    http://src.chromium.org/viewvc/chrome?view=rev&revision=56067 

------------------------------------------------------------------------
r56067 | aa@chromium.org | 2010-08-13 12:42:12 -0700 (Fri, 13 Aug 2010) | 16 lines
Changed paths:
   M http://src.chromium.org/viewvc/chrome/branches/472/src/chrome/browser/extensions/extension_browsertests_misc.cc?r1=56067&r2=56066
   M http://src.chromium.org/viewvc/chrome/branches/472/src/chrome/browser/extensions/extension_install_ui.cc?r1=56067&r2=56066
   M http://src.chromium.org/viewvc/chrome/branches/472/src/chrome/browser/extensions/extension_protocols.cc?r1=56067&r2=56066
   M http://src.chromium.org/viewvc/chrome/branches/472/src/chrome/browser/net/chrome_url_request_context.cc?r1=56067&r2=56066
   M http://src.chromium.org/viewvc/chrome/branches/472/src/chrome/browser/net/chrome_url_request_context.h?r1=56067&r2=56066
   M http://src.chromium.org/viewvc/chrome/branches/472/src/chrome/common/extensions/extension.cc?r1=56067&r2=56066
   M http://src.chromium.org/viewvc/chrome/branches/472/src/chrome/common/extensions/extension.h?r1=56067&r2=56066
   M http://src.chromium.org/viewvc/chrome/branches/472/src/chrome/common/extensions/extension_unittest.cc?r1=56067&r2=56066
   M http://src.chromium.org/viewvc/chrome/branches/472/src/chrome/common/extensions/url_pattern.h?r1=56067&r2=56066
   D /branches/472/src/chrome/test/data/extensions/origin_privileges

Revert 56059 - Merge 55103 - Refactored extension privilege enumeration and implemented URLPattern comparisons. 
This will allow checks on per origin extension resource access. Added origin
check when loading extension resources. 

BUG= 45876 
TEST=ExtensionTest.IsPrivilegeIncrease 
TEST=ExtensionTest.EffectiveHostPermissions
TEST=ExtensionBrowserTest.OriginPrivileges

Review URL: http://codereview.chromium.org/2808051

TBR=cdn@chromium.org
Review URL: http://codereview.chromium.org/3173018

TBR=aa@chromium.org
Review URL: http://codereview.chromium.org/3116011
------------------------------------------------------------------------

The following revision refers to this bug:
    http://src.chromium.org/viewvc/chrome?view=rev&revision=56215 

------------------------------------------------------------------------
r56215 | aa@chromium.org | 2010-08-16 11:23:06 -0700 (Mon, 16 Aug 2010) | 8 lines
Changed paths:
   M http://src.chromium.org/viewvc/chrome/branches/472/src/chrome/browser/extensions/app_process_apitest.cc?r1=56215&r2=56214
   M http://src.chromium.org/viewvc/chrome/branches/472/src/chrome/browser/extensions/extension_browsertests_misc.cc?r1=56215&r2=56214
   M http://src.chromium.org/viewvc/chrome/branches/472/src/chrome/browser/extensions/extension_install_ui.cc?r1=56215&r2=56214
   M http://src.chromium.org/viewvc/chrome/branches/472/src/chrome/browser/extensions/extension_protocols.cc?r1=56215&r2=56214
   M http://src.chromium.org/viewvc/chrome/branches/472/src/chrome/browser/net/chrome_url_request_context.cc?r1=56215&r2=56214
   M http://src.chromium.org/viewvc/chrome/branches/472/src/chrome/browser/net/chrome_url_request_context.h?r1=56215&r2=56214
   M http://src.chromium.org/viewvc/chrome/branches/472/src/chrome/browser/profile.cc?r1=56215&r2=56214
   M http://src.chromium.org/viewvc/chrome/branches/472/src/chrome/browser/renderer_host/render_view_host.h?r1=56215&r2=56214
   M http://src.chromium.org/viewvc/chrome/branches/472/src/chrome/common/extensions/extension.cc?r1=56215&r2=56214
   M http://src.chromium.org/viewvc/chrome/branches/472/src/chrome/common/extensions/extension.h?r1=56215&r2=56214
   M http://src.chromium.org/viewvc/chrome/branches/472/src/chrome/common/extensions/extension_constants.cc?r1=56215&r2=56214
   M http://src.chromium.org/viewvc/chrome/branches/472/src/chrome/common/extensions/extension_constants.h?r1=56215&r2=56214
   M http://src.chromium.org/viewvc/chrome/branches/472/src/chrome/common/extensions/extension_manifests_unittest.cc?r1=56215&r2=56214
   M http://src.chromium.org/viewvc/chrome/branches/472/src/chrome/common/extensions/extension_unittest.cc?r1=56215&r2=56214
   M http://src.chromium.org/viewvc/chrome/branches/472/src/chrome/common/extensions/url_pattern.h?r1=56215&r2=56214
   M http://src.chromium.org/viewvc/chrome/branches/472/src/chrome/test/data/extensions/api_test/app_process/manifest.json?r1=56215&r2=56214
   A http://src.chromium.org/viewvc/chrome/branches/472/src/chrome/test/data/extensions/manifest_tests/disallow_hybrid_1.json
   A http://src.chromium.org/viewvc/chrome/branches/472/src/chrome/test/data/extensions/manifest_tests/disallow_hybrid_2.json
   A http://src.chromium.org/viewvc/chrome/branches/472/src/chrome/test/data/extensions/origin_privileges
   A http://src.chromium.org/viewvc/chrome/branches/472/src/chrome/test/data/extensions/origin_privileges/extension
   A http://src.chromium.org/viewvc/chrome/branches/472/src/chrome/test/data/extensions/origin_privileges/extension/manifest.json
   A http://src.chromium.org/viewvc/chrome/branches/472/src/chrome/test/data/extensions/origin_privileges/extension2
   A http://src.chromium.org/viewvc/chrome/branches/472/src/chrome/test/data/extensions/origin_privileges/extension2/index.html
   A http://src.chromium.org/viewvc/chrome/branches/472/src/chrome/test/data/extensions/origin_privileges/extension2/manifest.json
   A http://src.chromium.org/viewvc/chrome/branches/472/src/chrome/test/data/extensions/origin_privileges/index.html

Merge 55103, 55656, and 55909.

This is a hand-merge of the above three files. I've verified the applicable
unit tests and browser tests pass.

BUG= 45876 

Review URL: http://codereview.chromium.org/3163014
------------------------------------------------------------------------

Status: FixUnreleased
That is awesome! Thanks Aaron.
Comment 29 by aa@chromium.org, Aug 16 2010
Comment 30 by lost...@gmail.com, Aug 16 2010
Good work!!!!
Many thanks for your hard work, and to all who have been involved in the loop :D
I am eager to try the new version when you launch it :)

Comment 31 by aa@chromium.org, Sep 13 2010
Issue 39518 has been merged into this issue.
Labels: -Restrict-View-SecurityNotify
Status: Fixed
Labels: Type-Security
Labels: SecImpacts-Stable
Batch update.
Project Member Comment 36 by bugdroid1@chromium.org, Oct 13 2012
Labels: Restrict-AddIssueComment-Commit
Owner: ----
This issue has been closed for some time. No one will pay attention to new comments.
If you are seeing this bug or have new data, please click New Issue to start a new bug.
Project Member Comment 37 by bugdroid1@chromium.org, Mar 10 2013
Labels: -Area-Internals -Feature-Extensions -SecSeverity-Medium -Mstone-6 -Type-Security -SecImpacts-Stable Cr-Platform-Extensions M-6 Security-Severity-Medium Cr-Internals Security-Impact-Stable Type-Bug-Security
Project Member Comment 38 by bugdroid1@chromium.org, Mar 13 2013
Labels: -Restrict-AddIssueComment-Commit Restrict-AddIssueComment-EditIssue
Project Member Comment 39 by bugdroid1@chromium.org, Mar 21 2013
Labels: -Security-Impact-Stable Security_Impact-Stable
Project Member Comment 40 by bugdroid1@chromium.org, Mar 21 2013
Labels: -Security-Severity-Medium Security_Severity-Medium
Project Member Comment 41 by sheriffbot@chromium.org, Oct 1 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Project Member Comment 42 by sheriffbot@chromium.org, Oct 2 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Labels: allpublic