Put "Inject JS" Applescript Command behind a Finch flag |
|||||||||||||||
Issue descriptionPut "Inject JS" Applescript Command behind a Finch flag so that we have can control whether it's turned off
,
Nov 2 2016
Sure thing
,
Nov 2 2016
Based on experience with taking away other power user features (full screen) that can have extension-based workarounds, we should make sure it's easy for someone who was relying on this to migrate to that. I don't have time to check, but is https://chromium.googlesource.com/chromium/src/+/master/chrome/common/extensions/docs/examples/api/nativeMessaging sufficient, and easy to adapt safely?
,
Nov 2 2016
dcheng@ also noted that we need to block javascript: navigations in -[TabAppleScript setURL:]. Otherwise, the following would work as a trivial bypass: tell application "Google Chrome" set URL of tab 1 of window 1 to "javascript:window.location='http://pwnd/'" end tell
,
Nov 2 2016
That's a good point. Is there something we currently use to filter out javascript: navigations?
,
Nov 2 2016
GURL::SchemeIs(url::kJavaScriptScheme) is the proper check.
,
Nov 2 2016
Great, thanks!
,
Nov 4 2016
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/7e175f3dc08de15c7de87c09a70b1e98551e9fcd commit 7e175f3dc08de15c7de87c09a70b1e98551e9fcd Author: spqchan <spqchan@chromium.org> Date: Fri Nov 04 22:09:31 2016 [Mac] Add a feature flag to disable Javascript execution in Applescript BUG= 661810 Review-Url: https://codereview.chromium.org/2477633003 Cr-Commit-Position: refs/heads/master@{#430030} [modify] https://crrev.com/7e175f3dc08de15c7de87c09a70b1e98551e9fcd/chrome/app/generated_resources.grd [modify] https://crrev.com/7e175f3dc08de15c7de87c09a70b1e98551e9fcd/chrome/browser/ui/cocoa/applescript/bookmark_item_applescript.mm [modify] https://crrev.com/7e175f3dc08de15c7de87c09a70b1e98551e9fcd/chrome/browser/ui/cocoa/applescript/error_applescript.h [modify] https://crrev.com/7e175f3dc08de15c7de87c09a70b1e98551e9fcd/chrome/browser/ui/cocoa/applescript/error_applescript.mm [modify] https://crrev.com/7e175f3dc08de15c7de87c09a70b1e98551e9fcd/chrome/browser/ui/cocoa/applescript/tab_applescript.mm [modify] https://crrev.com/7e175f3dc08de15c7de87c09a70b1e98551e9fcd/chrome/common/chrome_features.cc [modify] https://crrev.com/7e175f3dc08de15c7de87c09a70b1e98551e9fcd/chrome/common/chrome_features.h
,
Nov 4 2016
,
Mar 15 2017
As this change rolls out, JavaScript injection via Applescript will not work in Chrome. We’re making this change in order to protect users from disruptive ads. Applications that legitimately need to inject JavaScript into Chrome can do so by publishing an extension and using Native Messaging to communicate with their application process. https://developer.chrome.com/extensions https://developer.chrome.com/extensions/nativeMessaging
,
Apr 6 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/5a988db10ba9ed054abe390821248a795f470713 commit 5a988db10ba9ed054abe390821248a795f470713 Author: spqchan <spqchan@chromium.org> Date: Thu Apr 06 19:37:15 2017 [Mac] Enable Applescript's "Execute Javascript" Command by Default Finch will be used to disable it on canary/dev/beta BUG= 661810 Review-Url: https://codereview.chromium.org/2798243005 Cr-Commit-Position: refs/heads/master@{#462585} [modify] https://crrev.com/5a988db10ba9ed054abe390821248a795f470713/chrome/common/chrome_features.cc
,
Apr 6 2017
,
Apr 6 2017
This bug requires manual review: There is .grd file changes and we are only 18 days from stable. Please contact the milestone owner if you have questions. Owners: amineer@(Android), cmasso@(iOS), bhthompson@(ChromeOS), govind@(Desktop) For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Apr 6 2017
Are you requesting a merge for CL listed at #11? And there is no .grd file changes, correct?
,
Apr 6 2017
Yes, the one listed in #11. There are no grd file changes
,
Apr 6 2017
Ok, please update the bug once change is baked/verified in Canary.
,
Apr 6 2017
Not a Dev blocker.
,
Apr 7 2017
It's baked in Canary. I tested it out and it's working as expected. Can I merge it?
,
Apr 7 2017
Approving merge to M58 branch 3029 based on comment #15 and #18. Thank you.
,
Apr 7 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/a1643339b9bfc4d863211ceb7ba0789a743bda78 commit a1643339b9bfc4d863211ceb7ba0789a743bda78 Author: spqchan <spqchan@chromium.org> Date: Fri Apr 07 18:28:43 2017 [Mac] Enable Applescript's "Execute Javascript" Command by Default Finch will be used to disable it on canary/dev/beta BUG= 661810 Review-Url: https://codereview.chromium.org/2798243005 Cr-Commit-Position: refs/heads/master@{#462585} (cherry picked from commit 5a988db10ba9ed054abe390821248a795f470713) Review-Url: https://codereview.chromium.org/2801133003 . Cr-Commit-Position: refs/branch-heads/3029@{#629} Cr-Branched-From: 939b32ee5ba05c396eef3fd992822fcca9a2e262-refs/heads/master@{#454471} [modify] https://crrev.com/a1643339b9bfc4d863211ceb7ba0789a743bda78/chrome/common/chrome_features.cc
,
Apr 10 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/fcc16efe4623f2452944d08d0a4d672dffafef00 commit fcc16efe4623f2452944d08d0a4d672dffafef00 Author: spqchan <spqchan@chromium.org> Date: Mon Apr 10 21:57:11 2017 Add Field Test for AppleScriptExecuteJavascript BUG= 661810 Review-Url: https://codereview.chromium.org/2813713002 Cr-Commit-Position: refs/heads/master@{#463412} [modify] https://crrev.com/fcc16efe4623f2452944d08d0a4d672dffafef00/testing/variations/fieldtrial_testing_config.json
,
Apr 10 2017
Requesting merge for the CL in #21 Will merge once it's baked into canary
,
Apr 11 2017
This bug requires manual review: We are only 13 days from stable. Please contact the milestone owner if you have questions. Owners: amineer@(Android), cmasso@(iOS), bhthompson@(ChromeOS), govind@(Desktop) For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Apr 11 2017
Re #22, please update the bug with canary result. If it looks good in Canary, will approve merge to M58. Thank you.
,
Apr 11 2017
It looks good!
,
Apr 11 2017
Great thanks, approving for M58 Merge.
,
Apr 11 2017
Your change is approved for M58. Please merge ASAP so that it will be picked up for last Beta Release, RC today(Tuesday-04/11) at 4.00 PM PST. Note : We will be rolling out for Pre-Stable next week.
,
Apr 11 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/d5e9397c2332b90782b7c661966747bc331e0e2f commit d5e9397c2332b90782b7c661966747bc331e0e2f Author: spqchan <spqchan@chromium.org> Date: Tue Apr 11 21:27:21 2017 Add Field Test for AppleScriptExecuteJavascript BUG= 661810 Review-Url: https://codereview.chromium.org/2813713002 Cr-Commit-Position: refs/heads/master@{#463412} (cherry picked from commit fcc16efe4623f2452944d08d0a4d672dffafef00) TBR=isherman@chromium.org Review-Url: https://codereview.chromium.org/2814623004 . Cr-Commit-Position: refs/branch-heads/3029@{#668} Cr-Branched-From: 939b32ee5ba05c396eef3fd992822fcca9a2e262-refs/heads/master@{#454471} [modify] https://crrev.com/d5e9397c2332b90782b7c661966747bc331e0e2f/testing/variations/fieldtrial_testing_config.json
,
Apr 17 2017
Sarah, please add "https://support.google.com/chrome/?p=applescript" to the end of the error message, and merge that change to 59. This won't require translation so merge should be ok.
,
Apr 19 2017
ATTN: Official Chrome Developers and Managers Please do not release this change without providing the end-user a means to enable JavaScript injection using AppleScript, as is done with Safari. There are a great many Mac users, who prefer Chrome, that have essential workflows that depend on being able to do this. It would be a major impact to our productivity, and probably force us to switch browsers to Safari, which still supports JavaScript injection by AppleScript. There are also a number of high-use Mac apps like Alfred and Keyboard Maestro that depend on being able to inject JavaScript using AppleScript. I somewhat understand your security concerns, and I'm almost always a big fan of improved security. But I'm sure you realize too much security is like being in jail. Might as well not use the product at all. I do not understand the statement that this issue is the cause of ads being improperly displayed in the Chrome browser. I have never seen this, nor heard of it, and since AppleScript is ALWAYS executed in the user's context, and I don't see how it is possible, without the user approving it. Thank you for your careful consideration of this request. Best Regards, Jim Underwood aka JMichaelTX
,
Apr 20 2017
Greetings, Should AppleScript access to Google Chrome be limited I will no longer have any reason whatsoever to use it. For so called JS-injection via AppleScript to be a security issue a system would have to already be grossly compromised. AppleScript is available to the masses and makes many valuable workflows available through Chrome. Requiring a migration to extension-based systems will subvert Chrome's usefulness in so many ways... Apple handled this in Safari without being too heavy-handed by providing a simple switch available to the user in the Develop menu. In my opinion you should be adding MORE AppleScriptability to Chrome and NOT taking any away. Best Regards, Christopher Stone
,
Apr 25 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/5414dd0be42354864da00d8679afd4339d1f441e commit 5414dd0be42354864da00d8679afd4339d1f441e Author: spqchan <spqchan@chromium.org> Date: Tue Apr 25 21:26:42 2017 Update the "Execute Javascript" AppleScript error Append a link to the end of the error message. BUG= 661810 Review-Url: https://codereview.chromium.org/2824223003 Cr-Commit-Position: refs/heads/master@{#466050} (cherry picked from commit 439a48ad9710adb6dbf7c39e28d26f9e35d60be8) Review-Url: https://codereview.chromium.org/2836063006 . Cr-Commit-Position: refs/branch-heads/3071@{#206} Cr-Branched-From: a106f0abbf69dad349d4aaf4bcc4f5d376dd2377-refs/heads/master@{#464641} [modify] https://crrev.com/5414dd0be42354864da00d8679afd4339d1f441e/chrome/browser/ui/cocoa/applescript/error_applescript.mm
,
May 1 2017
,
May 8 2017
Just downloaded 59 beta. I cannot find a flag/option to have the JS injection via AppleScript turned on - Is it supposed to be there? Will it reach the final release? What's the due date?
,
Apr 7 2018
I am trying to run an AppleScript which injects legitimate JavaScript into Chrome Canary but i recently noticed this has been failing. As the screenshot shows, I am unable to execute the script properly, however, there is NO option to enable JavaScript execution in chrome, despite what the error message recommends. Can someone please clarify how to enable this option in canary?
,
Apr 8 2018
Sorry, the string is incorrect. I need to update it. You can access it via the View > Developer menu |
|||||||||||||||
►
Sign in to add a comment |
|||||||||||||||
Comment 1 by rsesek@chromium.org
, Nov 2 2016Components: Security
Labels: M-56