Assigning low severity, as the debugger permission is quite powerful already. Devlin, can you please take a look?

Looks like this slipped through the cracks because of my low-severity rating, upgrading to medium severity. This bugs predates most of the bugs reported about devtools + extensions.

rdevlin.cronin: Uh oh! This issue still open and hasn't been updated in the last 434 days. This is a serious vulnerability, and we want to ensure that there's progress. Could you please leave an update with the current status and any potential blockers?

If you're not the right owner for this issue, could you please remove yourself as soon as possible or help us find the right one?

If the issue is fixed or you can't reproduce it, please close the bug. If you've started working on a fix, please set the status to Started.

Thanks for your time! To disable nags, add the Disable-Nags label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

rdevlin.cronin: Uh oh! This issue still open and hasn't been updated in the last 448 days. This is a serious vulnerability, and we want to ensure that there's progress. Could you please leave an update with the current status and any potential blockers?

If you're not the right owner for this issue, could you please remove yourself as soon as possible or help us find the right one?

If the issue is fixed or you can't reproduce it, please close the bug. If you've started working on a fix, please set the status to Started.

Thanks for your time! To disable nags, add the Disable-Nags label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Friendly security sheriff ping, this has been open for a while, any progress on it?

On it.

dgozman@, hoping you can guide me a bit for part of this.  It's easy enough to prevent the debugging host from attaching initially (I have a CL and test for this ready), but there's a tricky bit where we need to detach the debugger if the tab navigates to a file:// URL the extension doesn't have access to.  I think you recently handled something similar with webui pages; do you have some advice on how to handle this?

This function [1] is called for debugging sessions from extensions when trying to attach or page navigates somewhere. Returning false disconnects the debugging session.

[1] https://cs.chromium.org/chromium/src/content/browser/devtools/render_frame_devtools_agent_host.cc?rcl=6f29d60a5f3c8d095274b9a92c45e45b9cdf839b&l=966

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/4dafc317b6e614bdd86ea3e2f5c2fc2e8518a877

commit 4dafc317b6e614bdd86ea3e2f5c2fc2e8518a877
Author: Devlin Cronin <rdevlin.cronin@chromium.org>
Date: Fri Jun 22 23:16:31 2018

[Extensions] Restrict debugging file:-scheme URLs

Don't allow extensions to debug file:-scheme URLs if the extension does
not have explicit file access (as set in chrome://extensions). Achieve
this by introducing a new virtual method on DevToolsAgentHostClient to
allow the implementor to check if a given host is allowed to be
inspected.

Add regression tests for the same.

Bug:  666299 

Change-Id: Icb5ee89bf788643eee166eef83802d10ab825a6c
Reviewed-on: https://chromium-review.googlesource.com/1104954
Commit-Queue: Devlin <rdevlin.cronin@chromium.org>
Reviewed-by: Dmitry Gozman <dgozman@chromium.org>
Cr-Commit-Position: refs/heads/master@{#569828}
[modify] https://crrev.com/4dafc317b6e614bdd86ea3e2f5c2fc2e8518a877/chrome/browser/extensions/api/debugger/debugger_api.cc
[modify] https://crrev.com/4dafc317b6e614bdd86ea3e2f5c2fc2e8518a877/chrome/browser/extensions/api/debugger/debugger_apitest.cc
[add] https://crrev.com/4dafc317b6e614bdd86ea3e2f5c2fc2e8518a877/chrome/test/data/extensions/api_test/debugger_file_access/background.js
[add] https://crrev.com/4dafc317b6e614bdd86ea3e2f5c2fc2e8518a877/chrome/test/data/extensions/api_test/debugger_file_access/dummy.html
[add] https://crrev.com/4dafc317b6e614bdd86ea3e2f5c2fc2e8518a877/chrome/test/data/extensions/api_test/debugger_file_access/manifest.json
[modify] https://crrev.com/4dafc317b6e614bdd86ea3e2f5c2fc2e8518a877/content/browser/devtools/devtools_agent_host_impl.cc
[modify] https://crrev.com/4dafc317b6e614bdd86ea3e2f5c2fc2e8518a877/content/browser/devtools/devtools_agent_host_impl.h
[modify] https://crrev.com/4dafc317b6e614bdd86ea3e2f5c2fc2e8518a877/content/browser/devtools/render_frame_devtools_agent_host.cc
[modify] https://crrev.com/4dafc317b6e614bdd86ea3e2f5c2fc2e8518a877/content/browser/devtools/render_frame_devtools_agent_host.h
[modify] https://crrev.com/4dafc317b6e614bdd86ea3e2f5c2fc2e8518a877/content/public/browser/BUILD.gn
[add] https://crrev.com/4dafc317b6e614bdd86ea3e2f5c2fc2e8518a877/content/public/browser/devtools_agent_host_client.cc
[modify] https://crrev.com/4dafc317b6e614bdd86ea3e2f5c2fc2e8518a877/content/public/browser/devtools_agent_host_client.h

So, did the CL in c#15 fix the issue?  Can we close this one out?  Thanks heaps!

I believe this should be fixed, yes.

Closing it out.

Anyone have opinions on if this should be merged to M68?

This bug filed in 2016 - so I'd say no merge.

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot