Allow externally_connectable from all domains.
Reported by
mi...@zoltu.net,
Jan 9 2017
|
|||||||
Issue descriptionUserAgent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36 Steps to reproduce the problem: 1. Create an extension that asks for externally_connectable permission on `https://*` What is the expected behavior? The extension is connectable from any `https` website. What went wrong? The extension is not connectable from any `https` website. Did this work before? No Does this work in other browsers? N/A Chrome version: 55.0.2883.87 Channel: stable OS Version: 10.0 Flash Version: Shockwave Flash 24.0 r0 TL;DR: restricting externall_connectable to third level domain wildcards effectively (though indirectly) decreases chrome security. There are a class of extensions that need to interact with arbitrary websites, but only if the website in question is cooperative. A great example of this are security related extensions that simplify 2FA via browser extensions. Such extensions serve no purpose when interacting with a page that doesn't integrate with the extension, but any page can integrate with the extension and the list of all pages that integrate is dynamic and not available at install time. At the moment, for such an extension to do its job it needs to inject a content script which effectively gives the extension full control over all websites the user browses, not just the ones that integrate with the extension. This situation is less than ideal because now instead of having to trust the website they are viewing with the data provided to the website, the user must trust the extension with all information they enter into any chrome tab. This is a *massive* security escalation but it is required because `https://*` isn't available to the `externally_connectable` permission. The security impact of a compromised extension that requires content_scripts to `https://*` is effectively a complete browser compromise. The security impact of a compromised extension that requires externally_connectable to `https://*` however is restricted to the data that is sent by any webpage to the extension. By restricting externally_connectable to third level domain wildcards and below, the permissions API has effectively lowered security instead of raising it because it leaves only the worse of two options to extensions that need to interact with a dynamic set of webpages and further trains users away from being cautious of extensions that ask for wildcard content_scripts. Here is an example of an extension that would benefit from such permissions (to the point where a back-door hack was added just for this extension): https://bugs.chromium.org/p/chromium/issues/detail?id=417062 Non-Google developed chrome extensions that need this are ones that add support for external hardware to chrome (e.g., external security hardware) or interact with desktop apps/drivers.
,
Jan 10 2017
@ micah: Could you please help us with the sample extension. This will help us to triage the issue faster. Thanks.!
,
Jan 10 2017
#2, this is not about a specific extension but a general architecture issue in the current chromium implementation so I doubt having a sample can help. I think it should be evaluated by extension-related chromium devs, for example rdevlin. From my experience as an extension author the highlighted problem is real and the proposed solution seems sound.
,
Jan 10 2017
Devlin - wdyt?
,
Jan 10 2017
,
Jan 10 2017
I'm fine with this - we already allow a [*] for all extensions. I imagine we didn't do this before so that an extension couldn't (accidentally) expose all kinds of terrible super powers to arbitrary evil web pages, but I'm not sure how much this is helping - and, as the micah@ points out, there are valid use cases. meacer@, wdyt from a security perspective?
,
Jan 17 2017
One concern was also that this would be seen as a sanctioned way to track users via ad networks and extensions while rendering clearing your cookies meaningless.
,
Jan 17 2017
I don't think it really offers much new functionality from an abuse standpoint - if an extension wanted, it can communicate with any web page via script injection and message posting or web-accessible resources.
,
Jan 19 2017
Hello - I am an extension developer. > if an extension wanted, it can communicate with any web page via script injection and message posting We use this technique to provide communication between the API object and our extension which manages some private keys. The ability to communicate with any page is crucial to our functionality and direct access (without the injection technique) would allow for a more sensible implementation thanks for your time and efforts MetaMask Extension on github: https://github.com/metamask/metamask-plugin MetaMask Extension on chrome webstore: https://chrome.google.com/webstore/detail/metamask/nkbihfbeogaeaoehlefnkodbefgpgknn
,
Feb 10 2017
meacer@, battre@, any thoughts here? I'm still inclined to say that this is a reasonable change.
,
Mar 20 2017
Would this also be allowed for apps? Apps may be able to workaround with sockets instead of content scripts. |
|||||||
►
Sign in to add a comment |
|||||||
Comment 1 by mi...@zoltu.net
, Jan 9 2017