Issue metadata
Sign in to add a comment
|
Don't allow web iframes on chrome:// pages |
||||||||||||||||||||||||||||||
Issue description
Chrome Version: 57.0.2987.3 and earlier
OS: Win10
What steps will reproduce the problem?
(0) Start Chrome with --disable-web-security to simulate a renderer exploit.
(1) Go to chrome://blob-internals
(2) Open DevTools console and enter the following:
f = document.createElement("iframe");
f.src = "http://csreis.github.io"
document.body.appendChild(f);
(3) Switch to the iframe in the DevTools console and enter:
window.parent.location.href = "chrome://settings";
What is the expected result?
We should have blocked the web iframe in step 2, since web pages should not be allowed in WebUI processes.
What happens instead?
The web iframe loads and is able to do things that web pages aren't allowed to, like navigate the main frame to other WebUI URLs in step 3.
It appears most WebUI pages have CSP policies that prevent web iframes, but not all of them. (I'm not sure if all of the ones with bindings have CSP polices. If not, that's a problem.)
,
Jan 23 2017
Tentatively assigning medium severity; please adjust if that seems wrong.
,
Jan 23 2017
,
Feb 4 2017
nasko: Uh oh! This issue still open and hasn't been updated in the last 14 days. This is a serious vulnerability, and we want to ensure that there's progress. Could you please leave an update with the current status and any potential blockers? If you're not the right owner for this issue, could you please remove yourself as soon as possible or help us find the right one? If the issue is fixed or you can't reproduce it, please close the bug. If you've started working on a fix, please set the status to Started. Thanks for your time! To disable nags, add the Disable-Nags label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Feb 18 2017
nasko: Uh oh! This issue still open and hasn't been updated in the last 28 days. This is a serious vulnerability, and we want to ensure that there's progress. Could you please leave an update with the current status and any potential blockers? If you're not the right owner for this issue, could you please remove yourself as soon as possible or help us find the right one? If the issue is fixed or you can't reproduce it, please close the bug. If you've started working on a fix, please set the status to Started. Thanks for your time! To disable nags, add the Disable-Nags label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Mar 10 2017
,
Apr 20 2017
,
May 2 2017
Security sheriff here. nasko: friendly ping :) Have you had a chance to look at this? Is someone else a better owner?
,
May 4 2017
This is a defense in depth measure we want to add. I will try to work on this in the month of May, but cannot guarantee it and if someone wants to pick it up, I'm happy to provide guidance.
,
Jun 6 2017
,
Jul 26 2017
,
Sep 6 2017
,
Sep 20 2017
Thanks nasko. If this is a security feature (as opposed to bug), would it be better to remove this from the security queue?
,
Sep 28 2017
It is more of a defense in-depth I want to put into Chrome, but haven't had the time to :(. If you think this is more of a "feature", feel free to convert it over, I don't have any strong preference either way.
,
Sep 28 2017
,
Oct 2 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/e1ac6a875f84335d7ce3f6f272bfb746ea416979 commit e1ac6a875f84335d7ce3f6f272bfb746ea416979 Author: Dan Beam <dbeam@chromium.org> Date: Mon Oct 02 20:30:32 2017 Remove [mostly] unused Uber page resources The "uber" page was 1 page with many sections, i.e. * settings * history * extensions * about/help It doesn't really exist any more as these sections have slowly but surely been replaced by single-frame Material Design (MD) versions. Remove these generally unused assets. uber_shared is still used from older extensions page (will be changed to MD soon) and the policy page (unsure of MD plans). It'd make sense to simply move uber_shared to policy/shared_style.css or something when old extensions code is removed. R=dpapad@chromium.org BUG= 683418 NOPRESUBMIT=true # moving existing deprecated CSS Cq-Include-Trybots: master.tryserver.chromium.linux:closure_compilation Change-Id: I6ca6c3b22eb2ac5ec29c839cdd66d3616b8359e3 Reviewed-on: https://chromium-review.googlesource.com/689957 Commit-Queue: Dan Beam (no longer on Chrome) <dbeam@chromium.org> Reviewed-by: Demetrios Papadopoulos <dpapad@chromium.org> Cr-Commit-Position: refs/heads/master@{#505761} [modify] https://crrev.com/e1ac6a875f84335d7ce3f6f272bfb746ea416979/chrome/browser/browser_resources.grd [modify] https://crrev.com/e1ac6a875f84335d7ce3f6f272bfb746ea416979/chrome/browser/resources/extensions/extensions.html [modify] https://crrev.com/e1ac6a875f84335d7ce3f6f272bfb746ea416979/chrome/browser/resources/policy.html [modify] https://crrev.com/e1ac6a875f84335d7ce3f6f272bfb746ea416979/chrome/browser/resources/policy_tool.html [delete] https://crrev.com/419b66b54c98e04141e5e966d905dbb371314770/chrome/browser/resources/uber/OWNERS [delete] https://crrev.com/419b66b54c98e04141e5e966d905dbb371314770/chrome/browser/resources/uber/compiled_resources2.gyp [delete] https://crrev.com/419b66b54c98e04141e5e966d905dbb371314770/chrome/browser/resources/uber/uber.css [delete] https://crrev.com/419b66b54c98e04141e5e966d905dbb371314770/chrome/browser/resources/uber/uber.html [delete] https://crrev.com/419b66b54c98e04141e5e966d905dbb371314770/chrome/browser/resources/uber/uber.js [delete] https://crrev.com/419b66b54c98e04141e5e966d905dbb371314770/chrome/browser/resources/uber/uber_frame.css [delete] https://crrev.com/419b66b54c98e04141e5e966d905dbb371314770/chrome/browser/resources/uber/uber_frame.html [delete] https://crrev.com/419b66b54c98e04141e5e966d905dbb371314770/chrome/browser/resources/uber/uber_frame.js [delete] https://crrev.com/419b66b54c98e04141e5e966d905dbb371314770/chrome/browser/resources/uber/uber_page_manager_observer.js [delete] https://crrev.com/419b66b54c98e04141e5e966d905dbb371314770/chrome/browser/resources/uber/uber_utils.js [rename] https://crrev.com/e1ac6a875f84335d7ce3f6f272bfb746ea416979/chrome/browser/resources/uber_shared.css [modify] https://crrev.com/e1ac6a875f84335d7ce3f6f272bfb746ea416979/third_party/closure_compiler/compiled_resources2.gyp
,
Oct 3 2017
,
Oct 4 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/6e9b7c926c5361cf064945b2f234b4d285d2c99e commit 6e9b7c926c5361cf064945b2f234b4d285d2c99e Author: Lukasz Anforowicz <lukasza@chromium.org> Date: Wed Oct 04 17:37:40 2017 Remove a no-op + not overriden WebContentsDelegate::WebUISend method. The content::WebContentsDelegate::WebUISend virtual method is a no-op and is not overriden anywhere. Therefore it should be safe to just delete this method and stop calling it (since calling it is a no-op). The only caller of content::WebContentsDelegate::WebUISend was WebContentsImpl::OnWebUISend method which is also deleted by this CL. ViewHostMsg_WebUISend is *not* being deleted - it is still handled by the browser in content::WebUIImpl::OnWebUISend. Bug: 683418 , 666525 Change-Id: Icf6272b0df3f4359e758e04ddefd026402b9ea03 Reviewed-on: https://chromium-review.googlesource.com/698348 Commit-Queue: Nick Carter <nick@chromium.org> Reviewed-by: Nick Carter <nick@chromium.org> Cr-Commit-Position: refs/heads/master@{#506435} [modify] https://crrev.com/6e9b7c926c5361cf064945b2f234b4d285d2c99e/content/browser/web_contents/web_contents_impl.cc [modify] https://crrev.com/6e9b7c926c5361cf064945b2f234b4d285d2c99e/content/browser/web_contents/web_contents_impl.h [modify] https://crrev.com/6e9b7c926c5361cf064945b2f234b4d285d2c99e/content/public/browser/web_contents_delegate.h
,
Oct 4 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/055fe8f2c6931931073b0f923c541df65dc8eafa commit 055fe8f2c6931931073b0f923c541df65dc8eafa Author: Dan Beam <dbeam@chromium.org> Date: Wed Oct 04 23:23:36 2017 Remove code dealing with Web UIs living in subframes This was needed when the "uber" page hosted multiple different iframes: <iframe src="chrome://settings"></iframe> <iframe src="chrome://extensions"></iframe> <iframe src="chrome://history"></iframe> <iframe src="chrome://about"></iframe> for code separation purposes. Because the "uber" page UI has been replaced and the replacements don't use <iframe>s, the code can be removed. R=creis@chromium.org BUG= 683418 , 666525 Change-Id: I1ee60a3fe74af3bfc78503740cbccf134ea41bd8 Reviewed-on: https://chromium-review.googlesource.com/696718 Reviewed-by: Demetrios Papadopoulos <dpapad@chromium.org> Reviewed-by: Charlie Reis <creis@chromium.org> Commit-Queue: Dan Beam (no longer on Chrome) <dbeam@chromium.org> Cr-Commit-Position: refs/heads/master@{#506558} [modify] https://crrev.com/055fe8f2c6931931073b0f923c541df65dc8eafa/chrome/browser/ui/webui/chrome_web_ui_controller_factory.cc [modify] https://crrev.com/055fe8f2c6931931073b0f923c541df65dc8eafa/content/browser/web_contents/web_contents_impl.cc [modify] https://crrev.com/055fe8f2c6931931073b0f923c541df65dc8eafa/content/browser/web_contents/web_contents_impl.h [modify] https://crrev.com/055fe8f2c6931931073b0f923c541df65dc8eafa/content/browser/webui/web_ui_impl.cc [modify] https://crrev.com/055fe8f2c6931931073b0f923c541df65dc8eafa/content/browser/webui/web_ui_impl.h [modify] https://crrev.com/055fe8f2c6931931073b0f923c541df65dc8eafa/content/public/browser/web_contents.h [modify] https://crrev.com/055fe8f2c6931931073b0f923c541df65dc8eafa/content/public/browser/web_ui.h [modify] https://crrev.com/055fe8f2c6931931073b0f923c541df65dc8eafa/content/public/test/test_web_ui.cc [modify] https://crrev.com/055fe8f2c6931931073b0f923c541df65dc8eafa/content/public/test/test_web_ui.h
,
Oct 5 2017
Nasko and I have been chatting about this, and we're hoping to fix this in the short term. (Caveat: Issue 770313 .)
,
Oct 9 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/029231044beed18a9aee6c7803774ec1fac0ba1f commit 029231044beed18a9aee6c7803774ec1fac0ba1f Author: Lukasz Anforowicz <lukasza@chromium.org> Date: Mon Oct 09 18:11:37 2017 Convert ViewHostMsg_WebUISend so that it is sent via frame (not view). Bug: 683418 , 666525 Change-Id: Id8bf3fa0a69b783b73a075a54ff7154e6d4c7a1e Cq-Include-Trybots: master.tryserver.chromium.linux:linux_site_isolation Reviewed-on: https://chromium-review.googlesource.com/701415 Reviewed-by: Nick Carter <nick@chromium.org> Reviewed-by: Rachel Blum <groby@chromium.org> Reviewed-by: Daniel Cheng <dcheng@chromium.org> Commit-Queue: Ćukasz Anforowicz <lukasza@chromium.org> Cr-Commit-Position: refs/heads/master@{#507414} [modify] https://crrev.com/029231044beed18a9aee6c7803774ec1fac0ba1f/content/browser/web_contents/web_contents_impl.cc [modify] https://crrev.com/029231044beed18a9aee6c7803774ec1fac0ba1f/content/browser/webui/web_ui_impl.cc [modify] https://crrev.com/029231044beed18a9aee6c7803774ec1fac0ba1f/content/browser/webui/web_ui_impl.h [modify] https://crrev.com/029231044beed18a9aee6c7803774ec1fac0ba1f/content/common/frame_messages.h [modify] https://crrev.com/029231044beed18a9aee6c7803774ec1fac0ba1f/content/common/view_messages.h [modify] https://crrev.com/029231044beed18a9aee6c7803774ec1fac0ba1f/content/renderer/web_ui_extension.cc [modify] https://crrev.com/029231044beed18a9aee6c7803774ec1fac0ba1f/docs/webui_explainer.md
,
Oct 18 2017
,
Oct 18 2017
,
Oct 18 2017
Blocking this with a NavigationThrottle will prevent the crashes we're seeing in issue 741651.
,
Oct 18 2017
I have started a CL at https://chromium-review.googlesource.com/c/chromium/src/+/726329.
,
Oct 27 2017
,
Oct 27 2017
,
Nov 6 2017
,
Nov 8 2017
,
Nov 10 2017
,
Nov 13 2017
,
Dec 5 2017
,
Dec 7 2017
,
Jan 25 2018
,
Mar 2 2018
,
Mar 7 2018
,
Apr 3 2018
,
Apr 5 2018
The CL to enforce this is https://chromium-review.googlesource.com/c/chromium/src/+/726329.
,
Apr 19 2018
,
Apr 27 2018
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/a50ec579ad7bd74602ec067770464bf45d968bb3 commit a50ec579ad7bd74602ec067770464bf45d968bb3 Author: Nasko Oskov <nasko@chromium.org> Date: Fri Apr 27 00:12:08 2018 Enforce that WebUI documents cannot include web content. This CL adds a new NavigationThrottle class for enforcing security properties of navigations. The first case is checking that no web content is navigated to in iframes on WebUI pages or no navigations to web content are allowed in processes having WebUI bindings. Bug: 683418 Cq-Include-Trybots: master.tryserver.chromium.linux:linux_site_isolation Change-Id: Id4d0e8675eab375bc2de2f240af3b22e03956f2b Reviewed-on: https://chromium-review.googlesource.com/726329 Commit-Queue: Nasko Oskov <nasko@chromium.org> Reviewed-by: Charlie Reis <creis@chromium.org> Cr-Commit-Position: refs/heads/master@{#554206} [modify] https://crrev.com/a50ec579ad7bd74602ec067770464bf45d968bb3/content/browser/BUILD.gn [modify] https://crrev.com/a50ec579ad7bd74602ec067770464bf45d968bb3/content/browser/frame_host/navigation_handle_impl.cc [add] https://crrev.com/a50ec579ad7bd74602ec067770464bf45d968bb3/content/browser/frame_host/webui_navigation_browsertest.cc [add] https://crrev.com/a50ec579ad7bd74602ec067770464bf45d968bb3/content/browser/frame_host/webui_navigation_throttle.cc [add] https://crrev.com/a50ec579ad7bd74602ec067770464bf45d968bb3/content/browser/frame_host/webui_navigation_throttle.h [modify] https://crrev.com/a50ec579ad7bd74602ec067770464bf45d968bb3/content/test/BUILD.gn
,
May 7 2018
This enforcement seems to have stuck, resolving as fixed!
,
May 8 2018
,
May 29 2018
,
Jul 23
,
Aug 14
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot |
|||||||||||||||||||||||||||||||
►
Sign in to add a comment |
|||||||||||||||||||||||||||||||
Comment 1 by lgar...@chromium.org
, Jan 22 2017