PlzNavigate: web_accessible_resources can be bypassed via http redirects
Issue description
Repro instructions:
1. Add the following browsertest to the bottom of chrome/browser/extensions/process_management_browsertest.cc:
IN_PROC_BROWSER_TEST_F(ProcessManagementTest,
                       WebAccessibleResourcesVersusServerRedirect) {
  ASSERT_TRUE(embedded_test_server()->Start());
  WebContents* web_contents =
      browser()->tab_strip_model()->GetActiveWebContents();

  // Any valid extension that happens to have a web accessible resource.
  const extensions::Extension* patsy =
      LoadExtension(test_data_dir_.AppendASCII("subscribe_page_action"));

  // An extension with a non-webaccessible resource.
  const extensions::Extension* target =
      LoadExtension(test_data_dir_.AppendASCII("simple_with_file"));

  // Start with an iframe.
  ui_test_utils::NavigateToURL(browser(),
                               embedded_test_server()->GetURL("/iframe.html"));

  // Send it to a web accessible resource of any extension.
  GURL patsy_url = patsy->GetResourceURL("style.css");
  content::NavigateIframeToURL(web_contents, "test", patsy_url);

  // Now send it to a NON-webaccessible resource of any other extension, via
  // http redirect.
  GURL target_url = target->GetResourceURL("file.html");
  GURL http_redirect_to_target_url = embedded_test_server()->GetURL(
      "evil.com", "/server-redirect?" + target_url.spec());
  content::NavigateIframeToURL(web_contents, "test",
                               http_redirect_to_target_url);

  // That should not have been allowed.
  EXPECT_NE(url::Origin(target_url).GetURL(),
            ChildFrameAt(web_contents->GetMainFrame(), 0)
                ->GetLastCommittedOrigin()
                .GetURL());
}
2. Run it with --enable-browser-side-navigation.
3. This should be blocked by the web_accessible_resources policy, but it is allowed.
May 11 2017
May 12 2017
Changing to Devlin's correct email and marking as Available. I can pick it up once Nick's CL for refactoring the ExtensionNavigationThrottle lands, if no one else is interested in fixing it.
May 12 2017
May 23 2017
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/7a719cdbf12822eb9a7be0879273e6b716b9273b

commit 7a719cdbf12822eb9a7be0879273e6b716b9273b
Author: nick <nick@chromium.org>
Date: Tue May 23 20:51:26 2017

ExtensionNavigationThrottle: Enforce the same rules on redirect as we would on the initial navigation.

TEST=ExtensionResourceRequestPolicyTest.IframeNavigateToInaccessibleViaServerRedirect
BUG= 721568
Review-Url: https://codereview.chromium.org/2881733006
Cr-Commit-Position: refs/heads/master@{#474044}

[modify] https://crrev.com/7a719cdbf12822eb9a7be0879273e6b716b9273b/chrome/browser/extensions/extension_navigation_throttle_unittest.cc
[modify] https://crrev.com/7a719cdbf12822eb9a7be0879273e6b716b9273b/chrome/browser/extensions/extension_resource_request_policy_apitest.cc
[modify] https://crrev.com/7a719cdbf12822eb9a7be0879273e6b716b9273b/extensions/browser/extension_navigation_throttle.cc
[modify] https://crrev.com/7a719cdbf12822eb9a7be0879273e6b716b9273b/extensions/browser/extension_navigation_throttle.h
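
Added example, not part of this thread and not Chromium's code: a simplified, self-contained C++ model of the rule in the commit message above, showing why a check made only on the initial URL lets the redirect in the repro commit while the same check repeated on each redirect blocks it. ModelThrottle, Navigate, the sample extension ids and the policy simplification (every navigation is web-initiated) are assumptions made for illustration.

```cpp
// Simplified model, not Chromium code; every type and helper here is hypothetical.
#include <set>
#include <string>
#include <vector>

struct Url { std::string scheme, host, path; };
struct Extension {
  std::string id;                        // used as the chrome-extension:// host
  std::set<std::string> web_accessible;  // paths in web_accessible_resources
};
enum class Result { kProceed, kBlock };
class ModelThrottle {
 public:
  ModelThrottle(const std::vector<Extension>& exts, bool check_redirects)
      : exts_(exts), check_redirects_(check_redirects) {}
  Result WillStartRequest(const Url& url) const { return Check(url); }
  // The fix: a redirect target gets the same check as the initial URL.
  Result WillRedirectRequest(const Url& url) const {
    return check_redirects_ ? Check(url) : Result::kProceed;
  }
 private:
  // A web-initiated frame load may reach an extension URL only if the path is listed.
  Result Check(const Url& url) const {
    if (url.scheme != "chrome-extension") return Result::kProceed;
    for (const Extension& e : exts_)
      if (e.id == url.host && e.web_accessible.count(url.path)) return Result::kProceed;
    return Result::kBlock;
  }
  std::vector<Extension> exts_;
  bool check_redirects_;
};

// chain[0] is the requested URL, later entries are redirect targets; "" means blocked.
std::string Navigate(const ModelThrottle& t, const std::vector<Url>& chain) {
  for (std::size_t i = 0; i < chain.size(); ++i) {
    Result r = i == 0 ? t.WillStartRequest(chain[i]) : t.WillRedirectRequest(chain[i]);
    if (r == Result::kBlock) return "";
  }
  return chain.empty() ? "" : chain.back().host;
}

// Constructed sample data mirroring the repro: "patsy" lists style.css, "target" lists nothing.
std::vector<Extension> SampleExtensions() {
  return {Extension{"patsy", {"/style.css"}}, Extension{"target", {}}};
}
std::vector<Url> RedirectChain() {
  return {Url{"http", "evil.com", "/server-redirect"},
          Url{"chrome-extension", "target", "/file.html"}};
}
```
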
May 24 2017
Resolving this one as fixed, as part of PlzNavigate bug triage.
Comment 1 by nasko@chromium.org, May 11 2017