
Issue 721568 link

Issue metadata

Status: Fixed
Owner: nick@chromium.org (not working at Google anymore)
Closed: May 2017
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: 2
Type: Bug


PlzNavigate: web_accessible_resources can be bypassed via http redirects

Reported by nick@chromium.org (Project Member), May 11 2017

Issue description

Repro instructions:

1. Add the following browsertest to the bottom of chrome/browser/extensions/process_management_browsertest.cc:

IN_PROC_BROWSER_TEST_F(ProcessManagementTest,
                       WebAccessibleResourcesVersusServerRedirect) {
  ASSERT_TRUE(embedded_test_server()->Start());

  WebContents* web_contents =
      browser()->tab_strip_model()->GetActiveWebContents();

  // Any valid extension that happens to have a web accessible resource.
  const extensions::Extension* patsy =
      LoadExtension(test_data_dir_.AppendASCII("subscribe_page_action"));

  // An extension with a non-webaccessible resource.
  const extensions::Extension* target =
      LoadExtension(test_data_dir_.AppendASCII("simple_with_file"));

  // Start with an iframe.
  ui_test_utils::NavigateToURL(browser(),
                               embedded_test_server()->GetURL("/iframe.html"));

  // Send it to a web accessible resource of any extension.
  GURL patsy_url = patsy->GetResourceURL("style.css");
  content::NavigateIframeToURL(web_contents, "test", patsy_url);

  // Now send it to a NON-webaccessible resource of any other extension, via
  // http redirect.
  GURL target_url = target->GetResourceURL("file.html");
  GURL http_redirect_to_target_url = embedded_test_server()->GetURL(
      "evil.com", "/server-redirect?" + target_url.spec());
  content::NavigateIframeToURL(web_contents, "test",
                               http_redirect_to_target_url);

  // That should not have been allowed.
  EXPECT_NE(url::Origin(target_url).GetURL(),
            ChildFrameAt(web_contents->GetMainFrame(), 0)
                ->GetLastCommittedOrigin()
                .GetURL());
}

2. Run it with --enable-browser-side-navigation.

3. This should be blocked by the web_accessible_resources policy, but it is allowed.
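As an added illustration, not Chromium's code, here is a minimal C++ model of the policy decision the repro exercises: the buggy variant checks only the URL a navigation starts with, while the fixed variant re-checks every URL in the redirect chain, so a server redirect onto a private extension resource is refused. The registry type, the extension ids "patsy"/"target" and all helper names are assumptions made for the example.

```cpp
// Added example (not Chromium's code): a minimal model of the
// web_accessible_resources check applied along a redirect chain.
#include <map>
#include <set>
#include <string>
#include <vector>
static const std::string kExtScheme = "chrome-extension://";

// Splits "chrome-extension://<id>/<path>" into id and path; false if malformed.
static bool ParseExtensionUrl(const std::string& url, std::string* id,
                              std::string* path) {
  size_t slash = url.find('/', kExtScheme.size());
  if (slash == std::string::npos) return false;
  *id = url.substr(kExtScheme.size(), slash - kExtScheme.size());
  *path = url.substr(slash + 1);
  return !id->empty();
}

// Hypothetical registry: extension id -> declared web_accessible_resources.
using Registry = std::map<std::string, std::set<std::string>>;

// Non-extension URLs pass; extension URLs must name a declared resource.
static bool ResourceIsAllowed(const Registry& registry, const std::string& url) {
  if (url.compare(0, kExtScheme.size(), kExtScheme) != 0) return true;
  std::string id, path;
  if (!ParseExtensionUrl(url, &id, &path)) return false;  // fail closed
  auto it = registry.find(id);
  return it != registry.end() && it->second.count(path) > 0;
}

// Buggy policy, as in this issue: only the initial URL is checked, so a
// server redirect to a non-web-accessible resource is never examined.
bool AllowNavigationInitialOnly(const Registry& registry,
                                const std::vector<std::string>& chain) {
  return ResourceIsAllowed(registry, chain.front());
}

// Fixed policy: every URL in the chain, each redirect target included,
// has to pass the same check.
bool AllowNavigationWholeChain(const Registry& registry,
                               const std::vector<std::string>& chain) {
  for (const auto& url : chain)
    if (!ResourceIsAllowed(registry, url)) return false;
  return true;
}

// Constructed sample mirroring the repro: "patsy" exposes style.css and
// "target" exposes nothing. The ids are placeholders, not real extension ids.
Registry SampleRegistry() {
  return {{"patsy", {"style.css"}}, {"target", {}}};
}
```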


Comment 1 by nasko@chromium.org, May 11 2017

Labels: Proj-PlzNavigate-Blocking

Comment 2 by nasko@chromium.org, May 11 2017

Labels: -Pri-3 M-60 Pri-2

Comment 3 by nasko@chromium.org, May 12 2017

Cc: -devlin@chromium.org rdevlin....@chromium.org
Status: Available (was: Untriaged)
Changing to Devlin's correct email and marking as Available. I can pick it up once Nick's CL for refactoring the ExtensionNavigationThrottle lands, if no one else is interested in fixing it.

Comment 4 Deleted

Comment 5 by nick@chromium.org, May 12 2017

Owner: nick@chromium.org
https://codereview.chromium.org/2881733006 is a proposed fix.

Comment 7 by nasko@chromium.org, May 24 2017

Status: Fixed (was: Started)
Resolving this one as fixed, as part of PlzNavigate bug triage.