
Issue 755398

Starred by 2 users

Issue metadata

Status: Verified
Owner:
Closed: Sep 2017
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux, Windows, Chrome, Mac
Pri: 3
Type: Feature




Update chrome.webRequest event details to include the initiator of a request

Project Member Reported by nrpeter@chromium.org, Aug 14 2017

Issue description

Description:
Chrome extensions can use the chrome.webRequest API to intercept, block, or modify web requests in-flight. The events expose basic information about the request such as the URL, method, frame loaded in, tab loaded on, etc. to an extension. One thing that isn’t currently exposed is the origin of where the request was initiated from. This is tracked internally within Chrome for requests for same-origin checks. This is internally accessible as URLRequest::initiator().


Use case:
This will be used to identify requests to sensitive resources from untrusted origins. Additionally, in high confidence situations these anomalous requests could be blocked. There are a number of security & privacy related extensions that could make use of this data.


Motivation:
Enterprises regularly see web-related attacks against their infrastructure. Most enterprises use off-the-shelf software or appliances which they can't modify to add additional web security (isolate header, anti-framing, HSTS, etc.). Tracking the initiator of a request, we can block requests to enterprise web resources from the rest of the internet.


Existing workarounds:
No existing reliable workarounds
 
Project Member

Comment 1 by bugdroid1@chromium.org, Sep 26 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/c8557f31539ef132a8646174d7c90c1ff2a74e23

commit c8557f31539ef132a8646174d7c90c1ff2a74e23
Author: Nick Peterson <nrpeter@google.com>
Date: Tue Sep 26 23:16:16 2017

Update chrome.webRequest event details to include the initiator of a request.

If the request has no initiator, or the extension hasn't declared a
permission matching the initiator's origin, then the initiator is withheld.

BUG= 755398 

Change-Id: I4e5f2adfdaf8752c69daf933aa0a964839b43abd
Reviewed-on: https://chromium-review.googlesource.com/614904
Commit-Queue: Nick Peterson <nrpeter@google.com>
Reviewed-by: Dominic Battré <battre@chromium.org>
Reviewed-by: Devlin <rdevlin.cronin@chromium.org>
Cr-Commit-Position: refs/heads/master@{#504513}
[modify] https://crrev.com/c8557f31539ef132a8646174d7c90c1ff2a74e23/chrome/browser/extensions/api/web_request/web_request_apitest.cc
[modify] https://crrev.com/c8557f31539ef132a8646174d7c90c1ff2a74e23/chrome/browser/extensions/api/web_request/web_request_event_details_unittest.cc
[modify] https://crrev.com/c8557f31539ef132a8646174d7c90c1ff2a74e23/chrome/browser/extensions/extension_apitest.cc
[modify] https://crrev.com/c8557f31539ef132a8646174d7c90c1ff2a74e23/chrome/test/data/extensions/api_test/webrequest/framework.js
[modify] https://crrev.com/c8557f31539ef132a8646174d7c90c1ff2a74e23/chrome/test/data/extensions/api_test/webrequest/test_blocking.js
[modify] https://crrev.com/c8557f31539ef132a8646174d7c90c1ff2a74e23/chrome/test/data/extensions/api_test/webrequest/test_complex.js
[modify] https://crrev.com/c8557f31539ef132a8646174d7c90c1ff2a74e23/chrome/test/data/extensions/api_test/webrequest/test_declarative1.js
[modify] https://crrev.com/c8557f31539ef132a8646174d7c90c1ff2a74e23/chrome/test/data/extensions/api_test/webrequest/test_declarative2.js
[modify] https://crrev.com/c8557f31539ef132a8646174d7c90c1ff2a74e23/chrome/test/data/extensions/api_test/webrequest/test_newTab.js
[modify] https://crrev.com/c8557f31539ef132a8646174d7c90c1ff2a74e23/chrome/test/data/extensions/api_test/webrequest/test_osdd.js
[modify] https://crrev.com/c8557f31539ef132a8646174d7c90c1ff2a74e23/chrome/test/data/extensions/api_test/webrequest/test_post.js
[modify] https://crrev.com/c8557f31539ef132a8646174d7c90c1ff2a74e23/chrome/test/data/extensions/api_test/webrequest/test_simple.js
[modify] https://crrev.com/c8557f31539ef132a8646174d7c90c1ff2a74e23/chrome/test/data/extensions/api_test/webrequest/test_types.js
[modify] https://crrev.com/c8557f31539ef132a8646174d7c90c1ff2a74e23/chrome/test/data/extensions/api_test/webrequest/test_unload1.js
[modify] https://crrev.com/c8557f31539ef132a8646174d7c90c1ff2a74e23/chrome/test/data/extensions/api_test/webrequest/test_unload5.js
[modify] https://crrev.com/c8557f31539ef132a8646174d7c90c1ff2a74e23/chrome/test/data/extensions/api_test/webrequest/test_unload6.js
[modify] https://crrev.com/c8557f31539ef132a8646174d7c90c1ff2a74e23/chrome/test/data/extensions/api_test/webrequest/test_websocket.js
[modify] https://crrev.com/c8557f31539ef132a8646174d7c90c1ff2a74e23/chrome/test/data/extensions/api_test/webrequest/test_websocket_auth.js
[add] https://crrev.com/c8557f31539ef132a8646174d7c90c1ff2a74e23/chrome/test/data/extensions/api_test/webrequest_permissions/initiator/background.js
[add] https://crrev.com/c8557f31539ef132a8646174d7c90c1ff2a74e23/chrome/test/data/extensions/api_test/webrequest_permissions/initiator/manifest.json
[modify] https://crrev.com/c8557f31539ef132a8646174d7c90c1ff2a74e23/extensions/browser/api/web_request/web_request_api.cc
[modify] https://crrev.com/c8557f31539ef132a8646174d7c90c1ff2a74e23/extensions/browser/api/web_request/web_request_api.h
[modify] https://crrev.com/c8557f31539ef132a8646174d7c90c1ff2a74e23/extensions/browser/api/web_request/web_request_api_constants.cc
[modify] https://crrev.com/c8557f31539ef132a8646174d7c90c1ff2a74e23/extensions/browser/api/web_request/web_request_api_constants.h
[modify] https://crrev.com/c8557f31539ef132a8646174d7c90c1ff2a74e23/extensions/browser/api/web_request/web_request_event_details.cc
[modify] https://crrev.com/c8557f31539ef132a8646174d7c90c1ff2a74e23/extensions/browser/api/web_request/web_request_event_details.h
[modify] https://crrev.com/c8557f31539ef132a8646174d7c90c1ff2a74e23/extensions/browser/api/web_request/web_request_permissions.cc
[modify] https://crrev.com/c8557f31539ef132a8646174d7c90c1ff2a74e23/extensions/browser/api/web_request/web_request_permissions.h
[modify] https://crrev.com/c8557f31539ef132a8646174d7c90c1ff2a74e23/extensions/common/api/test.json
[modify] https://crrev.com/c8557f31539ef132a8646174d7c90c1ff2a74e23/extensions/common/api/web_request.json

Labels: TL-nrpeter M-63
Status: Fixed (was: Started)
Status: Verified (was: Fixed)
Verified the API is already in place since M63 and no issue.
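
An added example (not part of the issue or the Chromium change) of the use case described in the issue: a webRequest decision function that uses `details.initiator` to block requests to protected hosts from untrusted origins, and logs instead of blocking when the initiator is withheld. The hostnames, `POLICY`, `isProtected` and `classify` are constructed for illustration.

```javascript
// Constructed policy; hostnames are placeholders, not values from the issue.
const POLICY = {
  protectedHosts: ["intranet.example.test"],
  trustedInitiators: [
    "https://intranet.example.test",
    "https://portal.example.test",
  ],
};

// True if the request URL targets a protected host or one of its subdomains.
function isProtected(url, policy) {
  const host = new URL(url).hostname;
  return policy.protectedHosts.some(
    (h) => host === h || host.endsWith("." + h)
  );
}

// Returns "ignore", "allow", "log" or "block" for one webRequest details object.
function classify(details, policy = POLICY) {
  if (!isProtected(details.url, policy)) return "ignore";
  // The initiator is withheld when the request has none, or when the extension
  // has no host permission matching the initiator's origin. The two cases are
  // indistinguishable here, so this is not a high-confidence block: log only.
  if (details.initiator === undefined) return "log";
  // initiator is an origin string; an opaque origin is reported as "null"
  // and therefore never matches the trusted list.
  return policy.trustedInitiators.includes(details.initiator)
    ? "allow"
    : "block";
}

// Registration runs only inside an extension that declares "webRequest",
// "webRequestBlocking" and matching host permissions in its manifest.
if (typeof chrome !== "undefined" && chrome.webRequest) {
  chrome.webRequest.onBeforeRequest.addListener(
    (details) => {
      const verdict = classify(details);
      if (verdict === "log") console.warn("initiator withheld:", details.url);
      return { cancel: verdict === "block" };
    },
    { urls: ["*://*.example.test/*"] },
    ["blocking"]
  );
}
```

Because the initiator is withheld without a matching host permission, an extension whose permissions cover only the trusted origins will see untrusted initiators as missing; those requests fall into the "log" branch rather than "block".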
