Issue 757478

Starred by 1 user

Issue metadata

Status: Fixed
Owner:
Closed: Sep 2017
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux , Windows , Mac
Pri: 2
Type: Bug

Blocking:
issue 716053
issue 743110



[Dice] Remove Dice response header before it is passed to extensions

Project Member Reported by droger@chromium.org, Aug 21 2017

Issue description

The Dice response header, containing the authorization code, should be removed before being seen by extensions.

Comment 1 by droger@chromium.org, Aug 21 2017

Cc: ew...@chromium.org msarda@chromium.org
Components: Services>SignIn

Comment 2 by ew...@chromium.org, Aug 21 2017

Labels: -Pri-3 M-62 Pri-2
Seems like we should mark this as P2 if it's blocking our M62 release :) Thanks David!

Comment 3 by droger@chromium.org, Aug 28 2017

Blocking: 743110

Comment 4 by bugdroid1@chromium.org, Sep 1 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/1f0a8bf74dac6a17b96a29e694f36121f6425a80

commit 1f0a8bf74dac6a17b96a29e694f36121f6425a80
Author: David Roger <droger@chromium.org>
Date: Fri Sep 01 12:44:45 2017

Prevent extensions from accessing the Dice HTTP response header

Gaia can send an OAuth2 authorization code in the Dice response header.
This is very sensitive information, and may allow an extension to
generate a refresh token for the user account.
For this reason, we choose to hide the Dice response headers from extensions.

This header should only be hidden when sent from a Gaia origin, otherwise
this could allow a website to hide information from extensions.

This CL adds support for hiding response headers to extensions, and
affects the web_request and declarative_web_request APIs.

Bug: 757478
Change-Id: I79adc8ae7bfad828647f1a8bd792a2976a69e280
Reviewed-on: https://chromium-review.googlesource.com/629081
Reviewed-by: Devlin <rdevlin.cronin@chromium.org>
Reviewed-by: Mihai Sardarescu <msarda@chromium.org>
Commit-Queue: David Roger <droger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#499173}
[modify] https://crrev.com/1f0a8bf74dac6a17b96a29e694f36121f6425a80/chrome/browser/extensions/BUILD.gn
[modify] https://crrev.com/1f0a8bf74dac6a17b96a29e694f36121f6425a80/chrome/browser/extensions/api/chrome_extensions_api_client.cc
[modify] https://crrev.com/1f0a8bf74dac6a17b96a29e694f36121f6425a80/chrome/browser/extensions/api/chrome_extensions_api_client.h
[add] https://crrev.com/1f0a8bf74dac6a17b96a29e694f36121f6425a80/chrome/browser/extensions/api/chrome_extensions_api_client_unittest.cc
[modify] https://crrev.com/1f0a8bf74dac6a17b96a29e694f36121f6425a80/chrome/browser/extensions/api/web_request/web_request_api_unittest.cc
[modify] https://crrev.com/1f0a8bf74dac6a17b96a29e694f36121f6425a80/chrome/browser/extensions/api/web_request/web_request_apitest.cc
[modify] https://crrev.com/1f0a8bf74dac6a17b96a29e694f36121f6425a80/chrome/browser/extensions/api/web_request/web_request_event_details_unittest.cc
[modify] https://crrev.com/1f0a8bf74dac6a17b96a29e694f36121f6425a80/chrome/browser/signin/chrome_signin_helper.cc
[modify] https://crrev.com/1f0a8bf74dac6a17b96a29e694f36121f6425a80/chrome/test/BUILD.gn
[add] https://crrev.com/1f0a8bf74dac6a17b96a29e694f36121f6425a80/chrome/test/data/extensions/api_test/webrequest_dice_header/background.js
[add] https://crrev.com/1f0a8bf74dac6a17b96a29e694f36121f6425a80/chrome/test/data/extensions/api_test/webrequest_dice_header/manifest.json
[add] https://crrev.com/1f0a8bf74dac6a17b96a29e694f36121f6425a80/chrome/test/data/extensions/dice.html
[add] https://crrev.com/1f0a8bf74dac6a17b96a29e694f36121f6425a80/chrome/test/data/extensions/dice.html.mock-http-headers
[modify] https://crrev.com/1f0a8bf74dac6a17b96a29e694f36121f6425a80/components/signin/core/browser/signin_header_helper.cc
[modify] https://crrev.com/1f0a8bf74dac6a17b96a29e694f36121f6425a80/components/signin/core/browser/signin_header_helper.h
[modify] https://crrev.com/1f0a8bf74dac6a17b96a29e694f36121f6425a80/extensions/browser/api/declarative_webrequest/webrequest_condition_attribute.cc
[modify] https://crrev.com/1f0a8bf74dac6a17b96a29e694f36121f6425a80/extensions/browser/api/declarative_webrequest/webrequest_condition_attribute_unittest.cc
[modify] https://crrev.com/1f0a8bf74dac6a17b96a29e694f36121f6425a80/extensions/browser/api/extensions_api_client.cc
[modify] https://crrev.com/1f0a8bf74dac6a17b96a29e694f36121f6425a80/extensions/browser/api/extensions_api_client.h
[modify] https://crrev.com/1f0a8bf74dac6a17b96a29e694f36121f6425a80/extensions/browser/api/web_request/web_request_api.cc
[modify] https://crrev.com/1f0a8bf74dac6a17b96a29e694f36121f6425a80/extensions/browser/api/web_request/web_request_api_helpers.cc
[modify] https://crrev.com/1f0a8bf74dac6a17b96a29e694f36121f6425a80/extensions/browser/api/web_request/web_request_api_helpers.h
[modify] https://crrev.com/1f0a8bf74dac6a17b96a29e694f36121f6425a80/extensions/browser/api/web_request/web_request_event_details.cc

Status: Fixed (was: Started)
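The commit message above states the rule the fix implements: the Dice response header is removed from what extensions can observe, but only when the response comes from a Gaia origin, because stripping it unconditionally would let any website use the same path to hide headers from extensions. The following C++ is an added illustration of that rule written for this page; it is not Chromium's code, and the header name, the Gaia origin string, the sample response and every function name are assumptions made for the example.

```cpp
// Added illustration, not Chromium code: expose a filtered copy of the
// response headers to extensions, dropping the Dice header only when the
// response came from the identity provider's origin.
#include <algorithm>
#include <cctype>
#include <string>
#include <utility>
#include <vector>

using HeaderList = std::vector<std::pair<std::string, std::string>>;

// Assumed values for the example; neither is taken from the bug page.
constexpr const char kDiceResponseHeader[] = "X-Chrome-ID-Consistency-Response";
constexpr const char kGaiaOrigin[] = "https://accounts.google.com";

std::string ToLower(std::string s) {
  std::transform(s.begin(), s.end(), s.begin(), [](unsigned char c) {
    return static_cast<char>(std::tolower(c));
  });
  return s;
}

// HTTP header names are case-insensitive; a case-sensitive compare would let
// "x-chrome-id-consistency-response" through untouched.
bool HeaderNameEquals(const std::string& a, const std::string& b) {
  return ToLower(a) == ToLower(b);
}

// Minimal scheme://host[:port] extraction for the example. A real browser
// uses its full URL parser here rather than string searching.
std::string OriginOf(const std::string& url) {
  const size_t scheme_end = url.find("://");
  if (scheme_end == std::string::npos) return "";
  size_t host_end = url.find_first_of("/?#", scheme_end + 3);
  if (host_end == std::string::npos) host_end = url.size();
  return ToLower(url.substr(0, host_end));
}

bool IsGaiaOrigin(const std::string& response_url) {
  return OriginOf(response_url) == kGaiaOrigin;
}

// The decision the commit message describes: hide the header from extensions
// only for Gaia responses. For every other origin the headers pass through
// unchanged, so a site cannot use this path to conceal headers from extensions.
HeaderList FilterHeadersForExtensions(const std::string& response_url,
                                      const HeaderList& headers) {
  if (!IsGaiaOrigin(response_url)) return headers;
  HeaderList visible;
  for (const auto& header : headers) {
    if (HeaderNameEquals(header.first, kDiceResponseHeader)) continue;
    visible.push_back(header);
  }
  return visible;
}

bool ContainsHeader(const HeaderList& headers, const std::string& name) {
  return std::any_of(headers.begin(), headers.end(), [&](const auto& h) {
    return HeaderNameEquals(h.first, name);
  });
}

// Constructed sample response; the header value is a placeholder, not a real
// authorization code.
HeaderList ConstructedSampleHeaders() {
  return {{"Content-Type", "text/html"},
          {"X-Chrome-ID-Consistency-Response",
           "authorization_code=<placeholder>"},
          {"Cache-Control", "no-store"}};
}

int main() {
  const HeaderList from_gaia = FilterHeadersForExtensions(
      "https://accounts.google.com/signin?x=1", ConstructedSampleHeaders());
  const HeaderList from_other = FilterHeadersForExtensions(
      "https://example.com/", ConstructedSampleHeaders());
  // Exit status 0 when the Gaia copy lost the header and the other kept it.
  const bool ok = !ContainsHeader(from_gaia, kDiceResponseHeader) &&
                  ContainsHeader(from_other, kDiceResponseHeader);
  return ok ? 0 : 1;
}
```

The origin check is the part worth reviewing in any real implementation: it must match the full scheme and host, not a substring, and it must run on the URL the response actually came from, after redirects, so that neither a look-alike host nor an intermediate hop changes which responses get filtered.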

Comment 6 by ew...@chromium.org, Sep 4 2017

David, before adding the Merge-Request-62 label, can you test this out on Canary to confirm that it's working as intended?

Comment 7 by ew...@chromium.org, Sep 4 2017

Labels: Merge-Request-62 OS-Linux OS-Mac OS-Windows
Just chatted with David offline. The automated tests added in the above CL are sufficient for ensuring this is working properly. Requesting a merge to 62.

Comment 8 by sheriffbot@chromium.org, Sep 5 2017

Labels: -Merge-Request-62 Hotlist-Merge-Approved Merge-Approved-62
Your change meets the bar and is auto-approved for M62. Please go ahead and merge the CL to branch 3202 manually. Please contact milestone owner if you have questions.
Owners: amineer@(Android), cmasso@(iOS), bhthompson@(ChromeOS), abdulsyed@(Desktop)

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 9 by bugdroid1@chromium.org, Sep 6 2017

Labels: -merge-approved-62 merge-merged-3202
The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/9c00d71b5eaebf64ff828553b032c0f05ed6cc8b

commit 9c00d71b5eaebf64ff828553b032c0f05ed6cc8b
Author: David Roger <droger@chromium.org>
Date: Wed Sep 06 12:42:25 2017

Prevent extensions from accessing the Dice HTTP response header

Gaia can send an OAuth2 authorization code in the Dice response header.
This is very sensitive information, and may allow an extension to
generate a refresh token for the user account.
For this reason, we choose to hide the Dice response headers from extensions.

This header should only be hidden when sent from a Gaia origin, otherwise
this could allow a website to hide information from extensions.

This CL adds support for hiding response headers to extensions, and
affects the web_request and declarative_web_request APIs.

TBR=droger@chromium.org

(cherry picked from commit 1f0a8bf74dac6a17b96a29e694f36121f6425a80)

Bug: 757478
Change-Id: I79adc8ae7bfad828647f1a8bd792a2976a69e280
Reviewed-on: https://chromium-review.googlesource.com/629081
Reviewed-by: Devlin <rdevlin.cronin@chromium.org>
Reviewed-by: Mihai Sardarescu <msarda@chromium.org>
Commit-Queue: David Roger <droger@chromium.org>
Cr-Original-Commit-Position: refs/heads/master@{#499173}
Reviewed-on: https://chromium-review.googlesource.com/652449
Reviewed-by: David Roger <droger@chromium.org>
Cr-Commit-Position: refs/branch-heads/3202@{#42}
Cr-Branched-From: fa6a5d87adff761bc16afc5498c3f5944c1daa68-refs/heads/master@{#499098}
[modify] https://crrev.com/9c00d71b5eaebf64ff828553b032c0f05ed6cc8b/chrome/browser/extensions/BUILD.gn
[modify] https://crrev.com/9c00d71b5eaebf64ff828553b032c0f05ed6cc8b/chrome/browser/extensions/api/chrome_extensions_api_client.cc
[modify] https://crrev.com/9c00d71b5eaebf64ff828553b032c0f05ed6cc8b/chrome/browser/extensions/api/chrome_extensions_api_client.h
[add] https://crrev.com/9c00d71b5eaebf64ff828553b032c0f05ed6cc8b/chrome/browser/extensions/api/chrome_extensions_api_client_unittest.cc
[modify] https://crrev.com/9c00d71b5eaebf64ff828553b032c0f05ed6cc8b/chrome/browser/extensions/api/web_request/web_request_api_unittest.cc
[modify] https://crrev.com/9c00d71b5eaebf64ff828553b032c0f05ed6cc8b/chrome/browser/extensions/api/web_request/web_request_apitest.cc
[modify] https://crrev.com/9c00d71b5eaebf64ff828553b032c0f05ed6cc8b/chrome/browser/extensions/api/web_request/web_request_event_details_unittest.cc
[modify] https://crrev.com/9c00d71b5eaebf64ff828553b032c0f05ed6cc8b/chrome/browser/signin/chrome_signin_helper.cc
[modify] https://crrev.com/9c00d71b5eaebf64ff828553b032c0f05ed6cc8b/chrome/test/BUILD.gn
[add] https://crrev.com/9c00d71b5eaebf64ff828553b032c0f05ed6cc8b/chrome/test/data/extensions/api_test/webrequest_dice_header/background.js
[add] https://crrev.com/9c00d71b5eaebf64ff828553b032c0f05ed6cc8b/chrome/test/data/extensions/api_test/webrequest_dice_header/manifest.json
[add] https://crrev.com/9c00d71b5eaebf64ff828553b032c0f05ed6cc8b/chrome/test/data/extensions/dice.html
[add] https://crrev.com/9c00d71b5eaebf64ff828553b032c0f05ed6cc8b/chrome/test/data/extensions/dice.html.mock-http-headers
[modify] https://crrev.com/9c00d71b5eaebf64ff828553b032c0f05ed6cc8b/components/signin/core/browser/signin_header_helper.cc
[modify] https://crrev.com/9c00d71b5eaebf64ff828553b032c0f05ed6cc8b/components/signin/core/browser/signin_header_helper.h
[modify] https://crrev.com/9c00d71b5eaebf64ff828553b032c0f05ed6cc8b/extensions/browser/api/declarative_webrequest/webrequest_condition_attribute.cc
[modify] https://crrev.com/9c00d71b5eaebf64ff828553b032c0f05ed6cc8b/extensions/browser/api/declarative_webrequest/webrequest_condition_attribute_unittest.cc
[modify] https://crrev.com/9c00d71b5eaebf64ff828553b032c0f05ed6cc8b/extensions/browser/api/extensions_api_client.cc
[modify] https://crrev.com/9c00d71b5eaebf64ff828553b032c0f05ed6cc8b/extensions/browser/api/extensions_api_client.h
[modify] https://crrev.com/9c00d71b5eaebf64ff828553b032c0f05ed6cc8b/extensions/browser/api/web_request/web_request_api.cc
[modify] https://crrev.com/9c00d71b5eaebf64ff828553b032c0f05ed6cc8b/extensions/browser/api/web_request/web_request_api_helpers.cc
[modify] https://crrev.com/9c00d71b5eaebf64ff828553b032c0f05ed6cc8b/extensions/browser/api/web_request/web_request_api_helpers.h
[modify] https://crrev.com/9c00d71b5eaebf64ff828553b032c0f05ed6cc8b/extensions/browser/api/web_request/web_request_event_details.cc