Enable MojoJSTest bindings only in WebUI when under test |
|||||
Issue descriptionBoth the old GIN wrapper bindings for overriding Mojo interfaces in the renderer and new standard Blink bindings are currently enabled in all WebUI script contexts. This is necessary because the renderer is unaware of whether or not it is running inside of a browser_test and these bindings are needed by WebUI tests. This issue tracks resolving this issue as it exposes an unnecessary and potentially exploitable API surface.
,
Oct 18 2017
Just so that folks understand exactly what test bindings we are referring to, this issue refers specifically to the MojoJSTest bindings which is essentially just the MojoInterfaceInterceptor object. This object allows script running in a renderer to intercept Mojo interface requests made by the renderer when they would otherwise be handled by the browser process.
,
Oct 18 2017
Would that allow the WebUI process to be able to create its own services, similar to issue 740710 ? Given that some WebUI pages include web iframes today (which we're trying to fix), that would be concerning. (I don't have enough Mojo knowledge to be sure-- just wanted to check.)
,
Oct 18 2017
Adding rockot@. This only allows the renderer to impersonate the browser process to itself.
,
Oct 18 2017
Thanks for confirming. Doesn't sound too severe, though we should still clean it up to reduce the attack surface. Thanks!
,
Oct 19 2017
After assuming I would have to do something more complex I realized there was an embarrassingly simple solution to this problem. https://chromium-review.googlesource.com/#/c/chromium/src/+/727477
,
Oct 19 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/65cc6ac7e6299ecb0bc27e8224b75e186ce245c8 commit 65cc6ac7e6299ecb0bc27e8224b75e186ce245c8 Author: Reilly Grant <reillyg@chromium.org> Date: Thu Oct 19 04:05:34 2017 Enable MojoJSTest for WebUI only in WebUI browser tests This change removes the additional "context enabled" feature for the MojoJSTest bindings and instead simply modifies the base class for all WebUI browser tests to add a command line flag enabling these bindings. This enables the bindings in all renderers launched by such tests but that is okay. Bug: 775760 Change-Id: I36ec28aed07ff9bcf46228f9828e157c96222723 Reviewed-on: https://chromium-review.googlesource.com/727477 Reviewed-by: Kentaro Hara <haraken@chromium.org> Reviewed-by: Lei Zhang <thestig@chromium.org> Commit-Queue: Reilly Grant <reillyg@chromium.org> Cr-Commit-Position: refs/heads/master@{#509994} [modify] https://crrev.com/65cc6ac7e6299ecb0bc27e8224b75e186ce245c8/chrome/test/base/web_ui_browser_test.cc [modify] https://crrev.com/65cc6ac7e6299ecb0bc27e8224b75e186ce245c8/chrome/test/base/web_ui_browser_test.h [modify] https://crrev.com/65cc6ac7e6299ecb0bc27e8224b75e186ce245c8/content/renderer/render_frame_impl.cc [modify] https://crrev.com/65cc6ac7e6299ecb0bc27e8224b75e186ce245c8/third_party/WebKit/Source/bindings/templates/ConditionalFeaturesForCore.cpp.tmpl [modify] https://crrev.com/65cc6ac7e6299ecb0bc27e8224b75e186ce245c8/third_party/WebKit/Source/bindings/tests/results/core/ConditionalFeaturesForCore.cpp [modify] https://crrev.com/65cc6ac7e6299ecb0bc27e8224b75e186ce245c8/third_party/WebKit/Source/core/context_features/ContextFeatureSettings.h [modify] https://crrev.com/65cc6ac7e6299ecb0bc27e8224b75e186ce245c8/third_party/WebKit/Source/core/exported/WebContextFeatures.cpp [modify] https://crrev.com/65cc6ac7e6299ecb0bc27e8224b75e186ce245c8/third_party/WebKit/Source/core/mojo/test/MojoInterfaceInterceptor.idl [modify] https://crrev.com/65cc6ac7e6299ecb0bc27e8224b75e186ce245c8/third_party/WebKit/Source/core/mojo/test/MojoInterfaceRequestEvent.idl [modify] https://crrev.com/65cc6ac7e6299ecb0bc27e8224b75e186ce245c8/third_party/WebKit/public/web/WebContextFeatures.h
,
Oct 19 2017
,
Oct 19 2017
,
Oct 19 2017
Hooray! Thanks for the quick fix.
,
Jan 27 2018
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot |
|||||
►
Sign in to add a comment |
|||||
Comment 1 by creis@chromium.org
, Oct 18 2017Components: Internals>Sandbox>SiteIsolation
Labels: -Pri-3 M-64 Security Restrict-View-SecurityTeam Pri-1