Thanks for filing!  I'm including a few Mojo security and Site Isolation folks and applying a few security labels out of caution.

For context, Nick and I raised a concern about this on https://chromium-review.googlesource.com/c/chromium/src/+/706380, and Reilly was already aware and had plans to improve this.

We should make sure to fix this in the short term if possible, because it sounds like test bindings are being given to highly privileged WebUI pages in practice.  These bindings are potentially quite risky (e.g., not reviewed with the same rigor and may be connected to untrusted or exploitable code on the other end of the pipe).

Just so that folks understand exactly what test bindings we are referring to, this issue refers specifically to the MojoJSTest bindings which is essentially just the MojoInterfaceInterceptor object. This object allows script running in a renderer to intercept Mojo interface requests made by the renderer when they would otherwise be handled by the browser process.

Would that allow the WebUI process to be able to create its own services, similar to  issue 740710 ?  Given that some WebUI pages include web iframes today (which we're trying to fix), that would be concerning.

(I don't have enough Mojo knowledge to be sure-- just wanted to check.)

Adding rockot@.

This only allows the renderer to impersonate the browser process to itself.

Thanks for confirming.  Doesn't sound too severe, though we should still clean it up to reduce the attack surface.  Thanks!

After assuming I would have to do something more complex I realized there was an embarrassingly simple solution to this problem.

https://chromium-review.googlesource.com/#/c/chromium/src/+/727477

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/65cc6ac7e6299ecb0bc27e8224b75e186ce245c8

commit 65cc6ac7e6299ecb0bc27e8224b75e186ce245c8
Author: Reilly Grant <reillyg@chromium.org>
Date: Thu Oct 19 04:05:34 2017

Enable MojoJSTest for WebUI only in WebUI browser tests

This change removes the additional "context enabled" feature for the
MojoJSTest bindings and instead simply modifies the base class for all
WebUI browser tests to add a command line flag enabling these bindings.

This enables the bindings in all renderers launched by such tests but
that is okay.

Bug:  775760 
Change-Id: I36ec28aed07ff9bcf46228f9828e157c96222723
Reviewed-on: https://chromium-review.googlesource.com/727477
Reviewed-by: Kentaro Hara <haraken@chromium.org>
Reviewed-by: Lei Zhang <thestig@chromium.org>
Commit-Queue: Reilly Grant <reillyg@chromium.org>
Cr-Commit-Position: refs/heads/master@{#509994}
[modify] https://crrev.com/65cc6ac7e6299ecb0bc27e8224b75e186ce245c8/chrome/test/base/web_ui_browser_test.cc
[modify] https://crrev.com/65cc6ac7e6299ecb0bc27e8224b75e186ce245c8/chrome/test/base/web_ui_browser_test.h
[modify] https://crrev.com/65cc6ac7e6299ecb0bc27e8224b75e186ce245c8/content/renderer/render_frame_impl.cc
[modify] https://crrev.com/65cc6ac7e6299ecb0bc27e8224b75e186ce245c8/third_party/WebKit/Source/bindings/templates/ConditionalFeaturesForCore.cpp.tmpl
[modify] https://crrev.com/65cc6ac7e6299ecb0bc27e8224b75e186ce245c8/third_party/WebKit/Source/bindings/tests/results/core/ConditionalFeaturesForCore.cpp
[modify] https://crrev.com/65cc6ac7e6299ecb0bc27e8224b75e186ce245c8/third_party/WebKit/Source/core/context_features/ContextFeatureSettings.h
[modify] https://crrev.com/65cc6ac7e6299ecb0bc27e8224b75e186ce245c8/third_party/WebKit/Source/core/exported/WebContextFeatures.cpp
[modify] https://crrev.com/65cc6ac7e6299ecb0bc27e8224b75e186ce245c8/third_party/WebKit/Source/core/mojo/test/MojoInterfaceInterceptor.idl
[modify] https://crrev.com/65cc6ac7e6299ecb0bc27e8224b75e186ce245c8/third_party/WebKit/Source/core/mojo/test/MojoInterfaceRequestEvent.idl
[modify] https://crrev.com/65cc6ac7e6299ecb0bc27e8224b75e186ce245c8/third_party/WebKit/public/web/WebContextFeatures.h

Hooray!  Thanks for the quick fix.

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot