Limit U2F Extension to HTTPS sites |
|||
Issue descriptionCurrently, the U2F extension specifies externally_connectable as <all_urls>. [1] This means that any extension can send a message to the U2F extension via chrome.runtime.sendMessage, and also means that we expose the chrome.runtime object on all sites. Until webAuthn ships and we deprecate and eventually remove the U2F extension and the runtime.sendMessage approach, we're kind of stuck with allowing websites to use runtime.sendMessage. But I don't see a reason that we need to expose it to http sites. U2F relies on the origin, and an http origin isn't very helpful for attestation of identity. Any reason we can't limit cryptotoken's externally_connectable to "just" https://*/*? I'll assign this to myself for now, because I'll volunteer to write the CL to change it if we're okay with this. :)
,
Feb 9 2018
,
Feb 10 2018
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/d9a0003abb75ea14217891376b068265646089ea commit d9a0003abb75ea14217891376b068265646089ea Author: Devlin Cronin <rdevlin.cronin@chromium.org> Date: Sat Feb 10 02:03:30 2018 [Extensions] Allow whitelisted extensions to list all https sites for connection The externally_connectable entry in the manifest specifies which sites can message a given extension. By default, we require that these sites be listed at a somewhat specific level (we allow subdomains, but not (e)TLD wildcards). Extensions whitelisted for the externally_connectable.all_urls permission (and with that permission present) can use externally_connectable to list all_urls. This is used by the cryptotoken extension in order to allow any arbitrary site to initiate the u2f checks. However, there's no point in allowing an http site to connect to the extension, because https is a requirement for using u2f. As a first step to reducing the u2f extension to only whitelisting https sites, allow extensions whitelisted to specify all_urls in the externally_connectable entry to also be able to specify patterns with empty hosts like https://*/*. Bug: 810553 Change-Id: I3ff34ba8ce0126a777f52648245b0a85052511b1 Reviewed-on: https://chromium-review.googlesource.com/910037 Reviewed-by: Karan Bhatia <karandeepb@chromium.org> Commit-Queue: Devlin <rdevlin.cronin@chromium.org> Cr-Commit-Position: refs/heads/master@{#535930} [modify] https://crrev.com/d9a0003abb75ea14217891376b068265646089ea/extensions/common/manifest_handlers/externally_connectable.cc [modify] https://crrev.com/d9a0003abb75ea14217891376b068265646089ea/extensions/common/manifest_handlers/externally_connectable_unittest.cc [add] https://crrev.com/d9a0003abb75ea14217891376b068265646089ea/extensions/test/data/manifest_tests/externally_connectable_all_https_urls_not_whitelisted.json [add] https://crrev.com/d9a0003abb75ea14217891376b068265646089ea/extensions/test/data/manifest_tests/externally_connectable_all_https_urls_whitelisted.json
,
Feb 12 2018
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/39f8939309fe39bccc17fa1280b6c7f25c411947 commit 39f8939309fe39bccc17fa1280b6c7f25c411947 Author: Devlin Cronin <rdevlin.cronin@chromium.org> Date: Mon Feb 12 23:06:18 2018 [Cryptotoken] Update externally_connectable to only allow https The externally_connectable manifest key allows sites to connect to an extension, which cryptotoken uses in order to allow sites to initiate the authentication flow. It's a requirement that the site uses https, but currently externally_connectable allows connections from all sites. Instead, limit the externally_connectable matches to https sites. Bug: 810553 Cq-Include-Trybots: master.tryserver.chromium.linux:closure_compilation Change-Id: I3bd4eb537421a78d1259c2435c9193ce309fed07 Reviewed-on: https://chromium-review.googlesource.com/912566 Reviewed-by: Juan Lang <juanlang@chromium.org> Commit-Queue: Devlin <rdevlin.cronin@chromium.org> Cr-Commit-Position: refs/heads/master@{#536232} [modify] https://crrev.com/39f8939309fe39bccc17fa1280b6c7f25c411947/chrome/browser/resources/cryptotoken/manifest.json
,
Feb 12 2018
I'm going to be optimistic and say that these patches are gonna stick, and mark this as fixed. Thanks, all! |
|||
►
Sign in to add a comment |
|||
Comment 1 by juanlang@chromium.org
, Feb 8 2018