Chromium’s extension API cannot intercept all requests from PDFium
Reported by
gertjan....@gmail.com,
Mar 22 2018
|
|||||||||||
Issue descriptionUserAgent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/65.0.3325.181 Safari/537.36 Steps to reproduce the problem: We used an extensive set of web mechanisms that initiate cross-site requests to a blacklisted domain in order to test the thoroughness of ad blocking and privacy extensions developed for Chrome and Opera. We concluded that all of these extensions can be bypassed with at least one web mechanism. Apart from the incompleteness of some extensions, we found another cause for this to be the insufficient extension API and unclear parts of its specification that Chromium offers to its extension developers. We found that opening JavaScript-embedding PDF files through Chromium’s PDF viewer PDFium can initiate cross-site requests that are not interceptable with onBeforeRequest listeners. Subsequently, we managed to bypass the aforementioned extensions by creating a PDF file in which the embedded JavaScript initiated both GET and POST requests to a blacklisted domain. Although cross-site requests initiated through the AppCache API and ServiceWorker API are certainly interceptable by extensions, it is difficult to tell them apart from requests associated with the browser’s background processes (e.g. address bar autocompletion). This is because the tab identifiers provided to the onBeforeRequest listener equal to -1 for requests due to these APIs, which is the same value that is used for requests due to background processes. On top of this, we found no clear specification explaining the value of the tab id associated with these requests. We only found a specification stating that a tab id of -1 indicates that the request is not related to a tab. According to us, both the lack of a clear explanation and the difficulty to distinct background processes' requests from the APIs’ requests, are the most prominent reasons why only a few extensions were able to block requests initiated by the AppCache API and ServiceWorker API. What is the expected behavior? Ad blocking and privacy extension developers should be able to intercept every cross-site request and should have access to a complete and clear specification. What went wrong? Ad blocking and privacy extension developers are not able to intercept every cross-site request and the available specification misses information about aspects important to extension developers. Did this work before? No Chrome version: Channel: stable OS Version: OS X 10.13.1 Flash Version:
,
Mar 22 2018
I included the PDF that we used in this comment. We discovered this behaviour for all extensions that we tested, this includes AdBlock, Adblock Plus, Privacy Badger, Ghostery etc. By using the extension debugger, we noticed the requests initiated by our PDF file were never handled by the onBeforeRequest listener.
,
Mar 22 2018
,
Mar 22 2018
Yes, this is accurate - extensions cannot intercept requests from PDFium. PDFium, in Chrome, is (partially) implemented as a component extension, and extension requests cannot be monitored or manipulated by other extensions. The behavior of protecting component extension requests is critical for security reasons, and we are unlikely to change it. I could see potentially treating PDFium differently in some way, but it would be costly and difficult to get right (requesting the PDF should not be protected, but other requests from the component extension should). I don't know if that's something the team is willing to take on, due to both the initial cost and likely steep maintenance burden (not to mention risk of security holes). There are workarounds for these extreme cases in which users need stronger guarantees. The most desirable may be that you can provide an alternative PDF-viewing extension to be used in lieu of PDFium, and in that incorporate the desired privacy guarantees.
,
Mar 26 2018
I don't think the trade offs of treating PDFium specially are worth the risks. I'm going to close this as WontFix as it's working as intended per #4.
,
Mar 27 2018
I understand that extensions are not supposed to intercept other extensions' requests for security reasons and that making an exception for PDFium would require quite some resources. Nevertheless, it's unfortunate that Chrome users - including privacy-aware users that made the effort of installing a tracking protection extension - are (still) exposed to trackers and have no way to protect themselves other than to stop using Chrome's default PDF viewer. You are right that there are workarounds like using a third-party PDF viewer extension or using the OS's own PDF viewer, however, the issue itself and these workarounds might not be so obvious to even the more privacy-aware portion of Chrome users. Interestingly, we found that Opera's built-in ad blocker actually does block cross-site requests to tracking domains initiated by PDFium. Maybe a solution in this direction would also be more suitable for Chrome, solving it through Chrome's recently introduced ad blocker? Or alternatively, providing an option to block JavaScript execution inside PDFs, prompting the user for permission to execute the JavaScript code inside the opened PDF, etc. could make this issue at least more manageable and visible for the user without them having to abandon PDFium?
,
Mar 27 2018
The idea of allowing users to block JS on pdfs is interesting. We already have the option for users to block JS on websites through content settings. Have you checked to see if that happens to "just work" for pdfs? If not, that may be a change we could make. +raymes for input on that.
,
Mar 28 2018
Just checked; it does not work for PDFs.
,
Mar 28 2018
I would be supportive of that change (though I'm not an expert in content settings). raymes@ and +msramek@, as content settings OWNERs, any thoughts?
,
Mar 28 2018
I think that is tracked in issue 696650
,
Apr 2 2018
Yep, that appears to be the same request (for similar reasons, too). It looks like that's currently restricted; does it need to remain so?
,
May 29 2018
Just to (fully) close the loop, this should hopefully be fixed by tsepez's patch at revision 51cd319fd6aac5ff056fa323d7072b917a7b1a7b. |
|||||||||||
►
Sign in to add a comment |
|||||||||||
Comment 1 by elawrence@chromium.org
, Mar 22 2018Labels: -Type-Bug-Security -Restrict-View-SecurityTeam OS-Chrome OS-Linux OS-Windows Type-Bug
Summary: Chromium’s extension API cannot intercept all requests from PDFium (was: Chromium’s extension API does not offer ad blocking and privacy extension developers the means to intercept all cross-site requests.)