New issue
Advanced search Search tips
Note: Color blocks (like or ) mean that a user may not be available. Tooltip shows the reason.

Issue 827173 link

Starred by 2 users

Issue metadata

Status: Fixed
Owner:
Closed: May 2018
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux , Windows , Mac
Pri: 1
Type: Bug



Sign in to add a comment

chrome://restart allows temporary bypass of website blocking policy

Reported by m...@kaply.com, Mar 29 2018

Issue description

UserAgent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:61.0) Gecko/20100101 Firefox/61.0

Steps to reproduce the problem:
1. Set a policy to disallow access to a webpage.
2. Visit that web page in the browser to see the blocked message.
3. Type chrome://restart in the URL bar.
4. Notice that you can see the blocked page. (Reloading blocks it again)

What is the expected behavior?
The page should not be visible.

What went wrong?
The policy for blocking the page was not honored at restart.

Did this work before? N/A 

Chrome version: <Copy from67.0.3382.0 (Official Build) canary (64-bit) (cohort: Clang-64)  Channel: canary
OS Version: 10.0
Flash Version: Shockwave Flash 29.0 r0
 
Labels: Needs-Triage-M67
Cc: pastarmovj@chromium.org privard@chromium.org blumberg@chromium.org georgesak@chromium.org
Labels: -Pri-2 -Needs-Triage-M67 Enterprise-Triaged Pri-1
Owner: grt@chromium.org
Status: Assigned (was: Unconfirmed)
Assigning this to grt@ who's currently working in this space.

Comment 3 by grt@chromium.org, Apr 16 2018

It sounds like the policy isn't applied to tabs during session restore.

Could you assign a target milestone for this, Georges? Should we aim for M67? Thanks.
Labels: Target-67 OS-Linux OS-Mac
Yes, 67 would be ideal. Updated the bug (also I don't see why this would be Windows only, so adding Mac/Linux as well).

Comment 5 by grt@chromium.org, Apr 24 2018

Update: it's a classic race condition. The startup codepath checks the restored URL against the blacklist, yet the blacklist has yet to complete initialization. In slightly more detail:

The policy::URLBlacklistManager is created on the UI thread during startup the first time it is needed. This is when the NavigationThrottles are created for the first navigation (of any kind, not just the navigation to the blocked URL). The manager reads the policy prefs synchronously, then posts a task at BACKGROUND priority to build its blacklist. At this point, SessionRestore::RestoreSession continues on the UI thread, restoring all tabs in the session. At some point during restoration, the background thread builds the blacklist and bounces it back to the UI thread. While that's happening, the UI thread eventually gets to restoring the banned URL. Sure enough, it checks the URLBlacklist for the banned URL before the UI thread has handled the call to apply the newly computed blacklist. And there you go.

Comment 6 by grt@chromium.org, Apr 24 2018

Cc: joaodasilva@chromium.org
+joaodasilva: it looks like the blacklist manager has built the actual list on some other thread since its inception. Do you recall why the thread bounce was introduced? It seems to me that we should always gate first loads on having the blacklist ready. I can see doing the work on another thread for the sake of parallelism during startup at the cost of a little complexity.

pastarmovj: as an OWNER in components/policy, what are your thoughts?
FWIW, if the only reason for deferring the blacklist building is avoiding the startup penalty, we should definitely reconsider. This would only impact devices that have this policy set, and the admins who do set it expect to work all the time, including on session restore. That penalty should be more than acceptable in that case.

Project Member

Comment 8 by bugdroid1@chromium.org, Apr 30 2018

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/2f011a45be6d1c28c4ffb5a04729d5a635d7c7ab

commit 2f011a45be6d1c28c4ffb5a04729d5a635d7c7ab
Author: Greg Thompson <grt@chromium.org>
Date: Mon Apr 30 09:44:14 2018

Initialize the URL blacklist during startup.

This allows it to be in force during session restore.

This CL also gently reduces heap usage during blacklist preparation and
moves regular blacklist prep to a non-blocking background thread.

BUG= 827173 

Change-Id: Ibabae7111b6e005ea0433567a8dff840ce2cd156
Reviewed-on: https://chromium-review.googlesource.com/1032744
Reviewed-by: Jesse Doherty <jwd@chromium.org>
Reviewed-by: Julian Pastarmov <pastarmovj@chromium.org>
Commit-Queue: Greg Thompson <grt@chromium.org>
Cr-Commit-Position: refs/heads/master@{#554714}
[modify] https://crrev.com/2f011a45be6d1c28c4ffb5a04729d5a635d7c7ab/chrome/browser/policy/policy_browsertest.cc
[modify] https://crrev.com/2f011a45be6d1c28c4ffb5a04729d5a635d7c7ab/components/policy/core/browser/url_blacklist_manager.cc
[modify] https://crrev.com/2f011a45be6d1c28c4ffb5a04729d5a635d7c7ab/tools/metrics/histograms/histograms.xml

Comment 9 by grt@chromium.org, May 1 2018

Status: Fixed (was: Assigned)
Fixed in 68.0.3416.0.
Cc: atwilson@chromium.org
Policies are read synchronously at startup precisely to avoid bugs like this. But the thread bounce breaks the behavior for this one, and that went unnoticed for a long time :-) I don't remember the original reason for that thread behavior.

The fix looks good. Thanks!

Comment 11 by grt@chromium.org, May 7 2018

Thanks for taking a look!
I added the URLBlacklistManager.ConstructorBuildTime metric to measure the impact of the synchronous load during startup. The 7d average on stable is sub 5ms. This seems pretty small, and only impacts startup where at least one of the two policy URL lists is set. I'll retire the metric, as it has done its job.
Project Member

Comment 13 by bugdroid1@chromium.org, Sep 4

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/3706d90075cafeec69e89798ede9894bc5f8fb23

commit 3706d90075cafeec69e89798ede9894bc5f8fb23
Author: Greg Thompson <grt@chromium.org>
Date: Tue Sep 04 14:13:04 2018

Remove URLBlacklistManager.ConstructorBuildTime.

It served its purpose and is now safe to remove.

BUG= 827173 
R=pastarmovj@chromium.org,isherman@chromium.org

Change-Id: I297865c08486ace46c5a42df698cf169ab5d7f9a
Reviewed-on: https://chromium-review.googlesource.com/1203372
Reviewed-by: Ilya Sherman <isherman@chromium.org>
Reviewed-by: Julian Pastarmov <pastarmovj@chromium.org>
Commit-Queue: Greg Thompson <grt@chromium.org>
Cr-Commit-Position: refs/heads/master@{#588507}
[modify] https://crrev.com/3706d90075cafeec69e89798ede9894bc5f8fb23/components/policy/core/browser/url_blacklist_manager.cc
[modify] https://crrev.com/3706d90075cafeec69e89798ede9894bc5f8fb23/tools/metrics/histograms/histograms.xml

Project Member

Comment 14 by bugdroid1@chromium.org, Sep 4

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/3706d90075cafeec69e89798ede9894bc5f8fb23

commit 3706d90075cafeec69e89798ede9894bc5f8fb23
Author: Greg Thompson <grt@chromium.org>
Date: Tue Sep 04 14:13:04 2018

Remove URLBlacklistManager.ConstructorBuildTime.

It served its purpose and is now safe to remove.

BUG= 827173 
R=pastarmovj@chromium.org,isherman@chromium.org

Change-Id: I297865c08486ace46c5a42df698cf169ab5d7f9a
Reviewed-on: https://chromium-review.googlesource.com/1203372
Reviewed-by: Ilya Sherman <isherman@chromium.org>
Reviewed-by: Julian Pastarmov <pastarmovj@chromium.org>
Commit-Queue: Greg Thompson <grt@chromium.org>
Cr-Commit-Position: refs/heads/master@{#588507}
[modify] https://crrev.com/3706d90075cafeec69e89798ede9894bc5f8fb23/components/policy/core/browser/url_blacklist_manager.cc
[modify] https://crrev.com/3706d90075cafeec69e89798ede9894bc5f8fb23/tools/metrics/histograms/histograms.xml

Project Member

Comment 15 by bugdroid1@chromium.org, Sep 4

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/3706d90075cafeec69e89798ede9894bc5f8fb23

commit 3706d90075cafeec69e89798ede9894bc5f8fb23
Author: Greg Thompson <grt@chromium.org>
Date: Tue Sep 04 14:13:04 2018

Remove URLBlacklistManager.ConstructorBuildTime.

It served its purpose and is now safe to remove.

BUG= 827173 
R=pastarmovj@chromium.org,isherman@chromium.org

Change-Id: I297865c08486ace46c5a42df698cf169ab5d7f9a
Reviewed-on: https://chromium-review.googlesource.com/1203372
Reviewed-by: Ilya Sherman <isherman@chromium.org>
Reviewed-by: Julian Pastarmov <pastarmovj@chromium.org>
Commit-Queue: Greg Thompson <grt@chromium.org>
Cr-Commit-Position: refs/heads/master@{#588507}
[modify] https://crrev.com/3706d90075cafeec69e89798ede9894bc5f8fb23/components/policy/core/browser/url_blacklist_manager.cc
[modify] https://crrev.com/3706d90075cafeec69e89798ede9894bc5f8fb23/tools/metrics/histograms/histograms.xml

Labels: TE-Verified-M71 TE-Verified-71.0.3543.0
Verified this issue on Window 10, Windows 7 with chrome #71.0.3543.0 and observed the fix is worked as intended. Hence adding TE Verified labels.

Attaching the screen-cast for reference.
827173.mp4
1.5 MB View Download

Sign in to add a comment