
Issue 827288

Starred by 5 users

Issue metadata

Status: Assigned
Owner:
Cc:
Components:
EstimatedDays: ----
NextAction: 2018-07-31
OS: Linux , Windows , Chrome , Mac
Pri: 2
Type: Feature




Disallow JavaScript in chrome.tabs.update()

Project Member Reported by taviso@google.com, Mar 29 2018

Issue description

I've noticed many extensions have content scripts that allow navigating the current tab to a page-specified URL (see go/video-downloader-vulnerability for an example). This is not exploitable on Firefox, because chrome.tabs.update() on Mozilla throws an exception for "javascript:" URLs.

FIREFOX:
> chrome.tabs.update({"url": "javascript:alert(1)"}, function(tab){})
Unchecked lastError value: Error: Illegal URL: javascript:alert(1)  ExtensionCommon.jsm:425
	withLastError resource://gre/modules/ExtensionCommon.jsm:425:9
	wrapPromise/< resource://gre/modules/ExtensionCommon.jsm:478:11

On Chrome, if an extension has access to the tab's origin, this works, and executes in the context of the active tab.

It seems unlikely anybody is relying on this:

1. There's a better API: chrome.tabs.executeScript()
2. It's inherently racy and unreliable: a user or page can change the active tab.
3. It doesn't work on Firefox.

I think we should disallow javascript urls in the chrome.tabs.update API, this would make a common vulnerability in chrome extensions unexploitable.
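
The pattern described above, as an added example that is not part of the bug report or of any extension it mentions: a background-script message handler that forwards a page-supplied URL to chrome.tabs.update() only after checking the URL's scheme against an allowlist. The message shape (`{type: "navigate", url}`) and the injectable `tabsApi` parameter are assumptions made so the handler can be exercised outside a browser; in a real extension `tabsApi` would be `chrome.tabs`, and the check makes the handler safe on browser versions from before the fix in this bug as well as after it.

```javascript
// Added example (not code from the Chromium bug or any extension it names).
// A page-supplied URL forwarded unchecked to chrome.tabs.update() would, before
// the fix tracked here, let a "javascript:" URL run in the active tab with the
// extension's tab-access permissions. Allowlisting the scheme closes that off.

const ALLOWED_SCHEMES = new Set(["http:", "https:"]);

// Returns the normalized URL string if it is safe to navigate to, else null.
// The WHATWG URL parser is used deliberately: it strips leading/trailing
// whitespace and embedded tab/newline characters and lower-cases the scheme,
// so "JavaScript:" or " javascript:" compare as "javascript:" rather than
// slipping past a naive string prefix check.
function safeNavigationUrl(candidate) {
  if (typeof candidate !== "string") return null;
  let parsed;
  try {
    parsed = new URL(candidate); // throws on relative or malformed input
  } catch (e) {
    return null;
  }
  return ALLOWED_SCHEMES.has(parsed.protocol) ? parsed.href : null;
}

// Hardened handler for a (hypothetical) {type: "navigate", url: ...} message
// relayed from a content script. `tabsApi` stands in for chrome.tabs.
// Returns true if a navigation was issued, false if the message was rejected.
function handleNavigateMessage(message, tabsApi) {
  if (!message || message.type !== "navigate") return false;
  const url = safeNavigationUrl(message.url);
  if (url === null) return false; // rejects javascript:, data:, file:, etc.
  tabsApi.update({ url });
  return true;
}

// Stand-alone demonstration with a recording stub in place of chrome.tabs.
function demo() {
  const issued = [];
  const fakeTabs = { update: (opts) => issued.push(opts.url) };
  handleNavigateMessage({ type: "navigate", url: "https://example.com/ok" }, fakeTabs);
  handleNavigateMessage({ type: "navigate", url: "javascript:alert(1)" }, fakeTabs);
  handleNavigateMessage({ type: "navigate", url: "JavaScript:alert(1)" }, fakeTabs);
  return issued; // only the https URL is forwarded
}
```

The allowlist is intentionally short: extensions that legitimately need other schemes (for example `chrome-extension:` for their own pages) should add exactly those, never a denylist of known-bad schemes.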
 

Comment 1 by taviso@google.com, Mar 29 2018

Labels: -Pri-3 OS-Chrome OS-Linux OS-Mac OS-Windows Pri-2
Owner: dbertoni@chromium.org
Status: Assigned (was: Untriaged)
I agree that we should remove support here - there are much better ways of doing this.  For better or worse, we have explicit support here, so I think we do need to double-check what the usage counts are like before fully removing.  (Note that these injections still have all the typical permission checks, so this isn't a security vulnerability in Chrome itself.)

dbertoni@, is this something you can look into?  First step will be adding UMA for the number of javascript: URL navigations via chrome.tabs.update; assuming those counts are relatively low, we should be able to then remove support (yay, code deletion!).
Project Member Comment 3 by bugdroid1@chromium.org, May 2 2018

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/592d43574ef815368a9f14b9b15239b62a8d0dc7

commit 592d43574ef815368a9f14b9b15239b62a8d0dc7
Author: David Bertoni <dbertoni@chromium.org>
Date: Wed May 02 19:03:51 2018

Add metric to monitor executing javascript in tabs.update API calls.

Bug: 827288
Change-Id: Id6050bc02fbb68b29e9b2a6c7abb652186aaba13
Reviewed-on: https://chromium-review.googlesource.com/1038151
Reviewed-by: Devlin <rdevlin.cronin@chromium.org>
Reviewed-by: Gayane Petrosyan <gayane@chromium.org>
Commit-Queue: David Bertoni <dbertoni@chromium.org>
Cr-Commit-Position: refs/heads/master@{#555495}
[modify] https://crrev.com/592d43574ef815368a9f14b9b15239b62a8d0dc7/chrome/browser/extensions/api/tabs/tabs_api.cc
[modify] https://crrev.com/592d43574ef815368a9f14b9b15239b62a8d0dc7/tools/metrics/histograms/histograms.xml

NextAction: 2018-07-31
The NextAction date has arrived: 2018-07-31
Project Member Comment 6 by bugdroid1@chromium.org, Sep 27

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/fd8288b182702131437daf5b25f7cd8b00c638df

commit fd8288b182702131437daf5b25f7cd8b00c638df
Author: David Bertoni <dbertoni@chromium.org>
Date: Thu Sep 27 19:08:33 2018

[Extensions] chrome.tabs.update() no longer supports JavaScript URLs.

Bug: 827288
Change-Id: Ic500608906e7c7c428e3042c5ffcf29f31899beb
Reviewed-on: https://chromium-review.googlesource.com/1207576
Commit-Queue: David Bertoni <dbertoni@chromium.org>
Reviewed-by: Istiaque Ahmed <lazyboy@chromium.org>
Cr-Commit-Position: refs/heads/master@{#594805}
[modify] https://crrev.com/fd8288b182702131437daf5b25f7cd8b00c638df/chrome/browser/extensions/api/tabs/tabs_api.cc
[modify] https://crrev.com/fd8288b182702131437daf5b25f7cd8b00c638df/chrome/browser/extensions/api/tabs/tabs_api.h
[modify] https://crrev.com/fd8288b182702131437daf5b25f7cd8b00c638df/chrome/browser/extensions/api/tabs/tabs_api_unittest.cc
[modify] https://crrev.com/fd8288b182702131437daf5b25f7cd8b00c638df/chrome/browser/extensions/api/tabs/tabs_constants.cc
[modify] https://crrev.com/fd8288b182702131437daf5b25f7cd8b00c638df/chrome/browser/extensions/api/tabs/tabs_constants.h
[modify] https://crrev.com/fd8288b182702131437daf5b25f7cd8b00c638df/chrome/browser/extensions/execute_script_apitest.cc
[delete] https://crrev.com/e205cc6835def5c0e83e10fe39f19178cf1b1b31/chrome/browser/extensions/extension_javascript_url_apitest.cc
[modify] https://crrev.com/fd8288b182702131437daf5b25f7cd8b00c638df/chrome/common/extensions/api/tabs.json
[modify] https://crrev.com/fd8288b182702131437daf5b25f7cd8b00c638df/chrome/test/BUILD.gn
[delete] https://crrev.com/e205cc6835def5c0e83e10fe39f19178cf1b1b31/chrome/test/data/extensions/api_test/executescript/navigation_race/javascript_url.html
[delete] https://crrev.com/e205cc6835def5c0e83e10fe39f19178cf1b1b31/chrome/test/data/extensions/api_test/executescript/navigation_race/javascript_url.js
