qinmin, could you please take a look as the person that fixed   issue 666824  ?

.hta seems to be on the dangerous files list: https://cs.chromium.org/chromium/src/chrome/browser/resources/safe_browsing/download_file_types.asciipb?q=download_file_types.asciipb&sq=package:chromium&dr&l=1862

did this regress?

Any update on this bug?

I am not able to repro the bug on linux, does this has to be on windows?
On linux, i loaded the unpacked extension, then nothing happens

Shakti, can you help test this bug see if it reproduces?

I can only repro this on Windows.

Yes, I was able to reproduce this on Windows 10

This is a serious security regression. If you are not able to fix this quickly, please revert the change that introduced it.

If this doesn't affect a release branch, or has not been properly classified for severity, please update the Security_Impact or Security_Severity labels, and remove the ReleaseBlock label. To disable this altogether, apply ReleaseBlock-NA.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

shaktisahu: Uh oh! This issue still open and hasn't been updated in the last 14 days. This is a serious vulnerability, and we want to ensure that there's progress. Could you please leave an update with the current status and any potential blockers?

If you're not the right owner for this issue, could you please remove yourself as soon as possible or help us find the right one?

If the issue is fixed or you can't reproduce it, please close the bug. If you've started working on a fix, please set the status to Started.

Thanks for your time! To disable nags, add the Disable-Nags label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

i think this is an issue with fake user gesture. 

In DownloadsOpenFunction, we check whether there is an user gesture before opening the download here: https://cs.chromium.org/chromium/src/chrome/browser/extensions/api/downloads/downloads_api.cc?type=cs&q=downloads_ap&g=0&l=1462

But seems the fake mouse click can bypass that check. 

Since dcheng@ is the author of WebContents::HasRecentInteractiveInputEvent(), assigning it to him to investigate. 
if HasRecentInteractiveInputEvent() can be easily spoofed, then we might need to remove that bypass path and always prompt user.

What is chrome.debugger? Is this an interface to devtools?

If devtools can trigger arbitrary input from the browser-side via Input.dispatchMouseEvent, then there's really not much I can do. I suppose we can gate the downloads prompt on if the extension has debugger permissions as well, and always prompt in that case?

(I'm not familiar with the downloads API implementation itself, so this should stay with someone on the downloads team)

Yes, the `chrome.debugger` API is known to be extremely powerful. https://developer.chrome.com/extensions/debugger

+rdevlin.cronin, meacer, who know more about extensions APIs, gestures as security mechanisms, and secure UX and API design concerns generally.

There's a bunch of indirection here, but jannhorn pointed me at https://cs.chromium.org/chromium/src/content/browser/renderer_host/render_widget_host_impl.cc?rcl=f340807ff46e1662b09c0cf4f73e788a0cbf946b&l=1219, which is the entrypoint for Input.dispatchMouseEvent.

I'm not sure how hard it would be to add a bit to these input events so we could know not to call the RenderWidgetHostDelegate here: https://cs.chromium.org/chromium/src/content/browser/renderer_host/render_widget_host_impl.cc?rcl=cdcc3926f1af7e14fce9dd7337a0127dde9a10ef&l=2491

But that would be another possible solution.

This is interesting - so any extension page can open downloaded files if there was a user gesture? I guess we can disallow debugging the pages which have access to chrome.downloads api. Devlin, mind taking a look? Should be similar to restricting file:/// access.

dcheng@ sounds like you need to augment this function:

https://cs.chromium.org/chromium/src/third_party/blink/public/platform/web_input_event.h?g=0&l=256

1) pass in the input event or a bool to say from_debugger.

2) Check it is via the debugger: event.modifiers & kFromDebugger

See:
https://cs.chromium.org/chromium/src/third_party/blink/public/platform/web_input_event.h?g=0&l=256

Err; I meant https://cs.chromium.org/chromium/src/content/browser/web_contents/web_contents_impl.cc?g=0&l=5939 as the first link

Wait, do you want to make injected DevTools input events skip some processing? Please don't, we try hard to make them behave as real events would. That's very important for testing/automation scenarios.

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/9a4a89a53791a508896b388b0d818644834c0d6d

commit 9a4a89a53791a508896b388b0d818644834c0d6d
Author: Min Qin <qinmin@chromium.org>
Date: Thu Jul 12 18:55:57 2018

Always prompt user if opening a download thru extensions with debugger permission

The user gesture can be faked, so we shouldn't trust it

BUG= 854455 

Change-Id: Ib42911a77d3f519554a5b9a4c1464ec50e79f268
Reviewed-on: https://chromium-review.googlesource.com/1135525
Reviewed-by: Xing Liu <xingliu@chromium.org>
Commit-Queue: Min Qin <qinmin@chromium.org>
Cr-Commit-Position: refs/heads/master@{#574652}
[modify] https://crrev.com/9a4a89a53791a508896b388b0d818644834c0d6d/chrome/browser/extensions/api/downloads/downloads_api.cc

Fixed?

Is it possible for a hostile extension with debugger permissions to trigger a download to open from another extension using this input injection?

*** Boilerplate reminders! ***
Please do NOT publicly disclose details until a fix has been released to all our users. Early public disclosure may cancel the provisional reward. Also, please be considerate about disclosure when the bug affects a core library that may be used by other products. Please do NOT share this information with third parties who are not directly involved in fixing the bug. Doing so may cancel the provisional reward. Please be honest if you have already disclosed anything publicly or to third parties. Lastly, we understand that some of you are not interested in money. We offer the option to donate your reward to an eligible charity. If you prefer this option, let us know and we will also match your donation - subject to our discretion. Any rewards that are unclaimed after 12 months will be donated to a charity of our choosing.
*********************************

Hi Khalil - the VRP panel decided to award $500 for this report, but noted that they may not reward bugs of this type in the future.  Cheers!

Thanks a lot Andrew! :-)

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot