ExtensionSettings allowed_permissions undocumented and other issues
Reported by
samuel.k...@airbnb.com,
Sep 5
|
||||||||
Issue description
UserAgent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3534.4 Safari/537.36
Steps to reproduce the problem:
Try to generate and maintain a long ExtensionSettings policy and workflow.
What is the expected behavior?
We'd expect to be able to have a policy entry like this, which would prevent the extension from loading if it requested any permissions other than storage and bookmarks.
"aahpfefkmihhdabllidnlipghcjgpkdm": {
"allowed_permissions": [
"storage",
"bookmarks"
],
"blocked_permissions": [
"*"
],
"installation_mode": "allowed"
]
}
For the wildcard, we'd like to be able to do something like this:
"*": {
"allowed_types": [
"extension",
"theme",
"user_script",
"hosted_app",
"legacy_packaged_app",
"platform_app"
],
"blocked_install_message": "Please visit https://helpdesk.example.com to have this extension reviewed.",
"allowed_permissions": [
"alarms",
"background",
"clipboardWrite",
"contextMenus",
"documentScan",
"fontSettings",
"gcm",
"identity",
"idle",
"nativeMessaging",
"notifications",
"power",
"printerProvider",
"storage",
"system.cpu",
"system.display",
"system.memory",
"system.storage",
"tts",
"ttsEngine",
"unlimitedStorage",
"wallpaper",
"mediaGalleries",
"webview",
"notificationProvider",
"gcm",
"fullscreen",
"commands",
"alwaysOnTopWindows",
"cast",
"cast.streaming",
"brailleDisplayPrivate",
"feedbackPrivate",
"activityLogPrivate",
"cloudPrintPrivate",
"commandLinePrivate"
],
"installation_mode": "allowed",
"blocked_permissions": [
"*"
]
},
What went wrong?
ExtensionSettings was released with Chrome 62 late last year and is of course much more powerful than the legacy extension policies which it replaces. While building a tool to generate our ExtensionSettings policy, I found that it was going to be quite difficult to maintain the list of permissions in the `blocked_permissions` for each extension and then found that `allowed_permissions` actually does exist but is undocumented.
https://www.chromium.org/administrators/policy-list-3/extension-settings-full
https://chromium.googlesource.com/chromium/src/+/master/chrome/browser/extensions/extension_management_constants.cc#21
We would like to use the `allowed_permissions` key, but it is really only effective when paired with `blocked_permissions` as well. We would like to treat `allowed_permissions` as a copy of the permissions which were present when an extension was audited, and not have to include every single other permission in the blocked permissions to get this behavior. With extension permissions frequently including URLs, this gets even messier.
There are permissions which get added fairly often, and we can't really feasibly keep track of all of them. We also don't want to have to include an identical blocked_permissions for every single extension. This is easy to do, but makes the configuration be tens of megabytes for us which causes other problems like Chrome or prefpane hangs. For this, we would like to be able to include a special `*` wildcard in the blocked_permissions for an extension, so the only permissions which would be permitted would be those explicitly allowed in the `allowed_permissions` list.
Additionally, when trying to use the `allowed_permissions` key in the special `*` wildcard, it is not permitted. We'd like to be able to use it there, so that we can maintain a list of low risk permissions for which a user could install the extension without review.
Did this work before? No
Chrome version: 70.0.3534.4 Channel: dev
OS Version: OS X 10.14.0
Flash Version:
,
Sep 7
this is group policy on mac. owen, can you take a look or re-assign appropriately?
,
Sep 7
Assign the issue to Nick who might know the first question better. Hi Nick, Could you explain more about how does allowed_permissions work so we could ask the Tech writer to update the documentation. FYI, the official documentation is located in : https://support.google.com/chrome/a/answer/7666985?visit_id=636719527181056061-5167632&rd=1 Also, supporting '*' for blocked/allowed_permissions is a separate feature request. I opened issue 882016 for that. Thanks, Owen
,
Sep 7
,
Sep 10
,
Sep 10
,
Nov 7
,
Nov 19
|
||||||||
►
Sign in to add a comment |
||||||||
Comment 1 by poromov@chromium.org
, Sep 6Labels: -Type-Bug Enterprise-Triaged Type-Feature