
Issue 884932


Issue metadata

Status: Fixed
Owner:
Closed: Oct 4
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux, Windows, Chrome, Mac
Pri: 1
Type: Bug-Security




Extensions can intercept sensitive browser initiated requests

Project Member Reported by karandeepb@chromium.org, Sep 17

Issue description

Currently, extensions can intercept (block/redirect) several browser initiated requests which may be sensitive in nature or affect browser functionality using the web request api. Some examples:

- https://update.googleapis.com/service/update2 (component updater)
- https://www.googleapis.com/chromewebstore/v1.1/items/verify (install signer, used for extension install verification)
- https://clients2.googleusercontent.com/crx/blobs.... (downloading crx packages after sync)
- https://lh3.googleusercontent.com/.... (Extension icon on the install dialog triggered from webstore)
- https://www.google.com/complete/search?client=chrome-omni.. (related to omnibox)
- https://www.google.com/async/ddljson?async=ntp:1 (related to ntp doodle)
- https://www.google.com/chromesuggestions?t=1
- https://cuscochromeextension-pa.googleapis.com/v1/omniboxsuggestions
- https://googleapis.com/oauth2... (calls to gaia urls)


For example, one can easily prevent extension install verification or downloading synced extensions by blocking some of these requests. This may have other security implications as well.

We have implemented custom one-off solutions in the past to prevent things like this (e.g. we prevent extensions from intercepting browser initiated requests to some web store urls, safe browsing urls, one google bar requests made on behalf of the NTP etc.).

It seems to me that a more complete solution would be to prevent extensions from intercepting any non-navigation browser initiated requests.
 
Labels: -Type-Bug Security_Impact-Stable Type-Bug-Security
Since this may be a possible security bug, marking as such.
Labels: Security_Severity-Medium OS-Chrome OS-Linux OS-Mac OS-Windows
Project Member

Comment 3 by sheriffbot@chromium.org, Sep 19

Labels: Target-70 M-70
Cc: roc...@chromium.org battre@chromium.org
cc'ing some other folks who have worked with the web request api in the past, in case they have any thoughts about the proposed solution.
I always thought it was quite surprising that we allowed this at all, but I have none of the historical context.
Labels: -Target-70 Target-71
Status: Started (was: Assigned)
Targeting M71, since this would involve changes to a public API.
The proposed change might be pretty simple via IsSensitiveRequest(...) in web_request_permissions.cc.

I guess it is a tradeoff between security and some potential privacy concerns. Given that it is today not possible to kill all network requests, I would be open to becoming even stricter. But I would suggest to give the privacy team a heads up.
Cc: msramek@chromium.org mkwst@chromium.org
Good idea. cc'ing some members of the privacy team, in case they have any potential concerns.
Cc: cduvall@chromium.org
+cduvall@ FYI
Cc: dxie@chromium.org jam@chromium.org dougt@chromium.org
Project Member

Comment 11 by bugdroid1@chromium.org, Oct 1

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/c66f36032447e28a08591874395ca8fbeb47ba19

commit c66f36032447e28a08591874395ca8fbeb47ba19
Author: Karan Bhatia <karandeepb@chromium.org>
Date: Mon Oct 01 20:05:44 2018

Extensions: Hide sensitive network requests from extensions.

Currently extensions can intercept browser initiated requests using the web
request API which potentially allows them to interfere with browser
functionality in various ways. This CL makes the following changes:
  - All browser initiated non-navigation requests are now hidden from
    extensions.
  - All webui requests are now hidden from extensions. (WebUI shouldn't be
    making network requests anyway).
  - Restructure code in WebRequestPermissions::HideRequest for better
    efficiency.

BUG= 884932 

Change-Id: I90f37a46e851c04fa949a1427665ecf8286210af
Reviewed-on: https://chromium-review.googlesource.com/1242296
Commit-Queue: Karan Bhatia <karandeepb@chromium.org>
Reviewed-by: Devlin <rdevlin.cronin@chromium.org>
Cr-Commit-Position: refs/heads/master@{#595531}
[modify] https://crrev.com/c66f36032447e28a08591874395ca8fbeb47ba19/chrome/browser/extensions/api/chrome_extensions_api_client.cc
[modify] https://crrev.com/c66f36032447e28a08591874395ca8fbeb47ba19/chrome/browser/extensions/api/declarative_net_request/declarative_net_request_browsertest.cc
[modify] https://crrev.com/c66f36032447e28a08591874395ca8fbeb47ba19/chrome/browser/extensions/api/declarative_net_request/ruleset_manager_unittest.cc
[modify] https://crrev.com/c66f36032447e28a08591874395ca8fbeb47ba19/chrome/browser/extensions/api/declarative_webrequest/webrequest_action_unittest.cc
[modify] https://crrev.com/c66f36032447e28a08591874395ca8fbeb47ba19/chrome/browser/extensions/api/declarative_webrequest/webrequest_rules_registry_unittest.cc
[modify] https://crrev.com/c66f36032447e28a08591874395ca8fbeb47ba19/chrome/browser/extensions/api/web_request/web_request_api_unittest.cc
[modify] https://crrev.com/c66f36032447e28a08591874395ca8fbeb47ba19/chrome/browser/extensions/api/web_request/web_request_apitest.cc
[modify] https://crrev.com/c66f36032447e28a08591874395ca8fbeb47ba19/chrome/browser/extensions/api/web_request/web_request_permissions_unittest.cc
[modify] https://crrev.com/c66f36032447e28a08591874395ca8fbeb47ba19/chrome/common/extensions/docs/templates/intros/webRequest.html
[modify] https://crrev.com/c66f36032447e28a08591874395ca8fbeb47ba19/extensions/browser/api/web_request/web_request_permissions.cc
[modify] https://crrev.com/c66f36032447e28a08591874395ca8fbeb47ba19/extensions/browser/api/web_request/web_request_permissions.h
[modify] https://crrev.com/c66f36032447e28a08591874395ca8fbeb47ba19/extensions/browser/api/web_request/web_request_permissions_unittest.cc
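
The rule stated in the commit message above, set beside a per-URL list of the kind the report calls one-off solutions, as an added C++ illustration that is not Chromium's code. `Request`, `HiddenByUrlList`, `HiddenByInitiator`, the list contents and the `store.example` / `site.example` URLs are assumptions made for the example.

```cpp
// Added illustration: simplified model, not Chromium's WebRequestPermissions code.
#include <iostream>
#include <string>
#include <vector>
enum class Initiator { kBrowser, kRenderer };
struct Request {
  std::string url;
  Initiator initiator;
  bool is_navigation;  // frame navigation rather than a background fetch
  bool from_webui;     // issued by a WebUI page
};
// Constructed stand-in for a hand-maintained list of protected URL prefixes.
const std::vector<std::string> kProtectedPrefixes = {"https://store.example/"};
// Per-URL model: hide only requests whose URL matches the list.
bool HiddenByUrlList(const Request& r) {
  for (const std::string& p : kProtectedPrefixes)
    if (r.url.compare(0, p.size(), p) == 0) return true;
  return false;
}

// Commit-message rule: hide WebUI requests and browser-initiated non-navigations.
bool HiddenByInitiator(const Request& r) {
  return r.from_webui || (r.initiator == Initiator::kBrowser && !r.is_navigation);
}

// Constructed sample traffic; the first two URLs are quoted in the report.
std::vector<Request> SampleRequests() {
  return {
      {"https://update.googleapis.com/service/update2", Initiator::kBrowser, false, false},
      {"https://www.googleapis.com/chromewebstore/v1.1/items/verify", Initiator::kBrowser, false, false},
      {"https://store.example/detail", Initiator::kBrowser, false, false},
      {"https://site.example/", Initiator::kBrowser, true, false},
      {"https://site.example/app.js", Initiator::kRenderer, false, false},
      {"https://site.example/api", Initiator::kRenderer, false, true},
  };
}

// URLs an extension's listener would still observe under the given policy.
std::vector<std::string> VisibleUnder(bool (*hidden)(const Request&)) {
  std::vector<std::string> out;
  for (const Request& r : SampleRequests())
    if (!hidden(r)) out.push_back(r.url);
  return out;
}

int main() {
  for (const auto& u : VisibleUnder(HiddenByUrlList)) std::cout << "url-list: " << u << "\n";
  for (const auto& u : VisibleUnder(HiddenByInitiator)) std::cout << "initiator: " << u << "\n";
}
```

Under the list model the component updater and install-verification requests remain visible to a listener because nobody added them to the list; under the initiator rule only the browser-initiated navigation and the ordinary page subresource remain visible.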

Project Member

Comment 12 by bugdroid1@chromium.org, Oct 4

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/aed2f80ffd9053837f90100cf999b64af72b90e4

commit aed2f80ffd9053837f90100cf999b64af72b90e4
Author: Karan Bhatia <karandeepb@chromium.org>
Date: Thu Oct 04 21:23:20 2018

Extensions: Merge similar web request permission tests.

This CL moves most of the test code in
ExtensionWebRequestHelpersTestWithThreadsTest.TestHideRequestForURL in the
chrome/ layer to a similar test in the extensions/ layer, thereby de-duplicating
code.

BUG= 884932 

Change-Id: Ic7b3907e1a87e20959839461559f881ffabaed2c
Reviewed-on: https://chromium-review.googlesource.com/c/1260493
Commit-Queue: Karan Bhatia <karandeepb@chromium.org>
Reviewed-by: Devlin <rdevlin.cronin@chromium.org>
Cr-Commit-Position: refs/heads/master@{#596855}
[modify] https://crrev.com/aed2f80ffd9053837f90100cf999b64af72b90e4/chrome/browser/extensions/api/web_request/web_request_permissions_unittest.cc
[modify] https://crrev.com/aed2f80ffd9053837f90100cf999b64af72b90e4/extensions/browser/api/web_request/web_request_permissions_unittest.cc

Status: Fixed (was: Started)
Project Member

Comment 14 by sheriffbot@chromium.org, Oct 5

Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify
Labels: -M-70 M-71
Labels: Release-0-M71
Project Member

Comment 17 by sheriffbot@chromium.org, Jan 11

Labels: -Restrict-View-SecurityNotify allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
