Joshua Pawlicki authored
Background: there are two extension updaters in Chrome: the update_client updater (new) and the extension_downloader client (old). Prior to this change, changing the extension updater URL would effectively disable the update_client-based updater and the extension_downloader client would take over. This makes it impossible to use the update_client updater with non-prod or local copies of CWS.

A user/attacker with control over Chrome's command line can redirect the extension update check to a server of their choice. Furthermore, CUP is disabled for this transaction (because the target server presumably does not have the pinned CUP private key). This is not expected to have any tangible security impact, because:

1 - Prior to this change, the extension_downloader updater would still redirect the request, and extension_downloader doesn't use CUP anyways.
2 - Activating this feature requires attacker presence on-disk or a confused user.
3 - A MITM attacker must also compromise TLS to subvert the update check.
4 - The updater will still only accept properly-signed CRX files as update payloads, even if an attack establishes control of the update check.

Bug: 1077122
Fixed: 1077122
Change-Id: I4a9169f2741900906bfa63da40196aa0f887e70a
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2180862
Commit-Queue: Joshua Pawlicki <waffles@chromium.org>
Reviewed-by: Sergey Poromov <poromov@chromium.org>
Reviewed-by: Sorin Jianu <sorin@chromium.org>
Reviewed-by: Devlin <rdevlin.cronin@chromium.org>
Reviewed-by: Will Harris <wfh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#776102}
9e6d2f82