Block top-level navigations to nested URLs with extension origins from non-extension processes.

Before this CL, it was possible for a web iframe with an unblessed extension frame to exploit the renderer, create a blob: or filesystem: URL in the extension frame context, then create a new top-level window and navigate it to that URL, which could end up putting the new window into a privileged extension process running attacker's code. BUG=645028 Review-Url: https://codereview.chromium.org/2345473003 Cr-Commit-Position: refs/heads/master@{#419019}

Block top-level navigations to nested URLs with extension origins from non-extension processes.
Before this CL, it was possible for a web iframe with an unblessed extension frame to exploit the renderer, create a blob: or filesystem: URL in the extension frame context, then create a new top-level window and navigate it to that URL, which could end up putting the new window into a privileged extension process running attacker's code. BUG=645028 Review-Url: https://codereview.chromium.org/2345473003 Cr-Commit-Position: refs/heads/master@{#419019}
4bfdc929 · alexmos · Commit bot · 6043c56e · 4bfdc929 · 4bfdc929
Commit 4bfdc929 authored Sep 15, 2016 by alexmos Committed by Commit bot Sep 15, 2016
2 changed files
--- a/chrome/browser/extensions/process_manager_browsertest.cc
+++ b/chrome/browser/extensions/process_manager_browsertest.cc
@@ -16,6 +16,7 @@
 #include "chrome/browser/extensions/test_extension_dir.h"
 #include "chrome/browser/ui/tabs/tab_strip_model.h"
 #include "chrome/common/extensions/extension_process_policy.h"
+#include "chrome/common/pref_names.h"
 #include "chrome/test/base/in_process_browser_test.h"
 #include "chrome/test/base/ui_test_utils.h"
 #include "content/public/browser/notification_service.h"
@@ -23,6 +24,7 @@
 #include "content/public/browser/render_process_host.h"
 #include "content/public/browser/web_contents.h"
 #include "content/public/test/browser_test_utils.h"
+#include "content/public/test/test_navigation_observer.h"
 #include "content/public/test/test_utils.h"
 #include "extensions/browser/process_manager.h"
 #include "extensions/common/value_builder.h"
@@ -40,6 +42,52 @@ void AddFrameToSet(std::set<content::RenderFrameHost*>* frames,
    frames->insert(rfh);
 }
+GURL CreateBlobURL(content::RenderFrameHost* frame,
+                   const std::string& content) {
+  std::string blob_url_string;
+  EXPECT_TRUE(ExecuteScriptAndExtractString(
+      frame,
+      "var blob = new Blob(['<html><body>" + content + "</body></html>'],\n"
+      "                    {type: 'text/html'});\n"
+      "domAutomationController.send(URL.createObjectURL(blob));\n",
+      &blob_url_string));
+  GURL blob_url(blob_url_string);
+  EXPECT_TRUE(blob_url.is_valid());
+  EXPECT_TRUE(blob_url.SchemeIsBlob());
+  return blob_url;
+}
+GURL CreateFileSystemURL(content::RenderFrameHost* frame,
+                         const std::string& content) {
+  std::string filesystem_url_string;
+  EXPECT_TRUE(ExecuteScriptAndExtractString(
+      frame,
+      "var blob = new Blob(['<html><body>" + content + "</body></html>'],\n"
+      "                    {type: 'text/html'});\n"
+      "window.webkitRequestFileSystem(TEMPORARY, blob.size, fs => {\n"
+      "  fs.root.getFile('foo.html', {create: true}, file => {\n"
+      "    file.createWriter(writer => {\n"
+      "      writer.write(blob);\n"
+      "      writer.onwriteend = () => {\n"
+      "        domAutomationController.send(file.toURL());\n"
+      "      }\n"
+      "    });\n"
+      "  });\n"
+      "});\n",
+      &filesystem_url_string));
+  GURL filesystem_url(filesystem_url_string);
+  EXPECT_TRUE(filesystem_url.is_valid());
+  EXPECT_TRUE(filesystem_url.SchemeIsFileSystem());
+  return filesystem_url;
+}
+std::string GetTextContent(content::RenderFrameHost* frame) {
+  std::string result;
+  EXPECT_TRUE(ExecuteScriptAndExtractString(
+      frame, "domAutomationController.send(document.body.innerText)", &result));
+  return result;
+}
 }  // namespace
 // Takes a snapshot of all frames upon construction. When Wait() is called, a
@@ -164,6 +212,20 @@ class ProcessManagerBrowserTest : public ExtensionBrowserTest {
               : if_disabled;
  }
+  content::WebContents* OpenPopup(content::RenderFrameHost* opener,
+                                  const GURL& url) {
+    content::WindowedNotificationObserver popup_observer(
+        chrome::NOTIFICATION_TAB_ADDED,
+        content::NotificationService::AllSources());
+    EXPECT_TRUE(ExecuteScript(opener, "window.open('" + url.spec() + "')"));
+    popup_observer.Wait();
+    content::WebContents* popup =
+        browser()->tab_strip_model()->GetActiveWebContents();
+    WaitForLoadStop(popup);
+    EXPECT_EQ(url, popup->GetMainFrame()->GetLastCommittedURL());
+    return popup;
+  }
 private:
  std::vector<std::unique_ptr<TestExtensionDir>> temp_dirs_;
 };
@@ -575,4 +637,163 @@ IN_PROC_BROWSER_TEST_F(ProcessManagerBrowserTest, ExtensionProcessReuse) {
  }
 }
+// Test that navigations to blob: and filesystem: URLs with extension origins
+// are disallowed when initiated from non-extension processes.  See
+// https://crbug.com/645028 and https://crbug.com/644426.
+IN_PROC_BROWSER_TEST_F(ProcessManagerBrowserTest,
+                       NestedURLNavigationsToExtensionBlocked) {
+  // Disabling web security is necessary to test the browser enforcement;
+  // without it, the loads in this test would be blocked by
+  // SecurityOrigin::canDisplay() as invalid local resource loads.
+  PrefService* prefs = browser()->profile()->GetPrefs();
+  prefs->SetBoolean(prefs::kWebKitWebSecurityEnabled, false);
+  // Create a simple extension without a background page.
+  const Extension* extension = CreateExtension("Extension", false);
+  embedded_test_server()->ServeFilesFromDirectory(extension->path());
+  ASSERT_TRUE(embedded_test_server()->Start());
+  // Navigate main tab to a web page with two web iframes.  There should be no
+  // extension frames yet.
+  NavigateToURL(embedded_test_server()->GetURL("/two_iframes.html"));
+  ProcessManager* pm = ProcessManager::Get(profile());
+  EXPECT_EQ(0u, pm->GetAllFrames().size());
+  EXPECT_EQ(0u, pm->GetRenderFrameHostsForExtension(extension->id()).size());
+  content::WebContents* tab =
+      browser()->tab_strip_model()->GetActiveWebContents();
+  // Navigate first subframe to an extension URL. With --isolate-extensions,
+  // this will go into a new extension process.
+  const GURL extension_url(extension->url().Resolve("empty.html"));
+  EXPECT_TRUE(content::NavigateIframeToURL(tab, "frame1", extension_url));
+  EXPECT_EQ(IfExtensionsIsolated(1, 0),
+            pm->GetRenderFrameHostsForExtension(extension->id()).size());
+  EXPECT_EQ(IfExtensionsIsolated(1, 0), pm->GetAllFrames().size());
+  content::RenderFrameHost* main_frame = tab->GetMainFrame();
+  content::RenderFrameHost* extension_frame = ChildFrameAt(main_frame, 0);
+  // Open a new about:blank popup from main frame.  This should stay in the web
+  // process.
+  content::WebContents* popup =
+      OpenPopup(main_frame, GURL(url::kAboutBlankURL));
+  EXPECT_NE(popup, tab);
+  ASSERT_EQ(2, browser()->tab_strip_model()->count());
+  EXPECT_EQ(IfExtensionsIsolated(1, 0),
+            pm->GetRenderFrameHostsForExtension(extension->id()).size());
+  EXPECT_EQ(IfExtensionsIsolated(1, 0), pm->GetAllFrames().size());
+  // Create valid blob and filesystem URLs in the extension's origin.
+  url::Origin extension_origin(extension_frame->GetLastCommittedOrigin());
+  GURL blob_url(CreateBlobURL(extension_frame, "foo"));
+  EXPECT_EQ(extension_origin, url::Origin(blob_url));
+  GURL filesystem_url(CreateFileSystemURL(extension_frame, "foo"));
+  EXPECT_EQ(extension_origin, url::Origin(filesystem_url));
+  // Navigate the popup to each nested URL with extension origin.
+  GURL nested_urls[] = {blob_url, filesystem_url};
+  for (size_t i = 0; i < arraysize(nested_urls); i++) {
+    content::TestNavigationObserver observer(popup);
+    EXPECT_TRUE(ExecuteScript(
+        popup, "location.href = '" + nested_urls[i].spec() + "';"));
+    observer.Wait();
+    // This is a top-level navigation that should be blocked since it
+    // originates from a non-extension process.  Ensure that the error page
+    // doesn't commit an extension URL or origin.
+    EXPECT_NE(nested_urls[i], popup->GetLastCommittedURL());
+    EXPECT_FALSE(extension_origin.IsSameOriginWith(
+        popup->GetMainFrame()->GetLastCommittedOrigin()));
+    EXPECT_NE("foo", GetTextContent(popup->GetMainFrame()));
+    EXPECT_EQ(IfExtensionsIsolated(1, 0),
+              pm->GetRenderFrameHostsForExtension(extension->id()).size());
+    EXPECT_EQ(IfExtensionsIsolated(1, 0), pm->GetAllFrames().size());
+  }
+  // Navigate second subframe to each nested URL from the main frame (i.e.,
+  // from non-extension process).
+  //
+  // TODO(alexmos): Currently, this is still allowed due to unblessed extension
+  // contexts, but in the future such subframe navigations from non-extension
+  // processes should be blocked when unblessed contexts go away with
+  // --isolate-extensions.
+  for (size_t i = 0; i < arraysize(nested_urls); i++) {
+    EXPECT_TRUE(content::NavigateIframeToURL(tab, "frame2", nested_urls[i]));
+    content::RenderFrameHost* second_frame = ChildFrameAt(main_frame, 1);
+    EXPECT_EQ(nested_urls[i], second_frame->GetLastCommittedURL());
+    EXPECT_EQ(extension_origin, second_frame->GetLastCommittedOrigin());
+    EXPECT_EQ("foo", GetTextContent(second_frame));
+    EXPECT_EQ(IfExtensionsIsolated(2, 0),
+              pm->GetRenderFrameHostsForExtension(extension->id()).size());
+    EXPECT_EQ(IfExtensionsIsolated(2, 0), pm->GetAllFrames().size());
+  }
+}
+// Test that navigations to blob: and filesystem: URLs with extension origins
+// are allowed when initiated from extension processes.  See
+// https://crbug.com/645028 and https://crbug.com/644426.
+IN_PROC_BROWSER_TEST_F(ProcessManagerBrowserTest,
+                       NestedURLNavigationsToExtensionAllowed) {
+  // Create a simple extension without a background page.
+  const Extension* extension = CreateExtension("Extension", false);
+  embedded_test_server()->ServeFilesFromDirectory(extension->path());
+  ASSERT_TRUE(embedded_test_server()->Start());
+  // Navigate main tab to an extension URL with a blank subframe.
+  const GURL extension_url(extension->url().Resolve("blank_iframe.html"));
+  NavigateToURL(extension_url);
+  ProcessManager* pm = ProcessManager::Get(profile());
+  EXPECT_EQ(2u, pm->GetAllFrames().size());
+  EXPECT_EQ(2u, pm->GetRenderFrameHostsForExtension(extension->id()).size());
+  content::WebContents* tab =
+      browser()->tab_strip_model()->GetActiveWebContents();
+  content::RenderFrameHost* main_frame = tab->GetMainFrame();
+  // Create blob and filesystem URLs in the extension's origin.
+  url::Origin extension_origin(main_frame->GetLastCommittedOrigin());
+  GURL blob_url(CreateBlobURL(main_frame, "foo"));
+  EXPECT_EQ(extension_origin, url::Origin(blob_url));
+  GURL filesystem_url(CreateFileSystemURL(main_frame, "foo"));
+  EXPECT_EQ(extension_origin, url::Origin(filesystem_url));
+  // From the main frame, navigate its subframe to each nested URL.  This
+  // should be allowed and should stay in the extension process.
+  GURL nested_urls[] = {blob_url, filesystem_url};
+  for (size_t i = 0; i < arraysize(nested_urls); i++) {
+    EXPECT_TRUE(content::NavigateIframeToURL(tab, "frame0", nested_urls[i]));
+    content::RenderFrameHost* child = ChildFrameAt(main_frame, 0);
+    EXPECT_EQ(nested_urls[i], child->GetLastCommittedURL());
+    EXPECT_EQ(extension_origin, child->GetLastCommittedOrigin());
+    EXPECT_EQ("foo", GetTextContent(child));
+    EXPECT_EQ(2u, pm->GetRenderFrameHostsForExtension(extension->id()).size());
+    EXPECT_EQ(2u, pm->GetAllFrames().size());
+  }
+  // From the main frame, create a blank popup and navigate it to each nested
+  // URL. This should also be allowed, since the navigation originated from an
+  // extension process.
+  for (size_t i = 0; i < arraysize(nested_urls); i++) {
+    content::WebContents* popup =
+        OpenPopup(main_frame, GURL(url::kAboutBlankURL));
+    EXPECT_NE(popup, tab);
+    content::TestNavigationObserver observer(popup);
+    EXPECT_TRUE(ExecuteScript(
+        popup, "location.href = '" + nested_urls[i].spec() + "';"));
+    observer.Wait();
+    EXPECT_EQ(nested_urls[i], popup->GetLastCommittedURL());
+    EXPECT_EQ(extension_origin,
+              popup->GetMainFrame()->GetLastCommittedOrigin());
+    EXPECT_EQ("foo", GetTextContent(popup->GetMainFrame()));
+    EXPECT_EQ(3 + i,
+              pm->GetRenderFrameHostsForExtension(extension->id()).size());
+    EXPECT_EQ(3 + i, pm->GetAllFrames().size());
+  }
+}
 }  // namespace extensions
--- a/chrome/browser/net/chrome_extensions_network_delegate.cc
+++ b/chrome/browser/net/chrome_extensions_network_delegate.cc
@@ -20,6 +20,7 @@
 #include "extensions/browser/api/web_request/web_request_api.h"
 #include "extensions/browser/info_map.h"
 #include "extensions/browser/process_manager.h"
+#include "extensions/common/constants.h"
 #include "net/url_request/url_request.h"
 using content::BrowserThread;
@@ -159,6 +160,21 @@ int ChromeExtensionsNetworkDelegateImpl::OnBeforeURLRequest(
    net::URLRequest* request,
    const net::CompletionCallback& callback,
    GURL* new_url) {
+  const content::ResourceRequestInfo* info =
+      content::ResourceRequestInfo::ForRequest(request);
+  GURL url(request->url());
+  // Block top-level navigations to blob: or filesystem: URLs with extension
+  // origin from non-extension processes.  See https://crbug.com/645028.
+  bool is_nested_url = url.SchemeIsFileSystem() || url.SchemeIsBlob();
+  bool is_navigation =
+      info && content::IsResourceTypeFrame(info->GetResourceType());
+  if (is_nested_url && is_navigation && info->IsMainFrame() &&
+      url::Origin(url).scheme() == extensions::kExtensionScheme &&
+      !extension_info_map_->process_map().Contains(info->GetChildID())) {
+    return net::ERR_ABORTED;
+  }
  return ExtensionWebRequestEventRouter::GetInstance()->OnBeforeRequest(
      profile_, extension_info_map_.get(), request, callback, new_url);
 }