Enable NativeIO for potentially trustworthy origins

At the moment NativeIO can only be used from origins that use HTTPS or are served locally, but all potentially trustworthy origins (especially Chrome extensions) should have access to it. Relying on this centrally managed definition also has the advantage that, as our view of trustworthiness changes, so does NativeIO's behavior. Also add a web platform test that confirms that NativeIO is not accessible from untrustworthy origins. Bug: 914488 Change-Id: I925a4bf39912c9747c006b1f80bc06a8ec606b23 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2353452 Commit-Queue: Emanuel Krivoy <krivoy@google.com> Reviewed-by: Mike West <mkwst@chromium.org> Cr-Commit-Position: refs/heads/master@{#806167}

Enable NativeIO for potentially trustworthy origins
At the moment NativeIO can only be used from origins that use HTTPS or are served locally, but all potentially trustworthy origins (especially Chrome extensions) should have access to it. Relying on this centrally managed definition also has the advantage that, as our view of trustworthiness changes, so does NativeIO's behavior. Also add a web platform test that confirms that NativeIO is not accessible from untrustworthy origins. Bug: 914488 Change-Id: I925a4bf39912c9747c006b1f80bc06a8ec606b23 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2353452 Commit-Queue: Emanuel Krivoy <krivoy@google.com> Reviewed-by: Mike West <mkwst@chromium.org> Cr-Commit-Position: refs/heads/master@{#806167}
4f09781b · Emanuel Krivoy · Commit Bot · a00b308b · 4f09781b · 4f09781b
Commit 4f09781b authored Sep 11, 2020 by Emanuel Krivoy Committed by Commit Bot Sep 11, 2020
3 changed files
--- a/content/browser/native_io/native_io_context.cc
+++ b/content/browser/native_io/native_io_context.cc
@@ -10,6 +10,7 @@
 #include "base/files/file_path.h"
 #include "content/browser/native_io/native_io_host.h"
 #include "mojo/public/cpp/bindings/pending_receiver.h"
+#include "services/network/public/cpp/is_potentially_trustworthy.h"
 #include "storage/common/database/database_identifier.h"
 #include "third_party/blink/public/mojom/native_io/native_io.mojom.h"
 #include "url/origin.h"
@@ -44,6 +45,15 @@ void NativeIOContext::BindReceiver(

  auto it = hosts_.find(origin);
  if (it == hosts_.end()) {
+    // This feature should only be exposed to potentially trustworthy origins
+    // (https://w3c.github.io/webappsec-secure-contexts/#is-origin-trustworthy).
+    // Notably this includes the https and chrome-extension schemes, among
+    // others.
+    if (!network::IsOriginPotentiallyTrustworthy(origin)) {
+      mojo::ReportBadMessage("Called NativeIO from an insecure context");
+      return;
+    }
+
    base::FilePath origin_root_path = RootPathForOrigin(origin);
    if (origin_root_path.empty()) {
      // NativeIO is not supported for the origin.
@@ -79,15 +89,6 @@ base::FilePath NativeIOContext::RootPathForOrigin(const url::Origin& origin) {
  if (root_path_.empty())
    return root_path_;

-  // This feature is only exposed to secure origins. This typically means https.
-  // The most notable exception is http://localhost. Command-line flags may
-  // cause other http origins to be considered secure.
-  //
-  // TODO(pwnall): Get consensus on the schemes we want to support. For example,
-  //               maybe chrome-extension:// should get access as well?
-  if (!origin.GetURL().SchemeIsHTTPOrHTTPS())
-    return base::FilePath();
-
  std::string origin_identifier = storage::GetIdentifierFromOrigin(origin);
  base::FilePath origin_path = root_path_.AppendASCII(origin_identifier);
  DCHECK(root_path_.IsParent(origin_path));

--- a/content/browser/native_io/native_io_context_unittest.cc
+++ b/content/browser/native_io/native_io_context_unittest.cc
@@ -12,6 +12,7 @@
 #include "base/test/task_environment.h"
 #include "base/threading/thread.h"
 #include "content/browser/native_io/native_io_context.h"
+#include "content/test/fake_mojo_message_dispatch_context.h"
 #include "mojo/public/cpp/bindings/pending_receiver.h"
 #include "mojo/public/cpp/bindings/remote.h"
 #include "mojo/public/cpp/test_support/test_utils.h"
@@ -381,6 +382,18 @@ TEST_F(NativeIOContextTest, OriginIsolation) {
  EXPECT_EQ(0, same_file.Read(0, read_buffer, kTestData.size()));
 }

+TEST_F(NativeIOContextTest, BindReceiver_UntrustworthyOrigin) {
+  mojo::Remote<blink::mojom::NativeIOHost> insecure_host_remote_;
+
+  // Create a fake dispatch context to trigger a bad message in.
+  FakeMojoMessageDispatchContext fake_dispatch_context;
+  mojo::test::BadMessageObserver bad_message_observer;
+  context_->BindReceiver(url::Origin::Create(GURL("http://insecure.com")),
+                         insecure_host_remote_.BindNewPipeAndPassReceiver());
+  EXPECT_EQ("Called NativeIO from an insecure context",
+            bad_message_observer.WaitForBadMessage());
+}
+
 }  // namespace

 }  // namespace content
--- a/third_party/blink/web_tests/external/wpt/native-io/trustworthy_origin_failure.tentative.http.any.js
+++ b/third_party/blink/web_tests/external/wpt/native-io/trustworthy_origin_failure.tentative.http.any.js
+// META: title=NativeIO API: Interface is not exposed in untrustworthy origin.
+// META: global=window,dedicatedworker
+
+'use strict';
+
+test(testCase => {
+  var present = (typeof nativeIO !== 'undefined');
+  assert_false(present);
+}, 'NativeIO should not be accessible from an untrustworthy origin');