Additional IPC security documentation.

Talk about the special powers of WebUI renderers, and not-yet-shipped features. Bug: 789374 Change-Id: I94e76ee58aec2ac0e5c8ca65cbf810e83f6c17e3 Reviewed-on: https://chromium-review.googlesource.com/798393Reviewed-by: Daniel Cheng <dcheng@chromium.org> Reviewed-by: Tom Sepez <tsepez@chromium.org> Cr-Commit-Position: refs/heads/master@{#521449}

Additional IPC security documentation.
Talk about the special powers of WebUI renderers, and not-yet-shipped features. Bug: 789374 Change-Id: I94e76ee58aec2ac0e5c8ca65cbf810e83f6c17e3 Reviewed-on: https://chromium-review.googlesource.com/798393Reviewed-by: Daniel Cheng <dcheng@chromium.org> Reviewed-by: Tom Sepez <tsepez@chromium.org> Cr-Commit-Position: refs/heads/master@{#521449}
76482e61 · Chris Palmer · 6e8fd3ec · 76482e61
Commit 76482e61 authored Dec 04, 2017 by Chris Palmer
Hide whitespace changes
Inline Side-by-side

Showing with 27 additions and 0 deletions

docs/security/mojo.md docs/security/mojo.md +27 -0

No files found.
--- a/docs/security/mojo.md
+++ b/docs/security/mojo.md
@@ -554,5 +554,32 @@ interface is used relatively frequently, connecting once and reusing the
 interface pointer is probably a good idea.


+## Ensure An Explicit Grant For WebUI Bindings
+
+WebUI renderers sometimes need to call special, powerful IPC endpoints in a
+privileged process. It is important to enforce the constraint that the
+privileged callee previously created and blessed the calling process as a WebUI
+process, and not as a (potentially compromised) web renderer or other
+low-privilege process.
+
+* Use the standard pattern for instantiating `MojoWebUIController`. WebUI
+methods must only be exposed through a `MojoWebUIController` subclass.
+* If there is external functionality that the WebUI needs, make sure to route
+it through the Mojo interfaces implemented by the `MojoWebUIController`, to
+avoid circumventing access checks.
+
+
+## Not-Yet-Shipped Features Should Be Feature-Checked On The Privileged Side
+
+Sometimes, there will be powerful new features that are not yet turned on by
+default, such as behind a flag, Finch trial, or [origin
+trial](https://www.chromium.org/blink/origin-trials). It is not safe to check
+for the feature's availability on the renderer side (or in another low-privilege
+process type). Instead, ensure that the check is done in the process that has
+power to actually enact the feature. Otherwise, a compromised renderer could opt
+itself in to the feature! If the feature might not yet be fully developed and
+safe, vulnerabilities could arise.
+
+
 [security-tips-for-ipc]: https://www.chromium.org/Home/chromium-security/education/security-tips-for-ipc
 [NfcTypeConverter.java]: https://chromium.googlesource.com/chromium/src/+/e97442ee6e8c4cf6bcf7f5623c6fb2cc8cce92ac/services/device/nfc/android/java/src/org/chromium/device/nfc/NfcTypeConverter.java