Highlight that content scripts need to be treated as less trustworthy.

Bug: 983618
Change-Id: I261a25a8dcf43dc7174d36800cee3766b9423f39
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1700290
Commit-Queue: Łukasz Anforowicz <lukasza@chromium.org>
Reviewed-by: Charlie Reis <creis@chromium.org>
Reviewed-by: Devlin <rdevlin.cronin@chromium.org>
Auto-Submit: Łukasz Anforowicz <lukasza@chromium.org>
Cr-Commit-Position: refs/heads/master@{#678334}

chrome/common/extensions/docs/templates/articles/messaging.html

@@ -280,7 +280,7 @@ example:
 <p>
 This will expose the messaging API to any page which matches the URL patterns
 you specify. The URL pattern must contain at least a
-<a href="http://en.wikipedia.org/wiki/Second-level_domain">second-level domain</a>
+<a href="https://en.wikipedia.org/wiki/Second-level_domain">second-level domain</a>
 - that is, hostname
 patterns like "*", "*.com", "*.co.uk", and "*.appspot.com" are prohibited.
 From the web page, use the
@@ -334,12 +334,32 @@ To learn more about this feature, see <a href="nativeMessaging">Native messaging
 
 <h2 id="security-considerations">Security considerations</h2>
 
+<h3 id="content-scripts-are-less-trustworthy">
+  Content scripts are less trustworthy
+</h3>
+
+<p>
+<a href="security#content_scripts">Content scripts are less trustworthy</a>
+than the extension background page (e.g., a malicious web page might be able
+to compromise the renderer process where the content scripts run).
+Assume that messages from a content script might have been crafted by an
+attacker and make sure to
+<a href="security#sanitize">validate and sanitize all input</a>.
+Assume any data sent to the content script might leak to the web page.
+Limit the scope of privileged actions that can be triggered by
+messages received from content scripts.
+</p>
+
+<h3 id="cross-site-scripting">Cross-site scripting</h3>
+
 <p>
 When receiving a message from a content script or another extension, your
-background page should be careful not to fall victim to <a
-href="http://en.wikipedia.org/wiki/Cross-site_scripting">cross-site
-scripting</a>.  Specifically, avoid using dangerous APIs such as the
-below:
+scripts should be careful not to fall victim to <a
+href="https://en.wikipedia.org/wiki/Cross-site_scripting">cross-site
+scripting</a>.  This advice applies to scripts running inside the extension
+background page as well as to content scripts running inside other web origins.
+
+Specifically, avoid using dangerous APIs such as the ones below:
 </p>
 <pre data-filename="background.js">
 chrome.tabs.sendMessage(tab.id, {greeting: "hello"}, function(response) {

chrome/common/extensions/docs/templates/articles/security.html

@@ -221,16 +221,53 @@
 <h2 id="content_scripts">Use Content Scripts Carefully</h2>
 <p>
   While <a href="/content_scripts">content scripts</a> live in an
-  <a href="/content_scripts#execution-environment">isolated world</a>,
-  they are not immune from attacks.
-  Content scripts are the only part of an extension
-  that interacts directly with the web page.
-  Because of this,
-  hostile websites may manipulate parts of the DOM the content script depends on,
-  or exploit surprising web standard behavior, such as
+  <a href="/content_scripts#isolated_world">isolated world</a>,
+  they are not immune from attacks:
+  <ul>
+    <li>
+      Content scripts are the only part of an extension that interacts
+      directly with the web page.  Because of this, hostile web pages may
+      manipulate parts of the DOM the content script depends on, or exploit
+      surprising web standard behavior, such as
       <a href="https://html.spec.whatwg.org/#dom-window-nameditem">named items</a>.
+    </li><li>
+      To interact with DOM of web pages, content scripts need to execute in
+      the same renderer process as the web page.  This makes content scripts
+      vulnerable to leaking data via side channel attacks (e.g.,
+      <a href="https://spectreattack.com/">Spectre</a>),
+      and to being taken over by an attacker if a malicious web page
+      compromises the renderer process.
+    </li>
+  </ul>
+</p><p>
   Sensitive work should be performed in a dedicated process,
-  such as the extension's <a href="/background_page">background script</a>.
+  such as the extension's <a href="/background_pages">background script</a>.
+  Avoid accidentally exposing extension privileges to content scripts:
+  <ul>
+    <li>
+      Assume that
+      <a href="/messaging#content-scripts-are-less-trustworthy"
+        >messages from a content script</a>
+      might have been crafted by an attacker (e.g.
+      <a href="#sanitize">validate and sanitize</a>
+      all input and protect your scripts from
+      <a href="/messaging#cross-site-scripting">cross-site scripting</a>).
+    </li><li>
+      Assume any data sent to the content script might leak to the web page.
+      Do not send sensitive data (e.g. secrets from the extension, data from
+      other web origins, browsing history) to content scripts.
+    </li><li>
+      Limit the scope of privileged actions that can be triggered
+      by content scripts.  Do not allow content scripts to
+      <a href="/xhr#xhr-vs-content-scripts"
+           >trigger requests to arbitrary URLs</a>
+      or pass arbitrary arguments to extension APIs (e.g., do not
+      allow passing arbitrary URLs to
+      <a href="https://developer.mozilla.org/en-US/docs/Web/API/Fetch_API"
+        ><code>fetch</code></a> or
+      <a href="/tabs#method-create"><code>chrome.tabs.create</code></a> API).
+    </li>
+  </ul>
 </p>
 <h2 id="sanitize">Register and Sanitize Inputs</h2>
 <p>
@@ -269,7 +306,7 @@
   });
 </pre>
 <p>
-  Prevent an extension from executing an attackers script by
+  Prevent an extension from executing an attacker's script by
   sanitizing user inputs and incoming data,
   even from the extension itself and approved sources.
   <a href="/security#avoid">Avoid executable APIs</a>.

chrome/common/extensions/docs/templates/articles/xhr.html

@@ -150,9 +150,10 @@ xhr.send();
 
 <p>
 When performing cross-origin requests on behalf of a content script, be careful
-to guard against a malicious webpage that might try to impersonate a content
-script.  In particular, do not allow content scripts to request an arbitrary
-URL.
+to <a href="security#content_scripts"
+  >guard against malicious web pages</a> that might try to impersonate a
+content script.  In particular, do not allow content scripts to request an
+arbitrary URL.
 </p>
 
 <p>
@@ -166,7 +167,7 @@ fetched by the background page.
 chrome.runtime.onMessage.addListener(
     function(request, sender, sendResponse) {
       if (request.contentScriptQuery == 'fetchUrl') {
-        // WARNING: SECURITY PROBLEM - a malicious webpage may abuse
+        // WARNING: SECURITY PROBLEM - a malicious web page may abuse
         // the message handler to get access to arbitrary cross-origin
         // resources.
         fetch(request.url)
@@ -188,7 +189,7 @@ chrome.runtime.sendMessage(
 
 <p>
 In the approach above, the content script can ask the extension to fetch any
-URL that the extension has access to.  A malicious website may be able to forge
+URL that the extension has access to.  A malicious web page may be able to forge
 such messages and trick the extension into giving access to cross-origin
 resources.
 </p>