Direct Sockets: Prevent connections on port 443

We ensure the direct sockets API cannot be used to by-pass CORS, by causing NotAllowedError failures when web apps attempt to open direct socket connections on port 443. Not yet implemented: We should issue CORS pre-flight checks, to see if the connection attempt may be permissible. Bug: 1119601 Change-Id: Ia2179ae41072b99eda2ad4d5a8bbf41ddba252ba Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2383373Reviewed-by: Glen Robertson <glenrob@chromium.org> Commit-Queue: Eric Willigers <ericwilligers@chromium.org> Cr-Commit-Position: refs/heads/master@{#802997}

Direct Sockets: Prevent connections on port 443
We ensure the direct sockets API cannot be used to by-pass CORS, by causing NotAllowedError failures when web apps attempt to open direct socket connections on port 443. Not yet implemented: We should issue CORS pre-flight checks, to see if the connection attempt may be permissible. Bug: 1119601 Change-Id: Ia2179ae41072b99eda2ad4d5a8bbf41ddba252ba Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2383373Reviewed-by: Glen Robertson <glenrob@chromium.org> Commit-Queue: Eric Willigers <ericwilligers@chromium.org> Cr-Commit-Position: refs/heads/master@{#802997}
ab556547 · Eric Willigers · Commit Bot · 1d355440 · ab556547 · ab556547
Commit ab556547 authored Aug 31, 2020 by Eric Willigers Committed by Commit Bot Aug 31, 2020
2 changed files
--- a/content/browser/direct_sockets/direct_sockets_browsertest.cc
+++ b/content/browser/direct_sockets/direct_sockets_browsertest.cc
@@ -66,6 +66,17 @@ IN_PROC_BROWSER_TEST_F(DirectSocketsBrowserTest, OpenTcp_NotAllowedError) {
            EvalJs(shell(), script));
 }

+IN_PROC_BROWSER_TEST_F(DirectSocketsBrowserTest, OpenTcp_CannotEvadeCors) {
+  EXPECT_TRUE(NavigateToURL(shell(), GetTestPageURL()));
+
+  // HTTPS uses port 443.
+  const std::string script =
+      "openTcp({remoteAddress: '127.0.0.1', remotePort: 443})";
+
+  EXPECT_EQ("openTcp failed: NotAllowedError: Permission denied",
+            EvalJs(shell(), script));
+}
+
 IN_PROC_BROWSER_TEST_F(DirectSocketsBrowserTest, OpenUdp_Success) {
  EXPECT_TRUE(NavigateToURL(shell(), GetTestPageURL()));

@@ -91,4 +102,15 @@ IN_PROC_BROWSER_TEST_F(DirectSocketsBrowserTest, OpenUdp_NotAllowedError) {
            EvalJs(shell(), script));
 }

+IN_PROC_BROWSER_TEST_F(DirectSocketsBrowserTest, OpenUdp_CannotEvadeCors) {
+  EXPECT_TRUE(NavigateToURL(shell(), GetTestPageURL()));
+
+  // QUIC uses port 443.
+  const std::string script =
+      "openUdp({remoteAddress: '127.0.0.1', remotePort: 443})";
+
+  EXPECT_EQ("openUdp failed: NotAllowedError: Permission denied",
+            EvalJs(shell(), script));
+}
+
 }  // namespace content
--- a/content/browser/direct_sockets/direct_sockets_service_impl.cc
+++ b/content/browser/direct_sockets/direct_sockets_service_impl.cc
@@ -100,7 +100,11 @@ net::Error DirectSocketsServiceImpl::EnsurePermission(
  // TODO(crbug.com/1119659): Check permissions policy.
  // TODO(crbug.com/1119600): Check for transient activation.
  // TODO(crbug.com/1119600): Implement rate limiting.
-  // TODO(crbug.com/1119601): Check CORS iff requested port is HTTPS.
+
+  if (options.remote_port == 443) {
+    // TODO(crbug.com/1119601): Issue a CORS preflight request.
+    return net::ERR_UNSAFE_PORT;
+  }

  // EnsurePermission() will need to become asynchronous:
  // TODO(crbug.com/1119597): Show consent dialog