Advice about using CanAccessDataForOrigin and terminating renderers

Bug: 919144, 925035, 910287, 915721, 915721 Change-Id: Ie25c906e1f558ae805b82867d79b0d26eba89cb4 Reviewed-on: https://chromium-review.googlesource.com/c/1435915 Commit-Queue: Łukasz Anforowicz <lukasza@chromium.org> Reviewed-by: Chris Palmer <palmer@chromium.org> Reviewed-by: Nasko Oskov <nasko@chromium.org> Cr-Commit-Position: refs/heads/master@{#626140}

Advice about using CanAccessDataForOrigin and terminating renderers
Bug: 919144, 925035, 910287, 915721, 915721 Change-Id: Ie25c906e1f558ae805b82867d79b0d26eba89cb4 Reviewed-on: https://chromium-review.googlesource.com/c/1435915 Commit-Queue: Łukasz Anforowicz <lukasza@chromium.org> Reviewed-by: Chris Palmer <palmer@chromium.org> Reviewed-by: Nasko Oskov <nasko@chromium.org> Cr-Commit-Position: refs/heads/master@{#626140}
bb99a856 · Lukasz Anforowicz · Commit Bot · 81181802 · bb99a856
Commit bb99a856 authored Jan 25, 2019 by Lukasz Anforowicz Committed by Commit Bot Jan 25, 2019
Hide whitespace changes
Inline Side-by-side

Showing with 22 additions and 1 deletion

docs/security/mojo.md docs/security/mojo.md +22 -1

No files found.
--- a/docs/security/mojo.md
+++ b/docs/security/mojo.md
@@ -192,6 +192,27 @@ the browser process to:
 > performs the appropriate sanitizations and recommend its usage directly here.
+### Validate privilege-presuming data received over IPC
+If it is not possible to avoid sending privilege-presuming data over IPC (see
+the previous section), then such data should be verified before being used.
+* Browser process:
+    - Use `ChildProcessSecurityPolicy`'s methods like
+      `CanAccessDataForOrigin` or `CanReadFile` to verify IPC messages
+      received from less privileged processes.
+    - When verification fails, ignore the IPC and terminate the renderer process
+      using `mojo::ReportBadMessage` (or using `mojo::GetBadMessageCallback` for
+      messages handled asynchronously).  For legacy IPC, the renderer process
+      may be terminated by calling the `ReceivedBadMessage` function (separate
+      implementations exist for `//content`, `//chrome` and other layers).
+* NetworkService process:
+    - Do not trust `network::ResourceRequest::request_initiator` - verify it
+      using `VerifyRequestInitiatorLock` and fall back to a fail-safe origin
+      (e.g. an opaque origin) when verification fails.
 ### Do not define unused or unimplemented things
 Mojo interfaces often cross privilege boundaries. Having well-defined interfaces
@@ -779,4 +800,4 @@ safe, vulnerabilities could arise.
 [security-tips-for-ipc]: https://www.chromium.org/Home/chromium-security/education/security-tips-for-ipc
 [NfcTypeConverter.java]: https://chromium.googlesource.com/chromium/src/+/e97442ee6e8c4cf6bcf7f5623c6fb2cc8cce92ac/services/device/nfc/android/java/src/org/chromium/device/nfc/NfcTypeConverter.java
 [mojo-doc-process-crashes]: https://chromium.googlesource.com/chromium/src/+/master/mojo/public/cpp/bindings#Best-practices-for-dealing-with-process-crashes-and-callbacks
 [serialize-struct-tm-safely]: https://chromium-review.googlesource.com/c/chromium/src/+/679441
\ No newline at end of file