
all: add trk: prefixes to possibly evil connections

Prefix URLs to Google services with trk: so that whenever something
tries to load them, the developer will be informed via printf and
dialog about this infraction.

If you see such a dialog, we know that either (a) the URL needs to be
whitelisted, or (b) the feature that triggered it needs to be disabled
by default.
jengelh committed Sep 30, 2019
1 parent f634b50 commit 0662c6379e3eae07129a01c9c006ae0cbd17d834
Showing with 80 additions and 79 deletions.
  1. +1 −1 build/mac/tweak_info_plist.py
  2. +1 −1 chrome/browser/chromeos/customization/customization_document.cc
  3. +1 −1 chrome/browser/chromeos/extensions/file_manager/private_api_drive.cc
  4. +1 −1 chrome/browser/chromeos/extensions/file_manager/private_api_misc.cc
  5. +2 −2 chrome/browser/extensions/api/cryptotoken_private/cryptotoken_private_api.cc
  6. +1 −1 chrome/browser/extensions/install_signer.cc
  7. +1 −1 chrome/browser/nacl_host/nacl_infobar_delegate.cc
  8. +1 −1 chrome/browser/profiles/profile_avatar_downloader.cc
  9. +2 −2 chrome/browser/resources/chromeos/chromevox/chromevox/background/prefs.js
  10. +3 −3 chrome/browser/resources/default_apps/external_extensions.json
  11. +2 −2 chrome/browser/safe_browsing/client_side_detection_service.cc
  12. +1 −1 chrome/browser/safe_browsing/download_protection/download_feedback.cc
  13. +1 −1 chrome/browser/spellchecker/spellcheck_hunspell_dictionary.cc
  14. +1 −1 chrome/browser/supervised_user/supervised_user_service.cc
  15. +1 −1 chrome/browser/tracing/crash_service_uploader.cc
  16. +1 −1 chrome/browser/ui/views/outdated_upgrade_bubble_view.cc
  17. +4 −4 chrome/browser/ui/webui/ntp/ntp_resource_cache.cc
  18. +2 −2 chrome/common/extensions/chrome_extensions_client.cc
  19. +1 −1 chrome/installer/setup/google_chrome_behaviors.cc
  20. +1 −1 chromecast/browser/service/cast_service_simple.cc
  21. +1 −1 chromeos/geolocation/simple_geolocation_provider.cc
  22. +4 −4 components/cloud_devices/common/cloud_devices_urls.cc
  23. +1 −1 components/crash/content/app/breakpad_linux.cc
  24. +2 −2 components/drive/service/drive_api_service.cc
  25. +1 −1 components/feedback/feedback_uploader.cc
  26. +2 −2 components/gcm_driver/gcm_account_tracker.cc
  27. +3 −3 components/history/core/browser/web_history_service.cc
  28. +1 −1 components/invalidation/impl/gcm_network_channel.cc
  29. +1 −1 components/metrics/url_constants.cc
  30. +4 −4 components/password_manager/core/browser/password_store.cc
  31. +1 −1 components/policy/core/common/policy_loader_win.cc
  32. +1 −1 components/rappor/rappor_service_impl.cc
  33. +1 −1 components/safe_search_api/safe_search/safe_search_url_checker_client.cc
  34. +1 −1 components/safe_search_api/stub_url_checker.cc
  35. +1 −0 components/translate/core/browser/translate_url_fetcher.cc
  36. +1 −1 components/translate/core/common/translate_util.cc
  37. +1 −1 components/variations/variations_url_constants.cc
  38. +1 −1 content/browser/speech/speech_recognition_engine.cc
  39. +2 −2 content/browser/webauth/authenticator_common.cc
  40. +1 −1 content/shell/browser/shell_browser_main_parts.cc
  41. +10 −10 google_apis/gaia/gaia_constants.cc
  42. +3 −3 google_apis/gcm/engine/gservices_settings.cc
  43. +1 −1 jingle/notifier/base/gaia_token_pre_xmpp_auth.cc
  44. +1 −1 remoting/base/breakpad_mac.mm
  45. +1 −1 remoting/protocol/jingle_messages.cc
  46. +1 −1 remoting/webapp/base/js/xmpp_login_handler.js
  47. +1 −1 remoting/webapp/crd/manifest.json.jinja2
  48. +1 −1 rlz/lib/lib_values.cc
  49. +1 −1 ui/views/examples/webview_example.cc
@@ -211,7 +211,7 @@ def _AddKeystoneKeys(plist, bundle_identifier):
also requires the |bundle_identifier| argument (com.example.product)."""
plist['KSVersion'] = plist['CFBundleShortVersionString']
plist['KSProductID'] = bundle_identifier
plist['KSUpdateURL'] = 'https://tools.google.com/service/update2'
plist['KSUpdateURL'] = 'trk:132:https://tools.google.com/service/update2'

_RemoveKeys(plist, 'KSChannelID')
for tag_suffix in _TagSuffixes():
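Review bot: The value written on the new `plist['KSUpdateURL'] = 'trk:132:...'` line is not fetched by the browser process but by whatever reads the generated Info.plist (presumably the Keystone updater), so the in-process printf/dialog interception the commit message describes will not fire here; the external reader simply sees a URL with an unknown scheme. If the intent is to make update checks fail, a comment saying so would stop the next reader from assuming this path is covered by the dialog, e.g. `# Intentionally unresolvable: update checks against tools.google.com are disabled.`. `_AddKeystoneKeys` continues outside the hunk.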
@@ -175,7 +175,7 @@ std::string ReadFileInBackground(const base::FilePath& file) {

// Template URL where to fetch OEM services customization manifest from.
const char ServicesCustomizationDocument::kManifestUrl[] =
"https://ssl.gstatic.com/chrome/chromeos-customization/%s.json";
"trk:151:https://ssl.gstatic.com/chrome/chromeos-customization/%s.json";

// A custom extensions::ExternalLoader that the ServicesCustomizationDocument
// creates and uses to publish OEM default apps to the extensions system.
@@ -1817,7 +1817,7 @@ void FileManagerPrivateInternalGetDownloadUrlFunction::OnGotDownloadUrl(
IdentityManagerFactory::GetForProfile(chrome_details.GetProfile());
const std::string& account_id = identity_manager->GetPrimaryAccountId();
std::vector<std::string> scopes;
scopes.emplace_back("https://www.googleapis.com/auth/drive.readonly");
scopes.emplace_back("trk:208:https://www.googleapis.com/auth/drive.readonly");

scoped_refptr<network::SharedURLLoaderFactory> url_loader_factory =
content::BrowserContext::GetDefaultStoragePartition(
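Review bot: The string pushed on the new `scopes.emplace_back("trk:208:...")` line is an OAuth2 scope, not a URL that gets loaded, so the printf/dialog interception is unlikely to fire; the token request presumably carries an unknown scope and fails server-side, surfacing only as a missing download URL. The same applies to `kCWSScope` in private_api_misc.cc, `kCloudPrintAuthScope` in cloud_devices_urls.cc, `kDriveScope`/`kDriveAppsReadonlyScope` in drive_api_service.cc, `kGCMGroupServerScope`/`kGCMCheckinServerScope` in gcm_account_tracker.cc and `kHistoryOAuthScope` in web_history_service.cc. If the goal is to detect or block these token requests, the check belongs where the token is requested rather than inside the scope string; at minimum a comment such as `// Scope intentionally broken: Drive token requests are disabled in this build.` would record that the failure is deliberate. `OnGotDownloadUrl` continues outside the hunk.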
@@ -84,7 +84,7 @@ namespace {

using api::file_manager_private::ProfileInfo;

const char kCWSScope[] = "https://www.googleapis.com/auth/chromewebstore";
const char kCWSScope[] = "trk:209:https://www.googleapis.com/auth/chromewebstore";

// Thresholds for mountCrostini() API.
constexpr base::TimeDelta kMountCrostiniSlowOperationThreshold =
@@ -48,8 +48,8 @@ enum class U2FAttestationPromptResult {

const char kGoogleDotCom[] = "google.com";
constexpr const char* kGoogleGstaticAppIds[] = {
"https://www.gstatic.com/securitykey/origins.json",
"https://www.gstatic.com/securitykey/a/google.com/origins.json"};
"trk:273:https://www.gstatic.com/securitykey/origins.json",
"trk:274:https://www.gstatic.com/securitykey/a/google.com/origins.json"};

// ContainsAppIdByHash returns true iff the SHA-256 hash of one of the
// elements of |list| equals |hash|.
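Review bot: The entries of `kGoogleGstaticAppIds` are compared by SHA-256 hash (see the `ContainsAppIdByHash` comment right below the array), not loaded, so prefixing them with `trk:273:`/`trk:274:` changes the hashes and makes the comparison silently never match a real U2F appId, with no printf or dialog on this path. If the intent is to stop recognizing Google's appIds, that should be an explicit decision, e.g. an empty array with `// Google's U2F appIds are deliberately not recognized in this build.`, rather than identifiers whose hash happens to differ. If the intent is only to stop fetching origins.json, the prefix belongs at the fetch site, not on the identifiers compared here.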
@@ -65,7 +65,7 @@ const int kSignatureFormatVersion = 2;
const size_t kSaltBytes = 32;

const char kBackendUrl[] =
"https://www.googleapis.com/chromewebstore/v1.1/items/verify";
"trk:222:https://www.googleapis.com/chromewebstore/v1.1/items/verify";

const char kPublicKeyPEM[] = \
"-----BEGIN PUBLIC KEY-----" \
@@ -42,5 +42,5 @@ base::string16 NaClInfoBarDelegate::GetLinkText() const {
}

GURL NaClInfoBarDelegate::GetLinkURL() const {
return GURL("https://support.google.com/chrome/?p=ib_nacl");
return GURL("trk:143:https://support.google.com/chrome/?p=ib_nacl");
}
@@ -18,7 +18,7 @@

namespace {
const char kHighResAvatarDownloadUrlPrefix[] =
"https://www.gstatic.com/chrome/profile_avatars/";
"trk:271:https://www.gstatic.com/chrome/profile_avatars/";
}

ProfileAvatarDownloader::ProfileAvatarDownloader(
@@ -87,9 +87,9 @@ cvox.ChromeVoxPrefs.DEFAULT_PREFS = {
'position': '{}',
'siteSpecificEnhancements': true,
'siteSpecificScriptBase':
'https://ssl.gstatic.com/accessibility/javascript/ext/',
'trk:152:https://ssl.gstatic.com/accessibility/javascript/ext/',
'siteSpecificScriptLoader':
'https://ssl.gstatic.com/accessibility/javascript/ext/loader.js',
'trk:153:https://ssl.gstatic.com/accessibility/javascript/ext/loader.js',
'speakTextUnderMouse': false,
'sticky': false,
'typingEcho': 0,
@@ -24,15 +24,15 @@
},
// Google Sheets
"aapocclcgogkmnckokdopfmhonfmgoek" : {
"external_update_url": "https://clients2.google.com/service/update2/crx"
"external_update_url": "trk:03:https://clients2.google.com/service/update2/crx"
},
// Google Slides
"felcaaldnbdncclmgdcncolpebgiejap" : {
"external_update_url": "https://clients2.google.com/service/update2/crx"
"external_update_url": "trk:04:https://clients2.google.com/service/update2/crx"
},
// Drive extension
"ghbmnnjooekpmoecnnnilnnbdlolhkhi" : {
"external_update_url": "https://clients2.google.com/service/update2/crx"
"external_update_url": "trk:04:https://clients2.google.com/service/update2/crx"
}
}
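Review bot: The Slides entry (`felcaaldnbdncclmgdcncolpebgiejap`) and the Drive extension entry (`ghbmnnjooekpmoecnnnilnnbdlolhkhi`) both get `trk:04:` while Sheets gets `trk:03:`, so if the numeric id is meant to identify the call site the two entries are indistinguishable in the printf/dialog output and the Drive entry should get its own number (e.g. `"external_update_url": "trk:05:https://clients2.google.com/service/update2/crx"`, number illustrative). Whether ids must be unique cannot be told from this page; a one-line description of the numbering scheme somewhere in the tree would let reviewers check it.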

@@ -78,9 +78,9 @@ const int ClientSideDetectionService::kNegativeCacheIntervalDays = 1;
const int ClientSideDetectionService::kPositiveCacheIntervalMinutes = 30;

const char ClientSideDetectionService::kClientReportPhishingUrl[] =
"https://sb-ssl.google.com/safebrowsing/clientreport/phishing";
"trk:148:https://sb-ssl.google.com/safebrowsing/clientreport/phishing";
const char ClientSideDetectionService::kClientReportMalwareUrl[] =
"https://sb-ssl.google.com/safebrowsing/clientreport/malware-check";
"trk:149:https://sb-ssl.google.com/safebrowsing/clientreport/malware-check";

struct ClientSideDetectionService::ClientPhishingReportInfo {
std::unique_ptr<network::SimpleURLLoader> loader;
@@ -256,7 +256,7 @@ const int64_t DownloadFeedback::kMaxUploadSize = 50 * 1024 * 1024;

// static
const char DownloadFeedback::kSbFeedbackURL[] =
"https://safebrowsing.google.com/safebrowsing/uploads/chrome";
"trk:164:https://safebrowsing.google.com/safebrowsing/uploads/chrome";

// static
DownloadFeedbackFactory* DownloadFeedback::factory_ = nullptr;
@@ -264,7 +264,7 @@ GURL SpellcheckHunspellDictionary::GetDictionaryURL() {
DCHECK(!bdict_file.empty());

static const char kDownloadServerUrl[] =
"https://redirector.gvt1.com/edgedl/chrome/dict/";
"trk:173:https://redirector.gvt1.com/edgedl/chrome/dict/";

return GURL(std::string(kDownloadServerUrl) +
base::ToLowerASCII(bdict_file));
@@ -84,7 +84,7 @@ namespace {

// The URL from which to download a host blacklist if no local one exists yet.
const char kBlacklistURL[] =
"https://www.gstatic.com/chrome/supervised_user/blacklist-20141001-1k.bin";
"trk:272:https://www.gstatic.com/chrome/supervised_user/blacklist-20141001-1k.bin";
// The filename under which we'll store the blacklist (in the user data dir).
const char kBlacklistFilename[] = "su-blacklist.bin";

@@ -41,7 +41,7 @@ using std::string;

namespace {

const char kUploadURL[] = "https://clients2.google.com/cr/report";
const char kUploadURL[] = "trk:109:https://clients2.google.com/cr/report";
const char kCrashUploadContentType[] = "multipart/form-data";
const char kCrashMultipartBoundary[] =
"----**--yradnuoBgoLtrapitluMklaTelgooG--**----";
@@ -34,7 +34,7 @@ namespace {

// The URL to be used to re-install Chrome when auto-update failed for too long.
constexpr char kDownloadChromeUrl[] =
"https://www.google.com/chrome/?&brand=CHWL"
"trk:242:https://www.google.com/chrome/?&brand=CHWL"
"&utm_campaign=en&utm_source=en-et-na-us-chrome-bubble&utm_medium=et";

// The maximum number of ignored bubble we track in the NumLaterPerReinstall
@@ -69,17 +69,17 @@ namespace {
// The URL for the the Learn More page shown on incognito new tab.
const char kLearnMoreIncognitoUrl[] =
#if defined(OS_CHROMEOS)
"https://support.google.com/chromebook/?p=incognito";
"trk:246:https://support.google.com/chromebook/?p=incognito";
#else
"https://support.google.com/chrome/?p=incognito";
"trk:247:https://support.google.com/chrome/?p=incognito";
#endif

// The URL for the Learn More page shown on guest session new tab.
const char kLearnMoreGuestSessionUrl[] =
#if defined(OS_CHROMEOS)
"https://support.google.com/chromebook/?p=chromebook_guest";
"trk:248:https://support.google.com/chromebook/?p=chromebook_guest";
#else
"https://support.google.com/chrome/?p=ui_guest";
"trk:261:https://support.google.com/chrome/?p=ui_guest";
#endif

SkColor GetThemeColor(const ui::ThemeProvider& tp, int id) {
@@ -46,9 +46,9 @@ namespace {

// TODO(battre): Delete the HTTP URL once the blacklist is downloaded via HTTPS.
const char kExtensionBlocklistUrlPrefix[] =
"http://www.gstatic.com/chrome/extensions/blacklist";
"trk:269:http://www.gstatic.com/chrome/extensions/blacklist";
const char kExtensionBlocklistHttpsUrlPrefix[] =
"https://www.gstatic.com/chrome/extensions/blacklist";
"trk:270:https://www.gstatic.com/chrome/extensions/blacklist";

const char kThumbsWhiteListedExtension[] = "khopmbdjffemhegeeobelklnbglcdgfh";

@@ -44,7 +44,7 @@ base::string16 LocalizeUrl(const wchar_t* url) {

base::string16 GetUninstallSurveyUrl() {
static constexpr wchar_t kSurveyUrl[] =
L"https://support.google.com/chrome/contact/chromeuninstall3?hl=$1";
L"trk:253:https://support.google.com/chrome/contact/chromeuninstall3?hl=$1";
return LocalizeUrl(kSurveyUrl);
}

@@ -27,7 +27,7 @@ GURL GetStartupURL() {
const base::CommandLine::StringVector& args = command_line->GetArgs();

if (args.empty())
return GURL("http://www.google.com/");
return GURL("trk:255:http://www.google.com/");

GURL url(args[0]);
if (url.is_valid() && url.has_scheme())
@@ -20,7 +20,7 @@ namespace chromeos {
namespace {

const char kDefaultGeolocationProviderUrl[] =
"https://www.googleapis.com/geolocation/v1/geolocate?";
"trk:215:https://www.googleapis.com/geolocation/v1/geolocate?";

} // namespace

@@ -14,20 +14,20 @@
namespace cloud_devices {

const char kCloudPrintAuthScope[] =
"https://www.googleapis.com/auth/cloudprint";
"trk:197:https://www.googleapis.com/auth/cloudprint";

const char kCloudPrintLearnMoreURL[] =
"https://www.google.com/support/cloudprint";
"trk:199:https://www.google.com/support/cloudprint";

const char kCloudPrintTestPageURL[] =
"http://www.google.com/landing/cloudprint/enable.html?print=true";
"trk:200:http://www.google.com/landing/cloudprint/enable.html?print=true";

namespace {

// Url must not be matched by "urls" section of
// cloud_print_app/manifest.json. If it's matched, print driver dialog will
// open sign-in page in separate window.
const char kCloudPrintURL[] = "https://www.google.com/cloudprint";
const char kCloudPrintURL[] = "trk:201:https://www.google.com/cloudprint";

}

@@ -103,7 +103,7 @@ namespace {
// while we do have functions to deal with uint64_t's.
uint64_t g_crash_loop_before_time = 0;
#else
const char kUploadURL[] = "https://clients2.google.com/cr/report";
const char kUploadURL[] = "trk:06:https://clients2.google.com/cr/report";
#endif

bool g_is_crash_reporter_enabled = false;
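Review bot: `kUploadURL` here gets `trk:06:` while the identical URL in chrome/browser/tracing/crash_service_uploader.cc gets `trk:109:`, so the numbering either identifies the call site (fine, but undocumented) or one of them is a copy error; a short note on the scheme next to one of the two would settle it. Separately, this constant sits in the `#else` branch of a platform conditional and presumably feeds the breakpad uploader, which, if it still hands the URL to an external helper process rather than Chromium's URL loader, will never reach the trk: interception; that is worth confirming before relying on the dialog to catch crash uploads.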
@@ -74,9 +74,9 @@ namespace drive {
namespace {

// OAuth2 scopes for Drive API.
const char kDriveScope[] = "https://www.googleapis.com/auth/drive";
const char kDriveScope[] = "trk:217:https://www.googleapis.com/auth/drive";
const char kDriveAppsReadonlyScope[] =
"https://www.googleapis.com/auth/drive.apps.readonly";
"trk:218:https://www.googleapis.com/auth/drive.apps.readonly";
const char kDriveAppsScope[] = "https://www.googleapis.com/auth/drive.apps";

// Mime type to create a directory.
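Review bot: `kDriveAppsScope`, directly below the two prefixed scopes, is left untouched, so coverage within this file is inconsistent and a reader cannot tell whether the omission is deliberate. The same pattern recurs further down the page: `kHistoryAudioHistoryUrl` in web_history_service.cc stays unprefixed, and more importantly the plain-http fallbacks `kNewMetricsServerUrlInsecure` in components/metrics/url_constants.cc and `kDefaultInsecureServerUrl` in components/variations/variations_url_constants.cc do too, so any code path that falls back to the insecure endpoint bypasses the trk: interception entirely. Either prefix those as well or add a comment next to each stating why it is exempt, e.g. `// Not trk-prefixed: <reason>`.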
@@ -26,7 +26,7 @@ constexpr base::FilePath::CharType kFeedbackReportPath[] =
FILE_PATH_LITERAL("Feedback Reports");

constexpr char kFeedbackPostUrl[] =
"https://www.google.com/tools/feedback/chrome/__submit";
"trk:232:https://www.google.com/tools/feedback/chrome/__submit";

constexpr char kProtoBufMimeType[] = "application/x-protobuf";

@@ -26,9 +26,9 @@ namespace gcm {
namespace {

// Scopes needed by the OAuth2 access tokens.
const char kGCMGroupServerScope[] = "https://www.googleapis.com/auth/gcm";
const char kGCMGroupServerScope[] = "trk:230:https://www.googleapis.com/auth/gcm";
const char kGCMCheckinServerScope[] =
"https://www.googleapis.com/auth/android_checkin";
"trk:231:https://www.googleapis.com/auth/android_checkin";
// Name of the GCM account tracker for fetching access tokens.
const char kGCMAccountTrackerName[] = "gcm_account_tracker";
// Minimum token validity when sending to GCM groups server.
@@ -40,13 +40,13 @@ namespace history {
namespace {

const char kHistoryOAuthScope[] =
"https://www.googleapis.com/auth/chromesync";
"trk:138:https://www.googleapis.com/auth/chromesync";

const char kHistoryQueryHistoryUrl[] =
"https://history.google.com/history/api/lookup?client=chrome";
"trk:139:https://history.google.com/history/api/lookup?client=chrome";

const char kHistoryDeleteHistoryUrl[] =
"https://history.google.com/history/api/delete?client=chrome";
"trk:140:https://history.google.com/history/api/delete?client=chrome";

const char kHistoryAudioHistoryUrl[] =
"https://history.google.com/history/api/lookup?client=audio";
@@ -40,7 +40,7 @@ namespace syncer {
namespace {

const char kCacheInvalidationEndpointUrl[] =
"https://clients4.google.com/invalidation/android/request/";
"trk:264:https://clients4.google.com/invalidation/android/request/";
const char kCacheInvalidationPackageName[] = "com.google.chrome.invalidations";

// Register backoff policy.
@@ -7,7 +7,7 @@
namespace metrics {

const char kNewMetricsServerUrl[] =
"https://clientservices.googleapis.com/uma/v2";
"trk:265:https://clientservices.googleapis.com/uma/v2";

const char kNewMetricsServerUrlInsecure[] =
"http://clientservices.googleapis.com/uma/v2";
@@ -222,10 +222,10 @@ void PasswordStore::GetLogins(const FormDigest& form,
// TODO(mdm): actually delete them at some point, say M24 or so.
base::Time cutoff; // the null time
if (form.scheme == PasswordForm::Scheme::kHtml &&
(form.signon_realm == "http://www.google.com" ||
form.signon_realm == "http://www.google.com/" ||
form.signon_realm == "https://www.google.com" ||
form.signon_realm == "https://www.google.com/")) {
(form.signon_realm == "trk:187:http://www.google.com" ||
form.signon_realm == "trk:188:http://www.google.com/" ||
form.signon_realm == "trk:189:https://www.google.com" ||
form.signon_realm == "trk:190:https://www.google.com/")) {
static const base::Time::Exploded exploded_cutoff = {
2012, 1, 0, 1, 0, 0, 0, 0}; // 00:00 Jan 1 2012
base::Time out_time;
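Review bot: The four `form.signon_realm == "trk:18x:..."` comparisons in `GetLogins` match against realms stored in the password database, which are never loaded as URLs, so the prefix does not trigger the printf/dialog; it just makes the condition false for every stored form and turns the legacy-Google-credential cleanup branch (the `TODO(mdm)` block) into dead code. If disabling that cleanup is intended, deleting the branch or guarding it with an explicit build flag is clearer than unreachable string comparisons; if it is not intended, these four lines should be reverted. `GetLogins` continues outside the hunk on both sides.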
@@ -57,7 +57,7 @@ const char kKeyThirdParty[] = "3rdparty";

// The web store url that is the only trusted source for extensions.
const char kExpectedWebStoreUrl[] =
";https://clients2.google.com/service/update2/crx";
";trk:15:https://cache.iridiumbrowser.de/clients2.google.com/service/update2/crx";
// String to be prepended to each blocked entry.
const char kBlockedExtensionPrefix[] = "[BLOCKED]";

@@ -32,7 +32,7 @@ const char kMimeType[] = "application/vnd.chrome.rappor";
const char kRapporDailyEventHistogram[] = "Rappor.DailyEvent.IntervalType";

// The rappor server's URL.
const char kDefaultServerUrl[] = "https://clients4.google.com/rappor";
const char kDefaultServerUrl[] = "trk:266:https://clients4.google.com/rappor";

} // namespace

@@ -30,7 +30,7 @@ namespace safe_search_api {
namespace {

const char kSafeSearchApiUrl[] =
"https://safesearch.googleapis.com/v1:classify";
"trk:238:https://safesearch.googleapis.com/v1:classify";
const char kDataContentType[] = "application/x-www-form-urlencoded";
const char kDataFormat[] = "key=%s&urls=%s&region_code=%s";

@@ -20,7 +20,7 @@ namespace safe_search_api {
namespace {

constexpr char kSafeSearchApiUrl[] =
"https://safesearch.googleapis.com/v1:classify";
"trk:238:https://safesearch.googleapis.com/v1:classify";

std::string BuildResponse(bool is_porn) {
base::DictionaryValue dict;
@@ -99,6 +99,7 @@ bool TranslateURLFetcher::Request(const GURL& url,
if (!extra_request_header_.empty())
resource_request->headers.AddHeaderFromString(extra_request_header_);

fprintf(stderr, "translator: fetching something from %s\n", url_.spec().c_str());
simple_loader_ =
variations::CreateSimpleURLLoaderWithVariationsHeaderUnknownSignedIn(
std::move(resource_request),
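Review bot: The new `fprintf(stderr, ...)` in `TranslateURLFetcher::Request` writes the full fetched URL to stderr unconditionally, in release builds too, and unlike the trk: mechanism it fires for every translate fetch rather than only the suspicious ones; depending on the caller the URL may carry page-derived query parameters, so this is a small disclosure into whatever captures the process's stderr. Prefer the logging macros used across the tree, e.g. `DVLOG(1) << "translator: fetching " << url_.spec();`, so the message is off by default and follows the normal verbosity controls; "fetching something" is also vaguer than it needs to be. Note the function takes a `url` parameter but logs the `url_` member — whether the two are identical at this point is not visible in the hunk. `Request` continues outside the hunk.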
@@ -18,7 +18,7 @@

namespace translate {

const char kSecurityOrigin[] = "https://translate.googleapis.com/";
const char kSecurityOrigin[] = "trk:220:https://translate.googleapis.com/";

GURL GetTranslateSecurityOrigin() {
std::string security_origin(kSecurityOrigin);
@@ -8,7 +8,7 @@ namespace variations {

// Default server of Variations seed info.
const char kDefaultServerUrl[] =
"https://clientservices.googleapis.com/chrome-variations/seed";
"trk:142:https://clientservices.googleapis.com/chrome-variations/seed";

const char kDefaultInsecureServerUrl[] =
"http://clientservices.googleapis.com/chrome-variations/seed";
