all: add trk: prefixes to possibly evil connections
Prefix URLs to Google services with trk: so that whenever something
tries to load them, the developer will be informed via printf and
dialog about this infraction.

If you see such a dialog, then either (a) the URL needs to be
whitelisted, or (b) the feature that triggered it needs to be disabled
by default.
jengelh committed Apr 9, 2019
1 parent f070d6a commit 3ec775a
Showing 51 changed files with 81 additions and 80 deletions.
2 changes: 1 addition & 1 deletion build/mac/tweak_info_plist.py
Expand Up @@ -209,7 +209,7 @@ def _AddKeystoneKeys(plist, bundle_identifier):
also requires the |bundle_identifier| argument (com.example.product)."""
plist['KSVersion'] = plist['CFBundleShortVersionString']
plist['KSProductID'] = bundle_identifier
plist['KSUpdateURL'] = 'https://tools.google.com/service/update2'
plist['KSUpdateURL'] = 'trk:132:https://tools.google.com/service/update2'

_RemoveKeys(plist, 'KSChannelID')
for tag_suffix in _TagSuffixes():
Expand Up @@ -174,7 +174,7 @@ std::string ReadFileInBackground(const base::FilePath& file) {

// Template URL where to fetch OEM services customization manifest from.
const char ServicesCustomizationDocument::kManifestUrl[] =
"https://ssl.gstatic.com/chrome/chromeos-customization/%s.json";
"trk:151:https://ssl.gstatic.com/chrome/chromeos-customization/%s.json";

// A custom extensions::ExternalLoader that the ServicesCustomizationDocument
// creates and uses to publish OEM default apps to the extensions system.
Expand Up @@ -1639,7 +1639,7 @@ void FileManagerPrivateInternalGetDownloadUrlFunction::OnGotDownloadUrl(
IdentityManagerFactory::GetForProfile(GetProfile());
const std::string& account_id = identity_manager->GetPrimaryAccountId();
std::vector<std::string> scopes;
scopes.emplace_back("https://www.googleapis.com/auth/drive.readonly");
scopes.emplace_back("trk:208:https://www.googleapis.com/auth/drive.readonly");

scoped_refptr<network::SharedURLLoaderFactory> url_loader_factory =
content::BrowserContext::GetDefaultStoragePartition(GetProfile())
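Review bot: The literal changed in `scopes.emplace_back(...)` is an OAuth2 scope identifier sent inside a token request, not a URL the browser loads, so the `trk:208:` prefix probably never reaches whatever reports `trk:` loads and instead makes the request carry a scope the server does not know. If the goal is to switch the feature off, an explicit early return states that more clearly; if the goal is only to observe, keep the scope unchanged and log where the token is requested, e.g. `LOG(WARNING) << "trk:208 drive.readonly token requested";`. The same applies to `kCWSScope`, `kCloudPrintAuthScope`, `kDriveScope`, `kDriveAppsReadonlyScope`, `kGCMGroupServerScope`, `kGCMCheckinServerScope` and `kHistoryOAuthScope` in later sections. `OnGotDownloadUrl` starts and ends outside this hunk.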
Expand Up @@ -77,7 +77,7 @@ namespace {

using api::file_manager_private::ProfileInfo;

const char kCWSScope[] = "https://www.googleapis.com/auth/chromewebstore";
const char kCWSScope[] = "trk:209:https://www.googleapis.com/auth/chromewebstore";

// Obtains the current app window.
AppWindow* GetCurrentAppWindow(UIThreadExtensionFunction* function) {
Expand Up @@ -47,8 +47,8 @@ enum class U2FAttestationPromptResult {

const char kGoogleDotCom[] = "google.com";
constexpr const char* kGoogleGstaticAppIds[] = {
"https://www.gstatic.com/securitykey/origins.json",
"https://www.gstatic.com/securitykey/a/google.com/origins.json"};
"trk:273:https://www.gstatic.com/securitykey/origins.json",
"trk:274:https://www.gstatic.com/securitykey/a/google.com/origins.json"};

// ContainsAppIdByHash returns true iff the SHA-256 hash of one of the
// elements of |list| equals |hash|.
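Review bot: `kGoogleGstaticAppIds` looks like a match list rather than a fetch target: the comment directly below describes `ContainsAppIdByHash` comparing SHA-256 hashes of list elements, and the hash of `trk:273:https://…` cannot equal the hash of the real AppID. If this array is what gets passed to that function, the Google gstatic AppIDs are no longer recognised and the attestation decision changes silently, without any `trk:` load taking place. Either leave these two literals untouched or state the intent next to them, e.g. `// trk: prefix intentionally breaks the Google AppID match`. The use of the array is outside this hunk, so this needs confirming against the caller.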
2 changes: 1 addition & 1 deletion chrome/browser/extensions/install_signer.cc
Expand Up @@ -65,7 +65,7 @@ const int kSignatureFormatVersion = 2;
const size_t kSaltBytes = 32;

const char kBackendUrl[] =
"https://www.googleapis.com/chromewebstore/v1.1/items/verify";
"trk:222:https://www.googleapis.com/chromewebstore/v1.1/items/verify";

const char kPublicKeyPEM[] = \
"-----BEGIN PUBLIC KEY-----" \
2 changes: 1 addition & 1 deletion chrome/browser/nacl_host/nacl_infobar_delegate.cc
Expand Up @@ -42,5 +42,5 @@ base::string16 NaClInfoBarDelegate::GetLinkText() const {
}

GURL NaClInfoBarDelegate::GetLinkURL() const {
return GURL("https://support.google.com/chrome/?p=ib_nacl");
return GURL("trk:143:https://support.google.com/chrome/?p=ib_nacl");
}
2 changes: 1 addition & 1 deletion chrome/browser/profiles/profile_avatar_downloader.cc
Expand Up @@ -18,7 +18,7 @@

namespace {
const char kHighResAvatarDownloadUrlPrefix[] =
"https://www.gstatic.com/chrome/profile_avatars/";
"trk:271:https://www.gstatic.com/chrome/profile_avatars/";
}

ProfileAvatarDownloader::ProfileAvatarDownloader(
Expand Up @@ -85,9 +85,9 @@ cvox.ChromeVoxPrefs.DEFAULT_PREFS = {
'position': '{}',
'siteSpecificEnhancements': true,
'siteSpecificScriptBase':
'https://ssl.gstatic.com/accessibility/javascript/ext/',
'trk:152:https://ssl.gstatic.com/accessibility/javascript/ext/',
'siteSpecificScriptLoader':
'https://ssl.gstatic.com/accessibility/javascript/ext/loader.js',
'trk:153:https://ssl.gstatic.com/accessibility/javascript/ext/loader.js',
'speakTextUnderMouse': false,
'sticky': false,
'typingEcho': 0,
Expand Up @@ -24,15 +24,15 @@
},
// Google Sheets
"aapocclcgogkmnckokdopfmhonfmgoek" : {
"external_update_url": "https://clients2.google.com/service/update2/crx"
"external_update_url": "trk:03:https://clients2.google.com/service/update2/crx"
},
// Google Slides
"felcaaldnbdncclmgdcncolpebgiejap" : {
"external_update_url": "https://clients2.google.com/service/update2/crx"
"external_update_url": "trk:04:https://clients2.google.com/service/update2/crx"
},
// Drive extension
"ghbmnnjooekpmoecnnnilnnbdlolhkhi" : {
"external_update_url": "https://clients2.google.com/service/update2/crx"
"external_update_url": "trk:04:https://clients2.google.com/service/update2/crx"
}
}
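Review bot: The Drive extension entry reuses `trk:04`, which the Google Slides entry just above already carries, so a report naming `trk:04` cannot be attributed to one of the two. Give the Drive entry an id of its own, `"external_update_url": "trk:NN:https://clients2.google.com/service/update2/crx"`, where `NN` is a placeholder for a number not used elsewhere in the tree. The entry before Google Sheets is cut off at the top of the hunk, so its id could not be checked.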

4 changes: 2 additions & 2 deletions chrome/browser/safe_browsing/client_side_detection_service.cc
Expand Up @@ -81,9 +81,9 @@ const int ClientSideDetectionService::kNegativeCacheIntervalDays = 1;
const int ClientSideDetectionService::kPositiveCacheIntervalMinutes = 30;

const char ClientSideDetectionService::kClientReportPhishingUrl[] =
"https://sb-ssl.google.com/safebrowsing/clientreport/phishing";
"trk:148:https://sb-ssl.google.com/safebrowsing/clientreport/phishing";
const char ClientSideDetectionService::kClientReportMalwareUrl[] =
"https://sb-ssl.google.com/safebrowsing/clientreport/malware-check";
"trk:149:https://sb-ssl.google.com/safebrowsing/clientreport/malware-check";

struct ClientSideDetectionService::ClientPhishingReportInfo {
std::unique_ptr<network::SimpleURLLoader> loader;
Expand Up @@ -231,7 +231,7 @@ const int64_t DownloadFeedback::kMaxUploadSize = 50 * 1024 * 1024;

// static
const char DownloadFeedback::kSbFeedbackURL[] =
"https://safebrowsing.google.com/safebrowsing/uploads/chrome";
"trk:164:https://safebrowsing.google.com/safebrowsing/uploads/chrome";

// static
DownloadFeedbackFactory* DownloadFeedback::factory_ = nullptr;
Expand Up @@ -258,7 +258,7 @@ GURL SpellcheckHunspellDictionary::GetDictionaryURL() {
DCHECK(!bdict_file.empty());

static const char kDownloadServerUrl[] =
"https://redirector.gvt1.com/edgedl/chrome/dict/";
"trk:173:https://redirector.gvt1.com/edgedl/chrome/dict/";

return GURL(std::string(kDownloadServerUrl) +
base::ToLowerASCII(bdict_file));
2 changes: 1 addition & 1 deletion chrome/browser/supervised_user/supervised_user_service.cc
Expand Up @@ -82,7 +82,7 @@ namespace {

// The URL from which to download a host blacklist if no local one exists yet.
const char kBlacklistURL[] =
"https://www.gstatic.com/chrome/supervised_user/blacklist-20141001-1k.bin";
"trk:272:https://www.gstatic.com/chrome/supervised_user/blacklist-20141001-1k.bin";
// The filename under which we'll store the blacklist (in the user data dir).
const char kBlacklistFilename[] = "su-blacklist.bin";

2 changes: 1 addition & 1 deletion chrome/browser/tracing/crash_service_uploader.cc
Expand Up @@ -41,7 +41,7 @@ using std::string;

namespace {

const char kUploadURL[] = "https://clients2.google.com/cr/report";
const char kUploadURL[] = "trk:109:https://clients2.google.com/cr/report";
const char kCrashUploadContentType[] = "multipart/form-data";
const char kCrashMultipartBoundary[] =
"----**--yradnuoBgoLtrapitluMklaTelgooG--**----";
2 changes: 1 addition & 1 deletion chrome/browser/ui/views/outdated_upgrade_bubble_view.cc
Expand Up @@ -31,7 +31,7 @@ namespace {

// The URL to be used to re-install Chrome when auto-update failed for too long.
constexpr char kDownloadChromeUrl[] =
"https://www.google.com/chrome/?&brand=CHWL"
"trk:242:https://www.google.com/chrome/?&brand=CHWL"
"&utm_campaign=en&utm_source=en-et-na-us-chrome-bubble&utm_medium=et";

// The maximum number of ignored bubble we track in the NumLaterPerReinstall
8 changes: 4 additions & 4 deletions chrome/browser/ui/webui/ntp/ntp_resource_cache.cc
Expand Up @@ -67,17 +67,17 @@ namespace {
// The URL for the the Learn More page shown on incognito new tab.
const char kLearnMoreIncognitoUrl[] =
#if defined(OS_CHROMEOS)
"https://support.google.com/chromebook/?p=incognito";
"trk:246:https://support.google.com/chromebook/?p=incognito";
#else
"https://support.google.com/chrome/?p=incognito";
"trk:247:https://support.google.com/chrome/?p=incognito";
#endif

// The URL for the Learn More page shown on guest session new tab.
const char kLearnMoreGuestSessionUrl[] =
#if defined(OS_CHROMEOS)
"https://support.google.com/chromebook/?p=chromebook_guest";
"trk:248:https://support.google.com/chromebook/?p=chromebook_guest";
#else
"https://support.google.com/chrome/?p=ui_guest";
"trk:261:https://support.google.com/chrome/?p=ui_guest";
#endif

SkColor GetThemeColor(const ui::ThemeProvider& tp, int id) {
4 changes: 2 additions & 2 deletions chrome/common/extensions/chrome_extensions_client.cc
Expand Up @@ -45,9 +45,9 @@ namespace {

// TODO(battre): Delete the HTTP URL once the blacklist is downloaded via HTTPS.
const char kExtensionBlocklistUrlPrefix[] =
"http://www.gstatic.com/chrome/extensions/blacklist";
"trk:269:http://www.gstatic.com/chrome/extensions/blacklist";
const char kExtensionBlocklistHttpsUrlPrefix[] =
"https://www.gstatic.com/chrome/extensions/blacklist";
"trk:270:https://www.gstatic.com/chrome/extensions/blacklist";

const char kThumbsWhiteListedExtension[] = "khopmbdjffemhegeeobelklnbglcdgfh";

2 changes: 1 addition & 1 deletion chrome/installer/setup/google_chrome_behaviors.cc
Expand Up @@ -44,7 +44,7 @@ base::string16 LocalizeUrl(const wchar_t* url) {

base::string16 GetUninstallSurveyUrl() {
static constexpr wchar_t kSurveyUrl[] =
L"https://support.google.com/chrome/contact/chromeuninstall3?hl=$1";
L"trk:253:https://support.google.com/chrome/contact/chromeuninstall3?hl=$1";
return LocalizeUrl(kSurveyUrl);
}

2 changes: 1 addition & 1 deletion chromecast/browser/service/cast_service_simple.cc
Expand Up @@ -27,7 +27,7 @@ GURL GetStartupURL() {
const base::CommandLine::StringVector& args = command_line->GetArgs();

if (args.empty())
return GURL("http://www.google.com/");
return GURL("trk:255:http://www.google.com/");

GURL url(args[0]);
if (url.is_valid() && url.has_scheme())
2 changes: 1 addition & 1 deletion chromeos/geolocation/simple_geolocation_provider.cc
Expand Up @@ -20,7 +20,7 @@ namespace chromeos {
namespace {

const char kDefaultGeolocationProviderUrl[] =
"https://www.googleapis.com/geolocation/v1/geolocate?";
"trk:215:https://www.googleapis.com/geolocation/v1/geolocate?";

} // namespace

8 changes: 4 additions & 4 deletions components/cloud_devices/common/cloud_devices_urls.cc
Expand Up @@ -14,20 +14,20 @@
namespace cloud_devices {

const char kCloudPrintAuthScope[] =
"https://www.googleapis.com/auth/cloudprint";
"trk:197:https://www.googleapis.com/auth/cloudprint";

const char kCloudPrintLearnMoreURL[] =
"https://www.google.com/support/cloudprint";
"trk:199:https://www.google.com/support/cloudprint";

const char kCloudPrintTestPageURL[] =
"http://www.google.com/landing/cloudprint/enable.html?print=true";
"trk:200:http://www.google.com/landing/cloudprint/enable.html?print=true";

namespace {

// Url must not be matched by "urls" section of
// cloud_print_app/manifest.json. If it's matched, print driver dialog will
// open sign-in page in separate window.
const char kCloudPrintURL[] = "https://www.google.com/cloudprint";
const char kCloudPrintURL[] = "trk:201:https://www.google.com/cloudprint";

}

2 changes: 1 addition & 1 deletion components/crash/content/app/breakpad_linux.cc
Expand Up @@ -88,7 +88,7 @@ namespace breakpad {
namespace {

#if !defined(OS_CHROMEOS)
const char kUploadURL[] = "https://clients2.google.com/cr/report";
const char kUploadURL[] = "trk:06:https://clients2.google.com/cr/report";
#endif

bool g_is_crash_reporter_enabled = false;
4 changes: 2 additions & 2 deletions components/drive/service/drive_api_service.cc
Expand Up @@ -74,9 +74,9 @@ namespace drive {
namespace {

// OAuth2 scopes for Drive API.
const char kDriveScope[] = "https://www.googleapis.com/auth/drive";
const char kDriveScope[] = "trk:217:https://www.googleapis.com/auth/drive";
const char kDriveAppsReadonlyScope[] =
"https://www.googleapis.com/auth/drive.apps.readonly";
"trk:218:https://www.googleapis.com/auth/drive.apps.readonly";
const char kDriveAppsScope[] = "https://www.googleapis.com/auth/drive.apps";

// Mime type to create a directory.
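Review bot: `kDriveAppsScope`, on the line after `kDriveAppsReadonlyScope`, keeps its plain `https://www.googleapis.com/auth/drive.apps` value while its two siblings are tagged, so the tagging in this block is incomplete. The same gap is visible for `kHistoryAudioHistoryUrl` in components/history/core/browser/web_history_service.cc and, more importantly, for `kNewMetricsServerUrlInsecure` in components/metrics/url_constants.cc, where the plaintext `http://` fallback stays untagged while the HTTPS endpoint is tagged. If these are deliberate exceptions, record that next to each one, e.g. `// not tagged: <reason>`; otherwise give them ids of their own.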
2 changes: 1 addition & 1 deletion components/feedback/feedback_uploader.cc
Expand Up @@ -26,7 +26,7 @@ constexpr base::FilePath::CharType kFeedbackReportPath[] =
FILE_PATH_LITERAL("Feedback Reports");

constexpr char kFeedbackPostUrl[] =
"https://www.google.com/tools/feedback/chrome/__submit";
"trk:232:https://www.google.com/tools/feedback/chrome/__submit";

constexpr char kProtoBufMimeType[] = "application/x-protobuf";

4 changes: 2 additions & 2 deletions components/gcm_driver/gcm_account_tracker.cc
Expand Up @@ -25,9 +25,9 @@ namespace gcm {
namespace {

// Scopes needed by the OAuth2 access tokens.
const char kGCMGroupServerScope[] = "https://www.googleapis.com/auth/gcm";
const char kGCMGroupServerScope[] = "trk:230:https://www.googleapis.com/auth/gcm";
const char kGCMCheckinServerScope[] =
"https://www.googleapis.com/auth/android_checkin";
"trk:231:https://www.googleapis.com/auth/android_checkin";
// Name of the GCM account tracker for fetching access tokens.
const char kGCMAccountTrackerName[] = "gcm_account_tracker";
// Minimum token validity when sending to GCM groups server.
2 changes: 1 addition & 1 deletion components/google/core/browser/google_url_tracker.cc
Expand Up @@ -34,7 +34,7 @@
* (So the naming problem was spotted, yet remains unfixed even today…)
*/
const char GoogleURLTracker::kDefaultGoogleHomepage[] =
"https://www.google.com/";
"trk:192:https://www.google.com/";
const char GoogleURLTracker::kSearchDomainCheckURL[] =
/* trk:193 */ "https://www.google.com/searchdomaincheck?format=domain&type=chrome";
const base::Feature GoogleURLTracker::kNoSearchDomainCheck{
6 changes: 3 additions & 3 deletions components/history/core/browser/web_history_service.cc
Expand Up @@ -41,13 +41,13 @@ namespace history {
namespace {

const char kHistoryOAuthScope[] =
"https://www.googleapis.com/auth/chromesync";
"trk:138:https://www.googleapis.com/auth/chromesync";

const char kHistoryQueryHistoryUrl[] =
"https://history.google.com/history/api/lookup?client=chrome";
"trk:139:https://history.google.com/history/api/lookup?client=chrome";

const char kHistoryDeleteHistoryUrl[] =
"https://history.google.com/history/api/delete?client=chrome";
"trk:140:https://history.google.com/history/api/delete?client=chrome";

const char kHistoryAudioHistoryUrl[] =
"https://history.google.com/history/api/lookup?client=audio";
2 changes: 1 addition & 1 deletion components/invalidation/impl/gcm_network_channel.cc
Expand Up @@ -40,7 +40,7 @@ namespace syncer {
namespace {

const char kCacheInvalidationEndpointUrl[] =
"https://clients4.google.com/invalidation/android/request/";
"trk:264:https://clients4.google.com/invalidation/android/request/";
const char kCacheInvalidationPackageName[] = "com.google.chrome.invalidations";

// Register backoff policy.
2 changes: 1 addition & 1 deletion components/invalidation/impl/p2p_invalidator.cc
Expand Up @@ -21,7 +21,7 @@

namespace syncer {

const char kSyncP2PNotificationChannel[] = "http://www.google.com/chrome/sync";
const char kSyncP2PNotificationChannel[] = "trk:191:http://www.google.com/chrome/sync";

namespace {

2 changes: 1 addition & 1 deletion components/metrics/url_constants.cc
Expand Up @@ -7,7 +7,7 @@
namespace metrics {

const char kNewMetricsServerUrl[] =
"https://clientservices.googleapis.com/uma/v2";
"trk:265:https://clientservices.googleapis.com/uma/v2";

const char kNewMetricsServerUrlInsecure[] =
"http://clientservices.googleapis.com/uma/v2";
8 changes: 4 additions & 4 deletions components/password_manager/core/browser/password_store.cc
Expand Up @@ -228,10 +228,10 @@ void PasswordStore::GetLogins(const FormDigest& form,
// TODO(mdm): actually delete them at some point, say M24 or so.
base::Time ignore_logins_cutoff; // the null time
if (form.scheme == PasswordForm::SCHEME_HTML &&
(form.signon_realm == "http://www.google.com" ||
form.signon_realm == "http://www.google.com/" ||
form.signon_realm == "https://www.google.com" ||
form.signon_realm == "https://www.google.com/")) {
(form.signon_realm == "trk:187:http://www.google.com" ||
form.signon_realm == "trk:188:http://www.google.com/" ||
form.signon_realm == "trk:189:https://www.google.com" ||
form.signon_realm == "trk:190:https://www.google.com/")) {
static const base::Time::Exploded exploded_cutoff =
{ 2012, 1, 0, 1, 0, 0, 0, 0 }; // 00:00 Jan 1 2012
base::Time out_time;
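Review bot: The four literals changed here are compared against `form.signon_realm`; they are never loaded, and a stored realm does not begin with `trk:`, so the condition can no longer be true. The block that builds the 1 Jan 2012 cutoff is then never entered and `ignore_logins_cutoff` presumably stays at the null time for google.com forms, which changes password-store behaviour without reporting any connection. These comparisons should keep the original strings, e.g. `form.signon_realm == "https://www.google.com/"`. `GetLogins` starts and ends outside this hunk.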
2 changes: 1 addition & 1 deletion components/policy/core/common/policy_loader_win.cc
Expand Up @@ -57,7 +57,7 @@ const char kKeyThirdParty[] = "3rdparty";

// The web store url that is the only trusted source for extensions.
const char kExpectedWebStoreUrl[] =
";https://clients2.google.com/service/update2/crx";
";trk:15:https://cache.iridiumbrowser.de/clients2.google.com/service/update2/crx";
// String to be prepended to each blocked entry.
const char kBlockedExtensionPrefix[] = "[BLOCKED]";
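Review bot: This hunk does more than add a prefix: the host in `kExpectedWebStoreUrl` changes from `clients2.google.com` to `cache.iridiumbrowser.de/clients2.google.com`, which the commit description does not mention, and the comment above still calls the value the only trusted source for extensions. If the constant is matched against update URLs in policy entries (the comparison is outside the hunk), entries naming the real web store URL would now be treated as untrusted and only entries spelling out the `trk:15:` form would pass. The comment should say what is trusted now, and the trust comparison is better kept separate from the connection tagging so that a tagging change cannot alter which extension sources policy accepts.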

2 changes: 1 addition & 1 deletion components/rappor/rappor_service_impl.cc
Expand Up @@ -32,7 +32,7 @@ const char kMimeType[] = "application/vnd.chrome.rappor";
const char kRapporDailyEventHistogram[] = "Rappor.DailyEvent.IntervalType";

// The rappor server's URL.
const char kDefaultServerUrl[] = "https://clients4.google.com/rappor";
const char kDefaultServerUrl[] = "trk:266:https://clients4.google.com/rappor";

} // namespace

2 changes: 1 addition & 1 deletion components/safe_search_api/stub_url_checker.cc
Expand Up @@ -17,7 +17,7 @@ namespace safe_search_api {
namespace {

constexpr char kSafeSearchApiUrl[] =
"https://safesearch.googleapis.com/v1:classify";
"trk:238:https://safesearch.googleapis.com/v1:classify";

std::string BuildResponse(bool is_porn) {
base::DictionaryValue dict;
2 changes: 1 addition & 1 deletion components/safe_search_api/url_checker.cc
Expand Up @@ -32,7 +32,7 @@ namespace safe_search_api {
namespace {

const char kSafeSearchApiUrl[] =
"https://safesearch.googleapis.com/v1:classify";
"trk:238:https://safesearch.googleapis.com/v1:classify";
const char kDataContentType[] = "application/x-www-form-urlencoded";
const char kDataFormat[] = "key=%s&urls=%s&region_code=%s";

1 change: 1 addition & 0 deletions components/translate/core/browser/translate_url_fetcher.cc
Expand Up @@ -100,6 +100,7 @@ bool TranslateURLFetcher::Request(const GURL& url,
if (!extra_request_header_.empty())
resource_request->headers.AddHeaderFromString(extra_request_header_);

fprintf(stderr, "translator: fetching something from %s\n", url_.spec().c_str());
simple_loader_ =
variations::CreateSimpleURLLoaderWithVariationsHeadersUnknownSignedIn(
std::move(resource_request),
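Review bot: The added `fprintf` writes the complete `url_.spec()` to stderr on every request in every build, and a spec includes the query string, whose parameters should not end up in terminal or service logs. Logging only the host through the project's logging macros keeps the signal and drops the parameters: `LOG(WARNING) << "translator: fetching from " << url_.host();`. The function takes a `url` parameter while the new line reads the member `url_`; whether `url_` has been assigned by this point is decided above the hunk and is worth checking. `Request` starts and ends outside this hunk.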
