Block external protocol handler with sandbox. #7124
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Developers are surprised that sandboxed iframe can navigate and/or redirect the user toward an external application. General iframe navigation in the sandboxed iframe are not blocked normally, because they stay within the iframe. However they can be seen as a popup or a top-level navigation when it opens an external application. In this case, it makes sense to extend the scope of sandbox flags, and block malvertisers. This patch gates access to external protocol behind one of: - allow-popup - allow-top-level-navigation - allow-top-level-navigation-by-user-activation + UserGesture.
|
Screenshot of the change: |
ArthurSonzogni
force-pushed
the
external-protocol
branch
from
7400f31
to
2e01096
Compare
annevk
reviewed
Sep 28, 2021
|
Thanks!
I am wondering how hard it would be for me to make it (I might try one day). |
pull bot
pushed a commit
to FairyWorld/tool_chromium
that referenced
this pull request
Sep 30, 2021
Developers are surprised that sandboxed iframe can navigate the user toward an external protocol. The navigation in the sandbox is not blocked by sandbox normally, only top-level navigation and opening popups are blocked. So not blocking iframe navigations in general is working as intended. However sandboxed iframe navigation toward external protocol handler are navigating the user toward a different application. Somehow, this can be seen as a new popup or a new top-level navigation. This patch gates access to external protocol behind one of: - allow-popup - allow-top-level-navigation - allow-top-level-navigation-by-user-activation + UserGesture. This is not enforced by content/. So this is not a web feature. This is implemented by chrome/ only. The reason is that Android Webview may do not want to apply these restrictions. Android Webview do not support external protocol by itself, but it let the Android app to listen and intercept the request. We decided to let the Android app full power here, to avoid breaking the existing users. Spec: whatwg/html#7124 Mozilla position: mozilla/standards-positions#581 Webkit position: https://lists.webkit.org/pipermail/webkit-dev/2021-September/031988.html Chrome feature: https://chromestatus.com/guide/edit/5680742077038592 Change-Id: I0c3f130d084e7a23555178f3a172efb3607e87b6 Bug: 1148777, 1253379 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3162979 Reviewed-by: Colin Blundell <blundell@chromium.org> Reviewed-by: Roman Sorokin [CET] <rsorokin@chromium.org> Reviewed-by: Devlin <rdevlin.cronin@chromium.org> Reviewed-by: Dominick Ng <dominickn@chromium.org> Reviewed-by: Richard Coles <torne@chromium.org> Commit-Queue: Arthur Sonzogni <arthursonzogni@chromium.org> Cr-Commit-Position: refs/heads/main@{#926684}
blueboxd
pushed a commit
to blueboxd/chromium-legacy
that referenced
this pull request
Sep 30, 2021
This reverts commit ad1f7db. Reason for revert: ExternalProtocolHandlerSandboxBrowserTest failed on Mac and Win7, more links can be found in crbug.com/1254729 Original change's description: > Block external protocol handler with sandbox. > > Developers are surprised that sandboxed iframe can navigate the user > toward an external protocol. > The navigation in the sandbox is not blocked by sandbox normally, only > top-level navigation and opening popups are blocked. So not blocking > iframe navigations in general is working as intended. However sandboxed > iframe navigation toward external protocol handler are navigating the > user toward a different application. Somehow, this can be seen as a new > popup or a new top-level navigation. > > This patch gates access to external protocol behind one of: > - allow-popup > - allow-top-level-navigation > - allow-top-level-navigation-by-user-activation + UserGesture. > > This is not enforced by content/. So this is not a web feature. > This is implemented by chrome/ only. > > The reason is that Android Webview may do not want to apply these > restrictions. Android Webview do not support external protocol by > itself, but it let the Android app to listen and intercept the request. > We decided to let the Android app full power here, to avoid breaking > the existing users. > > Spec: > whatwg/html#7124 > > Mozilla position: > mozilla/standards-positions#581 > > Webkit position: > https://lists.webkit.org/pipermail/webkit-dev/2021-September/031988.html > > Chrome feature: > https://chromestatus.com/guide/edit/5680742077038592 > > Change-Id: I0c3f130d084e7a23555178f3a172efb3607e87b6 > Bug: 1148777, 1253379 > Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3162979 > Reviewed-by: Colin Blundell <blundell@chromium.org> > Reviewed-by: Roman Sorokin [CET] <rsorokin@chromium.org> > Reviewed-by: Devlin <rdevlin.cronin@chromium.org> > Reviewed-by: Dominick Ng <dominickn@chromium.org> > Reviewed-by: Richard Coles <torne@chromium.org> > Commit-Queue: Arthur Sonzogni <arthursonzogni@chromium.org> > Cr-Commit-Position: refs/heads/main@{#926684} Bug: 1148777, 1253379, 1254729 Change-Id: I646705d2adc6375243caaa4b7ba4102dcd1b468c No-Presubmit: true No-Tree-Checks: true No-Try: true Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3196851 Auto-Submit: Owen Min <zmin@chromium.org> Bot-Commit: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com> Commit-Queue: Owen Min <zmin@chromium.org> Owners-Override: Owen Min <zmin@chromium.org> Cr-Commit-Position: refs/heads/main@{#926739}
blueboxd
pushed a commit
to blueboxd/chromium-legacy
that referenced
this pull request
Oct 7, 2021
Reland: ------- See diff: https://chromium-review.googlesource.com/c/chromium/src/+/3198263/1..19 On Linux, external protocols calls are delegated to the OS without additional security check. On Windows and Mac (possibly more), it needs to be allowed by the the PolicyBlocklistService explicitely, or it would go through a permission prompt, causing the test to fail. Revert: ------- https://chromium-review.googlesource.com/c/chromium/src/+/3196851 Due to failing test on Windows and Mac. Original commit: ---------------- Developers are surprised that sandboxed iframe can navigate the user toward an external protocol. The navigation in the sandbox is not blocked by sandbox normally, only top-level navigation and opening popups are blocked. So not blocking iframe navigations in general is working as intended. However sandboxed iframe navigation toward external protocol handler are navigating the user toward a different application. Somehow, this can be seen as a new popup or a new top-level navigation. This patch gates access to external protocol behind one of: - allow-popup - allow-top-level-navigation - allow-top-level-navigation-by-user-activation + UserGesture. This is not enforced by content/. So this is not a web feature. This is implemented by chrome/ only. The reason is that Android Webview may do not want to apply these restrictions. Android Webview do not support external protocol by itself, but it let the Android app to listen and intercept the request. We decided to let the Android app full power here, to avoid breaking the existing users. Spec: whatwg/html#7124 Mozilla position: mozilla/standards-positions#581 Webkit position: https://lists.webkit.org/pipermail/webkit-dev/2021-September/031988.html Chrome feature: https://chromestatus.com/guide/edit/5680742077038592 Bug: 1148777, 1253379 Change-Id: Iea92eb8ae6bf1da997dd1433aab4f93fecd879fc Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3198263 Commit-Queue: Arthur Sonzogni <arthursonzogni@chromium.org> Reviewed-by: Richard Coles <torne@chromium.org> Reviewed-by: Dominick Ng <dominickn@chromium.org> Reviewed-by: Devlin <rdevlin.cronin@chromium.org> Reviewed-by: Pavol Marko <pmarko@chromium.org> Reviewed-by: Colin Blundell <blundell@chromium.org> Cr-Commit-Position: refs/heads/main@{#929176}
domenic
reviewed
Oct 12, 2021
| <ul class=brief> | ||
| <li><p><var>sandboxFlags</var> contains the <code | ||
| data-x="attr-iframe-sandbox-allow-top-navigation-by-user-activation">allow-top-navigation-by-user-activation</code> | ||
| token and <var>hasTransientActivation</var> is true</p></li> |
There was a problem hiding this comment.
Nit: missing period.
However, a larger issue: I don't think these are the right sandboxing flags to consult. Shouldn't we consult sandboxFlags computed in step 15 of navigate? That also avoids issues where the sandboxing flags change between the start of the navigation, and the end of it. (Not sure exactly when that could happen, but I think it can... redirects, maybe.)
There was a problem hiding this comment.
I agree, and that's what is implemented in Chrome. I will plumb it.
There was a problem hiding this comment.
This required significant plumbing. This goes from navigate toward hand-off-to-external-software, but there are several paths.
Here are the call sites:
navigate -> process-a-navigate-URL-scheme
navigate -> process-a-navigate-fetch
navigate -> process-a-navigate-response
process-a-navigate-fetch -> process-a-navigate-URL-scheme
process-a-navigate-fetch -> process-a-navigate-response
process-a-navigate-URL-scheme ->hand-off-to-external-software
process-a-navigate-response -> hand-off-to-external-software
read-multipart-x-mixed-replace -> process-a-navigate-response
┌───────────────────────────────────┐┌──────────────────────────────┐
│navigate ││read-multipart-x-mixed-replace│
└┬─────────────┬───────────────────┬┘└──────────┬───────────────────┘
│┌────────────▽──────────────────┐│ │
││process-a-navigate-fetch ││ │
│└────────────┬────────────────┬─┘│ │
┌▽─────────────▽──────────────┐┌▽──▽────────────▽──────────┐
│process-a-navigate-URL-scheme││process-a-navigate-response│
└──────────────┬──────────────┘└┬──────────────────────────┘
┌────▽────────────────▽──────────┐
│hand-off-to-external-software │
└────────────────────────────────┘
I plumbed sandboxFlags for every call. Please note an exception for:
read-multipart-x-mixed-replace -> process-a-navigate-response. The latter is already not clearly/implicitly defined by:
using the same setup as the navigate attempt that caused this section to be invoked in the first place.
So, I let it this way.
There was a problem hiding this comment.
Thanks! This looks almost perfect, except we can eliminate the explicit sandboxFlags parameter to "process a navigate response" since it's already contained in the navigationParams parameter. We just need to pull it out and pass navigationParams's final sandboxing flag set to "hand-off-to-external-software".
|
Thanks @domenic! |
domenic
approved these changes
Oct 15, 2021
mariospr
added a commit
to brave/brave-core
that referenced
this pull request
Oct 15, 2021
It expects an additional network::mojom::WebSandboxFlags parameter now. Chromium change: https://source.chromium.org/chromium/chromium/src/+/038f0de5070fb6c4ccab88ca89aaffa4b41d8d1f commit 038f0de5070fb6c4ccab88ca89aaffa4b41d8d1f Author: Arthur Sonzogni <arthursonzogni@chromium.org> Date: Thu Oct 7 13:51:34 2021 +0000 Reland "Block external protocol handler with sandbox." Reland: ------- See diff: https://chromium-review.googlesource.com/c/chromium/src/+/3198263/1..19 On Linux, external protocols calls are delegated to the OS without additional security check. On Windows and Mac (possibly more), it needs to be allowed by the the PolicyBlocklistService explicitely, or it would go through a permission prompt, causing the test to fail. Revert: ------- https://chromium-review.googlesource.com/c/chromium/src/+/3196851 Due to failing test on Windows and Mac. Original commit: ---------------- Developers are surprised that sandboxed iframe can navigate the user toward an external protocol. The navigation in the sandbox is not blocked by sandbox normally, only top-level navigation and opening popups are blocked. So not blocking iframe navigations in general is working as intended. However sandboxed iframe navigation toward external protocol handler are navigating the user toward a different application. Somehow, this can be seen as a new popup or a new top-level navigation. This patch gates access to external protocol behind one of: - allow-popup - allow-top-level-navigation - allow-top-level-navigation-by-user-activation + UserGesture. This is not enforced by content/. So this is not a web feature. This is implemented by chrome/ only. The reason is that Android Webview may do not want to apply these restrictions. Android Webview do not support external protocol by itself, but it let the Android app to listen and intercept the request. We decided to let the Android app full power here, to avoid breaking the existing users. Spec: whatwg/html#7124 Mozilla position: mozilla/standards-positions#581 Webkit position: https://lists.webkit.org/pipermail/webkit-dev/2021-September/031988.html Chrome feature: https://chromestatus.com/guide/edit/5680742077038592 Bug: 1148777, 1253379
|
Thanks both of you for the reviews! |
mariospr
added a commit
to brave/brave-core
that referenced
this pull request
Oct 18, 2021
It expects an additional network::mojom::WebSandboxFlags parameter now. Chromium change: https://source.chromium.org/chromium/chromium/src/+/038f0de5070fb6c4ccab88ca89aaffa4b41d8d1f commit 038f0de5070fb6c4ccab88ca89aaffa4b41d8d1f Author: Arthur Sonzogni <arthursonzogni@chromium.org> Date: Thu Oct 7 13:51:34 2021 +0000 Reland "Block external protocol handler with sandbox." Reland: ------- See diff: https://chromium-review.googlesource.com/c/chromium/src/+/3198263/1..19 On Linux, external protocols calls are delegated to the OS without additional security check. On Windows and Mac (possibly more), it needs to be allowed by the the PolicyBlocklistService explicitely, or it would go through a permission prompt, causing the test to fail. Revert: ------- https://chromium-review.googlesource.com/c/chromium/src/+/3196851 Due to failing test on Windows and Mac. Original commit: ---------------- Developers are surprised that sandboxed iframe can navigate the user toward an external protocol. The navigation in the sandbox is not blocked by sandbox normally, only top-level navigation and opening popups are blocked. So not blocking iframe navigations in general is working as intended. However sandboxed iframe navigation toward external protocol handler are navigating the user toward a different application. Somehow, this can be seen as a new popup or a new top-level navigation. This patch gates access to external protocol behind one of: - allow-popup - allow-top-level-navigation - allow-top-level-navigation-by-user-activation + UserGesture. This is not enforced by content/. So this is not a web feature. This is implemented by chrome/ only. The reason is that Android Webview may do not want to apply these restrictions. Android Webview do not support external protocol by itself, but it let the Android app to listen and intercept the request. We decided to let the Android app full power here, to avoid breaking the existing users. Spec: whatwg/html#7124 Mozilla position: mozilla/standards-positions#581 Webkit position: https://lists.webkit.org/pipermail/webkit-dev/2021-September/031988.html Chrome feature: https://chromestatus.com/guide/edit/5680742077038592 Bug: 1148777, 1253379
mariospr
added a commit
to brave/brave-core
that referenced
this pull request
Oct 18, 2021
It expects an additional network::mojom::WebSandboxFlags parameter now. Chromium change: https://source.chromium.org/chromium/chromium/src/+/038f0de5070fb6c4ccab88ca89aaffa4b41d8d1f commit 038f0de5070fb6c4ccab88ca89aaffa4b41d8d1f Author: Arthur Sonzogni <arthursonzogni@chromium.org> Date: Thu Oct 7 13:51:34 2021 +0000 Reland "Block external protocol handler with sandbox." Reland: ------- See diff: https://chromium-review.googlesource.com/c/chromium/src/+/3198263/1..19 On Linux, external protocols calls are delegated to the OS without additional security check. On Windows and Mac (possibly more), it needs to be allowed by the the PolicyBlocklistService explicitely, or it would go through a permission prompt, causing the test to fail. Revert: ------- https://chromium-review.googlesource.com/c/chromium/src/+/3196851 Due to failing test on Windows and Mac. Original commit: ---------------- Developers are surprised that sandboxed iframe can navigate the user toward an external protocol. The navigation in the sandbox is not blocked by sandbox normally, only top-level navigation and opening popups are blocked. So not blocking iframe navigations in general is working as intended. However sandboxed iframe navigation toward external protocol handler are navigating the user toward a different application. Somehow, this can be seen as a new popup or a new top-level navigation. This patch gates access to external protocol behind one of: - allow-popup - allow-top-level-navigation - allow-top-level-navigation-by-user-activation + UserGesture. This is not enforced by content/. So this is not a web feature. This is implemented by chrome/ only. The reason is that Android Webview may do not want to apply these restrictions. Android Webview do not support external protocol by itself, but it let the Android app to listen and intercept the request. We decided to let the Android app full power here, to avoid breaking the existing users. Spec: whatwg/html#7124 Mozilla position: mozilla/standards-positions#581 Webkit position: https://lists.webkit.org/pipermail/webkit-dev/2021-September/031988.html Chrome feature: https://chromestatus.com/guide/edit/5680742077038592 Bug: 1148777, 1253379
mariospr
added a commit
to brave/brave-core
that referenced
this pull request
Oct 19, 2021
It expects an additional network::mojom::WebSandboxFlags parameter now. Chromium change: https://source.chromium.org/chromium/chromium/src/+/038f0de5070fb6c4ccab88ca89aaffa4b41d8d1f commit 038f0de5070fb6c4ccab88ca89aaffa4b41d8d1f Author: Arthur Sonzogni <arthursonzogni@chromium.org> Date: Thu Oct 7 13:51:34 2021 +0000 Reland "Block external protocol handler with sandbox." Reland: ------- See diff: https://chromium-review.googlesource.com/c/chromium/src/+/3198263/1..19 On Linux, external protocols calls are delegated to the OS without additional security check. On Windows and Mac (possibly more), it needs to be allowed by the the PolicyBlocklistService explicitely, or it would go through a permission prompt, causing the test to fail. Revert: ------- https://chromium-review.googlesource.com/c/chromium/src/+/3196851 Due to failing test on Windows and Mac. Original commit: ---------------- Developers are surprised that sandboxed iframe can navigate the user toward an external protocol. The navigation in the sandbox is not blocked by sandbox normally, only top-level navigation and opening popups are blocked. So not blocking iframe navigations in general is working as intended. However sandboxed iframe navigation toward external protocol handler are navigating the user toward a different application. Somehow, this can be seen as a new popup or a new top-level navigation. This patch gates access to external protocol behind one of: - allow-popup - allow-top-level-navigation - allow-top-level-navigation-by-user-activation + UserGesture. This is not enforced by content/. So this is not a web feature. This is implemented by chrome/ only. The reason is that Android Webview may do not want to apply these restrictions. Android Webview do not support external protocol by itself, but it let the Android app to listen and intercept the request. We decided to let the Android app full power here, to avoid breaking the existing users. Spec: whatwg/html#7124 Mozilla position: mozilla/standards-positions#581 Webkit position: https://lists.webkit.org/pipermail/webkit-dev/2021-September/031988.html Chrome feature: https://chromestatus.com/guide/edit/5680742077038592 Bug: 1148777, 1253379
mkarolin
pushed a commit
to brave/brave-core
that referenced
this pull request
Oct 20, 2021
It expects an additional network::mojom::WebSandboxFlags parameter now. Chromium change: https://source.chromium.org/chromium/chromium/src/+/038f0de5070fb6c4ccab88ca89aaffa4b41d8d1f commit 038f0de5070fb6c4ccab88ca89aaffa4b41d8d1f Author: Arthur Sonzogni <arthursonzogni@chromium.org> Date: Thu Oct 7 13:51:34 2021 +0000 Reland "Block external protocol handler with sandbox." Reland: ------- See diff: https://chromium-review.googlesource.com/c/chromium/src/+/3198263/1..19 On Linux, external protocols calls are delegated to the OS without additional security check. On Windows and Mac (possibly more), it needs to be allowed by the the PolicyBlocklistService explicitely, or it would go through a permission prompt, causing the test to fail. Revert: ------- https://chromium-review.googlesource.com/c/chromium/src/+/3196851 Due to failing test on Windows and Mac. Original commit: ---------------- Developers are surprised that sandboxed iframe can navigate the user toward an external protocol. The navigation in the sandbox is not blocked by sandbox normally, only top-level navigation and opening popups are blocked. So not blocking iframe navigations in general is working as intended. However sandboxed iframe navigation toward external protocol handler are navigating the user toward a different application. Somehow, this can be seen as a new popup or a new top-level navigation. This patch gates access to external protocol behind one of: - allow-popup - allow-top-level-navigation - allow-top-level-navigation-by-user-activation + UserGesture. This is not enforced by content/. So this is not a web feature. This is implemented by chrome/ only. The reason is that Android Webview may do not want to apply these restrictions. Android Webview do not support external protocol by itself, but it let the Android app to listen and intercept the request. We decided to let the Android app full power here, to avoid breaking the existing users. Spec: whatwg/html#7124 Mozilla position: mozilla/standards-positions#581 Webkit position: https://lists.webkit.org/pipermail/webkit-dev/2021-September/031988.html Chrome feature: https://chromestatus.com/guide/edit/5680742077038592 Bug: 1148777, 1253379
mariospr
added a commit
to brave/brave-core
that referenced
this pull request
Oct 21, 2021
It expects an additional network::mojom::WebSandboxFlags parameter now. Chromium change: https://source.chromium.org/chromium/chromium/src/+/038f0de5070fb6c4ccab88ca89aaffa4b41d8d1f commit 038f0de5070fb6c4ccab88ca89aaffa4b41d8d1f Author: Arthur Sonzogni <arthursonzogni@chromium.org> Date: Thu Oct 7 13:51:34 2021 +0000 Reland "Block external protocol handler with sandbox." Reland: ------- See diff: https://chromium-review.googlesource.com/c/chromium/src/+/3198263/1..19 On Linux, external protocols calls are delegated to the OS without additional security check. On Windows and Mac (possibly more), it needs to be allowed by the the PolicyBlocklistService explicitely, or it would go through a permission prompt, causing the test to fail. Revert: ------- https://chromium-review.googlesource.com/c/chromium/src/+/3196851 Due to failing test on Windows and Mac. Original commit: ---------------- Developers are surprised that sandboxed iframe can navigate the user toward an external protocol. The navigation in the sandbox is not blocked by sandbox normally, only top-level navigation and opening popups are blocked. So not blocking iframe navigations in general is working as intended. However sandboxed iframe navigation toward external protocol handler are navigating the user toward a different application. Somehow, this can be seen as a new popup or a new top-level navigation. This patch gates access to external protocol behind one of: - allow-popup - allow-top-level-navigation - allow-top-level-navigation-by-user-activation + UserGesture. This is not enforced by content/. So this is not a web feature. This is implemented by chrome/ only. The reason is that Android Webview may do not want to apply these restrictions. Android Webview do not support external protocol by itself, but it let the Android app to listen and intercept the request. We decided to let the Android app full power here, to avoid breaking the existing users. Spec: whatwg/html#7124 Mozilla position: mozilla/standards-positions#581 Webkit position: https://lists.webkit.org/pipermail/webkit-dev/2021-September/031988.html Chrome feature: https://chromestatus.com/guide/edit/5680742077038592 Bug: 1148777, 1253379
mariospr
added a commit
to brave/brave-core
that referenced
this pull request
Oct 21, 2021
It expects an additional network::mojom::WebSandboxFlags parameter now. Chromium change: https://source.chromium.org/chromium/chromium/src/+/038f0de5070fb6c4ccab88ca89aaffa4b41d8d1f commit 038f0de5070fb6c4ccab88ca89aaffa4b41d8d1f Author: Arthur Sonzogni <arthursonzogni@chromium.org> Date: Thu Oct 7 13:51:34 2021 +0000 Reland "Block external protocol handler with sandbox." Reland: ------- See diff: https://chromium-review.googlesource.com/c/chromium/src/+/3198263/1..19 On Linux, external protocols calls are delegated to the OS without additional security check. On Windows and Mac (possibly more), it needs to be allowed by the the PolicyBlocklistService explicitely, or it would go through a permission prompt, causing the test to fail. Revert: ------- https://chromium-review.googlesource.com/c/chromium/src/+/3196851 Due to failing test on Windows and Mac. Original commit: ---------------- Developers are surprised that sandboxed iframe can navigate the user toward an external protocol. The navigation in the sandbox is not blocked by sandbox normally, only top-level navigation and opening popups are blocked. So not blocking iframe navigations in general is working as intended. However sandboxed iframe navigation toward external protocol handler are navigating the user toward a different application. Somehow, this can be seen as a new popup or a new top-level navigation. This patch gates access to external protocol behind one of: - allow-popup - allow-top-level-navigation - allow-top-level-navigation-by-user-activation + UserGesture. This is not enforced by content/. So this is not a web feature. This is implemented by chrome/ only. The reason is that Android Webview may do not want to apply these restrictions. Android Webview do not support external protocol by itself, but it let the Android app to listen and intercept the request. We decided to let the Android app full power here, to avoid breaking the existing users. Spec: whatwg/html#7124 Mozilla position: mozilla/standards-positions#581 Webkit position: https://lists.webkit.org/pipermail/webkit-dev/2021-September/031988.html Chrome feature: https://chromestatus.com/guide/edit/5680742077038592 Bug: 1148777, 1253379
mariospr
added a commit
to brave/brave-core
that referenced
this pull request
Oct 22, 2021
It expects an additional network::mojom::WebSandboxFlags parameter now. Chromium change: https://source.chromium.org/chromium/chromium/src/+/038f0de5070fb6c4ccab88ca89aaffa4b41d8d1f commit 038f0de5070fb6c4ccab88ca89aaffa4b41d8d1f Author: Arthur Sonzogni <arthursonzogni@chromium.org> Date: Thu Oct 7 13:51:34 2021 +0000 Reland "Block external protocol handler with sandbox." Reland: ------- See diff: https://chromium-review.googlesource.com/c/chromium/src/+/3198263/1..19 On Linux, external protocols calls are delegated to the OS without additional security check. On Windows and Mac (possibly more), it needs to be allowed by the the PolicyBlocklistService explicitely, or it would go through a permission prompt, causing the test to fail. Revert: ------- https://chromium-review.googlesource.com/c/chromium/src/+/3196851 Due to failing test on Windows and Mac. Original commit: ---------------- Developers are surprised that sandboxed iframe can navigate the user toward an external protocol. The navigation in the sandbox is not blocked by sandbox normally, only top-level navigation and opening popups are blocked. So not blocking iframe navigations in general is working as intended. However sandboxed iframe navigation toward external protocol handler are navigating the user toward a different application. Somehow, this can be seen as a new popup or a new top-level navigation. This patch gates access to external protocol behind one of: - allow-popup - allow-top-level-navigation - allow-top-level-navigation-by-user-activation + UserGesture. This is not enforced by content/. So this is not a web feature. This is implemented by chrome/ only. The reason is that Android Webview may do not want to apply these restrictions. Android Webview do not support external protocol by itself, but it let the Android app to listen and intercept the request. We decided to let the Android app full power here, to avoid breaking the existing users. Spec: whatwg/html#7124 Mozilla position: mozilla/standards-positions#581 Webkit position: https://lists.webkit.org/pipermail/webkit-dev/2021-September/031988.html Chrome feature: https://chromestatus.com/guide/edit/5680742077038592 Bug: 1148777, 1253379
mkarolin
pushed a commit
to brave/brave-core
that referenced
this pull request
Oct 22, 2021
It expects an additional network::mojom::WebSandboxFlags parameter now. Chromium change: https://source.chromium.org/chromium/chromium/src/+/038f0de5070fb6c4ccab88ca89aaffa4b41d8d1f commit 038f0de5070fb6c4ccab88ca89aaffa4b41d8d1f Author: Arthur Sonzogni <arthursonzogni@chromium.org> Date: Thu Oct 7 13:51:34 2021 +0000 Reland "Block external protocol handler with sandbox." Reland: ------- See diff: https://chromium-review.googlesource.com/c/chromium/src/+/3198263/1..19 On Linux, external protocols calls are delegated to the OS without additional security check. On Windows and Mac (possibly more), it needs to be allowed by the the PolicyBlocklistService explicitely, or it would go through a permission prompt, causing the test to fail. Revert: ------- https://chromium-review.googlesource.com/c/chromium/src/+/3196851 Due to failing test on Windows and Mac. Original commit: ---------------- Developers are surprised that sandboxed iframe can navigate the user toward an external protocol. The navigation in the sandbox is not blocked by sandbox normally, only top-level navigation and opening popups are blocked. So not blocking iframe navigations in general is working as intended. However sandboxed iframe navigation toward external protocol handler are navigating the user toward a different application. Somehow, this can be seen as a new popup or a new top-level navigation. This patch gates access to external protocol behind one of: - allow-popup - allow-top-level-navigation - allow-top-level-navigation-by-user-activation + UserGesture. This is not enforced by content/. So this is not a web feature. This is implemented by chrome/ only. The reason is that Android Webview may do not want to apply these restrictions. Android Webview do not support external protocol by itself, but it let the Android app to listen and intercept the request. We decided to let the Android app full power here, to avoid breaking the existing users. Spec: whatwg/html#7124 Mozilla position: mozilla/standards-positions#581 Webkit position: https://lists.webkit.org/pipermail/webkit-dev/2021-September/031988.html Chrome feature: https://chromestatus.com/guide/edit/5680742077038592 Bug: 1148777, 1253379
mkarolin
pushed a commit
to brave/brave-core
that referenced
this pull request
Oct 25, 2021
It expects an additional network::mojom::WebSandboxFlags parameter now. Chromium change: https://source.chromium.org/chromium/chromium/src/+/038f0de5070fb6c4ccab88ca89aaffa4b41d8d1f commit 038f0de5070fb6c4ccab88ca89aaffa4b41d8d1f Author: Arthur Sonzogni <arthursonzogni@chromium.org> Date: Thu Oct 7 13:51:34 2021 +0000 Reland "Block external protocol handler with sandbox." Reland: ------- See diff: https://chromium-review.googlesource.com/c/chromium/src/+/3198263/1..19 On Linux, external protocols calls are delegated to the OS without additional security check. On Windows and Mac (possibly more), it needs to be allowed by the the PolicyBlocklistService explicitely, or it would go through a permission prompt, causing the test to fail. Revert: ------- https://chromium-review.googlesource.com/c/chromium/src/+/3196851 Due to failing test on Windows and Mac. Original commit: ---------------- Developers are surprised that sandboxed iframe can navigate the user toward an external protocol. The navigation in the sandbox is not blocked by sandbox normally, only top-level navigation and opening popups are blocked. So not blocking iframe navigations in general is working as intended. However sandboxed iframe navigation toward external protocol handler are navigating the user toward a different application. Somehow, this can be seen as a new popup or a new top-level navigation. This patch gates access to external protocol behind one of: - allow-popup - allow-top-level-navigation - allow-top-level-navigation-by-user-activation + UserGesture. This is not enforced by content/. So this is not a web feature. This is implemented by chrome/ only. The reason is that Android Webview may do not want to apply these restrictions. Android Webview do not support external protocol by itself, but it let the Android app to listen and intercept the request. We decided to let the Android app full power here, to avoid breaking the existing users. Spec: whatwg/html#7124 Mozilla position: mozilla/standards-positions#581 Webkit position: https://lists.webkit.org/pipermail/webkit-dev/2021-September/031988.html Chrome feature: https://chromestatus.com/guide/edit/5680742077038592 Bug: 1148777, 1253379
mkarolin
pushed a commit
to brave/brave-core
that referenced
this pull request
Oct 26, 2021
It expects an additional network::mojom::WebSandboxFlags parameter now. Chromium change: https://source.chromium.org/chromium/chromium/src/+/038f0de5070fb6c4ccab88ca89aaffa4b41d8d1f commit 038f0de5070fb6c4ccab88ca89aaffa4b41d8d1f Author: Arthur Sonzogni <arthursonzogni@chromium.org> Date: Thu Oct 7 13:51:34 2021 +0000 Reland "Block external protocol handler with sandbox." Reland: ------- See diff: https://chromium-review.googlesource.com/c/chromium/src/+/3198263/1..19 On Linux, external protocols calls are delegated to the OS without additional security check. On Windows and Mac (possibly more), it needs to be allowed by the the PolicyBlocklistService explicitely, or it would go through a permission prompt, causing the test to fail. Revert: ------- https://chromium-review.googlesource.com/c/chromium/src/+/3196851 Due to failing test on Windows and Mac. Original commit: ---------------- Developers are surprised that sandboxed iframe can navigate the user toward an external protocol. The navigation in the sandbox is not blocked by sandbox normally, only top-level navigation and opening popups are blocked. So not blocking iframe navigations in general is working as intended. However sandboxed iframe navigation toward external protocol handler are navigating the user toward a different application. Somehow, this can be seen as a new popup or a new top-level navigation. This patch gates access to external protocol behind one of: - allow-popup - allow-top-level-navigation - allow-top-level-navigation-by-user-activation + UserGesture. This is not enforced by content/. So this is not a web feature. This is implemented by chrome/ only. The reason is that Android Webview may do not want to apply these restrictions. Android Webview do not support external protocol by itself, but it let the Android app to listen and intercept the request. We decided to let the Android app full power here, to avoid breaking the existing users. Spec: whatwg/html#7124 Mozilla position: mozilla/standards-positions#581 Webkit position: https://lists.webkit.org/pipermail/webkit-dev/2021-September/031988.html Chrome feature: https://chromestatus.com/guide/edit/5680742077038592 Bug: 1148777, 1253379
mariospr
added a commit
to brave/brave-core
that referenced
this pull request
Oct 28, 2021
It expects an additional network::mojom::WebSandboxFlags parameter now. Chromium change: https://source.chromium.org/chromium/chromium/src/+/038f0de5070fb6c4ccab88ca89aaffa4b41d8d1f commit 038f0de5070fb6c4ccab88ca89aaffa4b41d8d1f Author: Arthur Sonzogni <arthursonzogni@chromium.org> Date: Thu Oct 7 13:51:34 2021 +0000 Reland "Block external protocol handler with sandbox." Reland: ------- See diff: https://chromium-review.googlesource.com/c/chromium/src/+/3198263/1..19 On Linux, external protocols calls are delegated to the OS without additional security check. On Windows and Mac (possibly more), it needs to be allowed by the the PolicyBlocklistService explicitely, or it would go through a permission prompt, causing the test to fail. Revert: ------- https://chromium-review.googlesource.com/c/chromium/src/+/3196851 Due to failing test on Windows and Mac. Original commit: ---------------- Developers are surprised that sandboxed iframe can navigate the user toward an external protocol. The navigation in the sandbox is not blocked by sandbox normally, only top-level navigation and opening popups are blocked. So not blocking iframe navigations in general is working as intended. However sandboxed iframe navigation toward external protocol handler are navigating the user toward a different application. Somehow, this can be seen as a new popup or a new top-level navigation. This patch gates access to external protocol behind one of: - allow-popup - allow-top-level-navigation - allow-top-level-navigation-by-user-activation + UserGesture. This is not enforced by content/. So this is not a web feature. This is implemented by chrome/ only. The reason is that Android Webview may do not want to apply these restrictions. Android Webview do not support external protocol by itself, but it let the Android app to listen and intercept the request. We decided to let the Android app full power here, to avoid breaking the existing users. Spec: whatwg/html#7124 Mozilla position: mozilla/standards-positions#581 Webkit position: https://lists.webkit.org/pipermail/webkit-dev/2021-September/031988.html Chrome feature: https://chromestatus.com/guide/edit/5680742077038592 Bug: 1148777, 1253379
mkarolin
pushed a commit
to brave/brave-core
that referenced
this pull request
Oct 29, 2021
It expects an additional network::mojom::WebSandboxFlags parameter now. Chromium change: https://source.chromium.org/chromium/chromium/src/+/038f0de5070fb6c4ccab88ca89aaffa4b41d8d1f commit 038f0de5070fb6c4ccab88ca89aaffa4b41d8d1f Author: Arthur Sonzogni <arthursonzogni@chromium.org> Date: Thu Oct 7 13:51:34 2021 +0000 Reland "Block external protocol handler with sandbox." Reland: ------- See diff: https://chromium-review.googlesource.com/c/chromium/src/+/3198263/1..19 On Linux, external protocols calls are delegated to the OS without additional security check. On Windows and Mac (possibly more), it needs to be allowed by the the PolicyBlocklistService explicitely, or it would go through a permission prompt, causing the test to fail. Revert: ------- https://chromium-review.googlesource.com/c/chromium/src/+/3196851 Due to failing test on Windows and Mac. Original commit: ---------------- Developers are surprised that sandboxed iframe can navigate the user toward an external protocol. The navigation in the sandbox is not blocked by sandbox normally, only top-level navigation and opening popups are blocked. So not blocking iframe navigations in general is working as intended. However sandboxed iframe navigation toward external protocol handler are navigating the user toward a different application. Somehow, this can be seen as a new popup or a new top-level navigation. This patch gates access to external protocol behind one of: - allow-popup - allow-top-level-navigation - allow-top-level-navigation-by-user-activation + UserGesture. This is not enforced by content/. So this is not a web feature. This is implemented by chrome/ only. The reason is that Android Webview may do not want to apply these restrictions. Android Webview do not support external protocol by itself, but it let the Android app to listen and intercept the request. We decided to let the Android app full power here, to avoid breaking the existing users. Spec: whatwg/html#7124 Mozilla position: mozilla/standards-positions#581 Webkit position: https://lists.webkit.org/pipermail/webkit-dev/2021-September/031988.html Chrome feature: https://chromestatus.com/guide/edit/5680742077038592 Bug: 1148777, 1253379
mkarolin
pushed a commit
to brave/brave-core
that referenced
this pull request
Nov 1, 2021
It expects an additional network::mojom::WebSandboxFlags parameter now. Chromium change: https://source.chromium.org/chromium/chromium/src/+/038f0de5070fb6c4ccab88ca89aaffa4b41d8d1f commit 038f0de5070fb6c4ccab88ca89aaffa4b41d8d1f Author: Arthur Sonzogni <arthursonzogni@chromium.org> Date: Thu Oct 7 13:51:34 2021 +0000 Reland "Block external protocol handler with sandbox." Reland: ------- See diff: https://chromium-review.googlesource.com/c/chromium/src/+/3198263/1..19 On Linux, external protocols calls are delegated to the OS without additional security check. On Windows and Mac (possibly more), it needs to be allowed by the the PolicyBlocklistService explicitely, or it would go through a permission prompt, causing the test to fail. Revert: ------- https://chromium-review.googlesource.com/c/chromium/src/+/3196851 Due to failing test on Windows and Mac. Original commit: ---------------- Developers are surprised that sandboxed iframe can navigate the user toward an external protocol. The navigation in the sandbox is not blocked by sandbox normally, only top-level navigation and opening popups are blocked. So not blocking iframe navigations in general is working as intended. However sandboxed iframe navigation toward external protocol handler are navigating the user toward a different application. Somehow, this can be seen as a new popup or a new top-level navigation. This patch gates access to external protocol behind one of: - allow-popup - allow-top-level-navigation - allow-top-level-navigation-by-user-activation + UserGesture. This is not enforced by content/. So this is not a web feature. This is implemented by chrome/ only. The reason is that Android Webview may do not want to apply these restrictions. Android Webview do not support external protocol by itself, but it let the Android app to listen and intercept the request. We decided to let the Android app full power here, to avoid breaking the existing users. Spec: whatwg/html#7124 Mozilla position: mozilla/standards-positions#581 Webkit position: https://lists.webkit.org/pipermail/webkit-dev/2021-September/031988.html Chrome feature: https://chromestatus.com/guide/edit/5680742077038592 Bug: 1148777, 1253379
mkarolin
pushed a commit
to brave/brave-core
that referenced
this pull request
Nov 2, 2021
It expects an additional network::mojom::WebSandboxFlags parameter now. Chromium change: https://source.chromium.org/chromium/chromium/src/+/038f0de5070fb6c4ccab88ca89aaffa4b41d8d1f commit 038f0de5070fb6c4ccab88ca89aaffa4b41d8d1f Author: Arthur Sonzogni <arthursonzogni@chromium.org> Date: Thu Oct 7 13:51:34 2021 +0000 Reland "Block external protocol handler with sandbox." Reland: ------- See diff: https://chromium-review.googlesource.com/c/chromium/src/+/3198263/1..19 On Linux, external protocols calls are delegated to the OS without additional security check. On Windows and Mac (possibly more), it needs to be allowed by the the PolicyBlocklistService explicitely, or it would go through a permission prompt, causing the test to fail. Revert: ------- https://chromium-review.googlesource.com/c/chromium/src/+/3196851 Due to failing test on Windows and Mac. Original commit: ---------------- Developers are surprised that sandboxed iframe can navigate the user toward an external protocol. The navigation in the sandbox is not blocked by sandbox normally, only top-level navigation and opening popups are blocked. So not blocking iframe navigations in general is working as intended. However sandboxed iframe navigation toward external protocol handler are navigating the user toward a different application. Somehow, this can be seen as a new popup or a new top-level navigation. This patch gates access to external protocol behind one of: - allow-popup - allow-top-level-navigation - allow-top-level-navigation-by-user-activation + UserGesture. This is not enforced by content/. So this is not a web feature. This is implemented by chrome/ only. The reason is that Android Webview may do not want to apply these restrictions. Android Webview do not support external protocol by itself, but it let the Android app to listen and intercept the request. We decided to let the Android app full power here, to avoid breaking the existing users. Spec: whatwg/html#7124 Mozilla position: mozilla/standards-positions#581 Webkit position: https://lists.webkit.org/pipermail/webkit-dev/2021-September/031988.html Chrome feature: https://chromestatus.com/guide/edit/5680742077038592 Bug: 1148777, 1253379
mkarolin
pushed a commit
to brave/brave-core
that referenced
this pull request
Nov 2, 2021
It expects an additional network::mojom::WebSandboxFlags parameter now. Chromium change: https://source.chromium.org/chromium/chromium/src/+/038f0de5070fb6c4ccab88ca89aaffa4b41d8d1f commit 038f0de5070fb6c4ccab88ca89aaffa4b41d8d1f Author: Arthur Sonzogni <arthursonzogni@chromium.org> Date: Thu Oct 7 13:51:34 2021 +0000 Reland "Block external protocol handler with sandbox." Reland: ------- See diff: https://chromium-review.googlesource.com/c/chromium/src/+/3198263/1..19 On Linux, external protocols calls are delegated to the OS without additional security check. On Windows and Mac (possibly more), it needs to be allowed by the the PolicyBlocklistService explicitely, or it would go through a permission prompt, causing the test to fail. Revert: ------- https://chromium-review.googlesource.com/c/chromium/src/+/3196851 Due to failing test on Windows and Mac. Original commit: ---------------- Developers are surprised that sandboxed iframe can navigate the user toward an external protocol. The navigation in the sandbox is not blocked by sandbox normally, only top-level navigation and opening popups are blocked. So not blocking iframe navigations in general is working as intended. However sandboxed iframe navigation toward external protocol handler are navigating the user toward a different application. Somehow, this can be seen as a new popup or a new top-level navigation. This patch gates access to external protocol behind one of: - allow-popup - allow-top-level-navigation - allow-top-level-navigation-by-user-activation + UserGesture. This is not enforced by content/. So this is not a web feature. This is implemented by chrome/ only. The reason is that Android Webview may do not want to apply these restrictions. Android Webview do not support external protocol by itself, but it let the Android app to listen and intercept the request. We decided to let the Android app full power here, to avoid breaking the existing users. Spec: whatwg/html#7124 Mozilla position: mozilla/standards-positions#581 Webkit position: https://lists.webkit.org/pipermail/webkit-dev/2021-September/031988.html Chrome feature: https://chromestatus.com/guide/edit/5680742077038592 Bug: 1148777, 1253379
|
Sorry if I missed this but are there WPT tests for this? The original description mentions existing tests but I am not sure where they are. |
|
The original description mentions that we can't really write WPTs for this:
|
ArthurSonzogni
added a commit
to ArthurSonzogni/html
that referenced
this pull request
Feb 23, 2022
For security reasons, web browsers started to block navigations toward custom protocols initiated from within a sandboxed iframe. They are allowed, only when normal navigations are already allowed in top-level frame and when opening new popups. See: whatwg#7124 And: whatwg#2191 (comment) So far so good, but it is hard for some website like https://teams.microsoft.com/ to handle this change. They would like not to block custom scheme, while continuing to block supported ones. An escape hatch could be to mint a new "allow-custom-protocol-navigation" sandbox flags. This would allow web browser to ship the initial security mitigation without breaking them. Bug: whatwg#7468
3 tasks
ArthurSonzogni
added a commit
to ArthurSonzogni/html
that referenced
this pull request
Feb 23, 2022
For security reasons, web browsers started to block navigations toward custom protocols initiated from within a sandboxed iframe. They are allowed, only when normal navigations are already allowed in top-level frame and when opening new popups. See: whatwg#7124 And: whatwg#2191 (comment) So far so good, but it is hard for some website like https://teams.microsoft.com/ to handle this change. They would like not to block custom scheme, while continuing to block supported ones. An escape hatch could be to mint a new "allow-custom-protocol-navigation" sandbox flags. This would allow web browser to ship the initial security mitigation without breaking them. Bug: whatwg#7468
domenic
pushed a commit
that referenced
this pull request
Mar 7, 2022
For security reasons, web browsers started to block navigations toward custom protocols initiated from within a sandboxed iframe. They are allowed, only when normal navigations are already allowed in top-level frame and when opening new popups. See #7124 and #2191 (comment) for that background. It is hard for some websites to handle this change. They would like to not block custom schemes, while continuing to block supported ones. This adds a new "allow-custom-protocol-navigation" value for the sandbox="" attribute, which such sites can use. Closes #7468.
aarongable
pushed a commit
to chromium/chromium
that referenced
this pull request
Mar 9, 2022
This patch: - Implements the following HTML spec PR: whatwg/html#7654 - Add warning behind a flag. I plan to use them for two versions. - Delay Enterprise policy removal to M117 (~1 year) For security reasons, web browsers started to block navigations toward custom protocols initiated from within a sandboxed iframe. They are allowed, only when normal navigations are already allowed in top-level frame and when opening new popups. See: whatwg/html#7124 And: whatwg/html#2191 (comment) So far so good, but it is hard for some website like https://teams.microsoft.com/ to handle this change. They would like not to block custom scheme, while continuing to block supported ones. An escape hatch could be to mint a new `top-navigation-to-external-protocols` sandbox flags. This would allow web browser to ship the initial security mitigation without breaking them. Bug: whatwg/html#7468 Bug: https://crbug.com/1253379 Change-Id: If32169f5d30651b78a3251f0ec5e174a8a1a8101 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3483941 Reviewed-by: Mike West <mkwst@chromium.org> Reviewed-by: Vasilii Sukhanov <vasilii@chromium.org> Reviewed-by: Yutaka Hirano <yhirano@chromium.org> Reviewed-by: Pavol Marko <pmarko@chromium.org> Commit-Queue: Arthur Sonzogni <arthursonzogni@chromium.org> Cr-Commit-Position: refs/heads/main@{#979138}
mfreed7
pushed a commit
to mfreed7/html
that referenced
this pull request
Jun 3, 2022
For security reasons, web browsers started to block navigations toward custom protocols initiated from within a sandboxed iframe. They are allowed, only when normal navigations are already allowed in top-level frame and when opening new popups. See whatwg#7124 and whatwg#2191 (comment) for that background. It is hard for some websites to handle this change. They would like to not block custom schemes, while continuing to block supported ones. This adds a new "allow-custom-protocol-navigation" value for the sandbox="" attribute, which such sites can use. Closes whatwg#7468.
mjfroman
pushed a commit
to mjfroman/moz-libwebrtc-third-party
that referenced
this pull request
Oct 14, 2022
Developers are surprised that sandboxed iframe can navigate the user toward an external protocol. The navigation in the sandbox is not blocked by sandbox normally, only top-level navigation and opening popups are blocked. So not blocking iframe navigations in general is working as intended. However sandboxed iframe navigation toward external protocol handler are navigating the user toward a different application. Somehow, this can be seen as a new popup or a new top-level navigation. This patch gates access to external protocol behind one of: - allow-popup - allow-top-level-navigation - allow-top-level-navigation-by-user-activation + UserGesture. This is not enforced by content/. So this is not a web feature. This is implemented by chrome/ only. The reason is that Android Webview may do not want to apply these restrictions. Android Webview do not support external protocol by itself, but it let the Android app to listen and intercept the request. We decided to let the Android app full power here, to avoid breaking the existing users. Spec: whatwg/html#7124 Mozilla position: mozilla/standards-positions#581 Webkit position: https://lists.webkit.org/pipermail/webkit-dev/2021-September/031988.html Chrome feature: https://chromestatus.com/guide/edit/5680742077038592 Change-Id: I0c3f130d084e7a23555178f3a172efb3607e87b6 Bug: 1148777, 1253379 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3162979 Reviewed-by: Colin Blundell <blundell@chromium.org> Reviewed-by: Roman Sorokin [CET] <rsorokin@chromium.org> Reviewed-by: Devlin <rdevlin.cronin@chromium.org> Reviewed-by: Dominick Ng <dominickn@chromium.org> Reviewed-by: Richard Coles <torne@chromium.org> Commit-Queue: Arthur Sonzogni <arthursonzogni@chromium.org> Cr-Commit-Position: refs/heads/main@{#926684} NOKEYCHECK=True GitOrigin-RevId: ad1f7dbbaa99230cf8637fc035461466a3fc0237
mjfroman
pushed a commit
to mjfroman/moz-libwebrtc-third-party
that referenced
this pull request
Oct 14, 2022
This reverts commit ad1f7dbbaa99230cf8637fc035461466a3fc0237. Reason for revert: ExternalProtocolHandlerSandboxBrowserTest failed on Mac and Win7, more links can be found in crbug.com/1254729 Original change's description: > Block external protocol handler with sandbox. > > Developers are surprised that sandboxed iframe can navigate the user > toward an external protocol. > The navigation in the sandbox is not blocked by sandbox normally, only > top-level navigation and opening popups are blocked. So not blocking > iframe navigations in general is working as intended. However sandboxed > iframe navigation toward external protocol handler are navigating the > user toward a different application. Somehow, this can be seen as a new > popup or a new top-level navigation. > > This patch gates access to external protocol behind one of: > - allow-popup > - allow-top-level-navigation > - allow-top-level-navigation-by-user-activation + UserGesture. > > This is not enforced by content/. So this is not a web feature. > This is implemented by chrome/ only. > > The reason is that Android Webview may do not want to apply these > restrictions. Android Webview do not support external protocol by > itself, but it let the Android app to listen and intercept the request. > We decided to let the Android app full power here, to avoid breaking > the existing users. > > Spec: > whatwg/html#7124 > > Mozilla position: > mozilla/standards-positions#581 > > Webkit position: > https://lists.webkit.org/pipermail/webkit-dev/2021-September/031988.html > > Chrome feature: > https://chromestatus.com/guide/edit/5680742077038592 > > Change-Id: I0c3f130d084e7a23555178f3a172efb3607e87b6 > Bug: 1148777, 1253379 > Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3162979 > Reviewed-by: Colin Blundell <blundell@chromium.org> > Reviewed-by: Roman Sorokin [CET] <rsorokin@chromium.org> > Reviewed-by: Devlin <rdevlin.cronin@chromium.org> > Reviewed-by: Dominick Ng <dominickn@chromium.org> > Reviewed-by: Richard Coles <torne@chromium.org> > Commit-Queue: Arthur Sonzogni <arthursonzogni@chromium.org> > Cr-Commit-Position: refs/heads/main@{#926684} Bug: 1148777, 1253379, 1254729 Change-Id: I646705d2adc6375243caaa4b7ba4102dcd1b468c No-Presubmit: true No-Tree-Checks: true No-Try: true Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3196851 Auto-Submit: Owen Min <zmin@chromium.org> Bot-Commit: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com> Commit-Queue: Owen Min <zmin@chromium.org> Owners-Override: Owen Min <zmin@chromium.org> Cr-Commit-Position: refs/heads/main@{#926739} NOKEYCHECK=True GitOrigin-RevId: 40bca4ef13bbf28a3802dce9fce3d35ad557d676
mjfroman
pushed a commit
to mjfroman/moz-libwebrtc-third-party
that referenced
this pull request
Oct 14, 2022
Reland: ------- See diff: https://chromium-review.googlesource.com/c/chromium/src/+/3198263/1..19 On Linux, external protocols calls are delegated to the OS without additional security check. On Windows and Mac (possibly more), it needs to be allowed by the the PolicyBlocklistService explicitely, or it would go through a permission prompt, causing the test to fail. Revert: ------- https://chromium-review.googlesource.com/c/chromium/src/+/3196851 Due to failing test on Windows and Mac. Original commit: ---------------- Developers are surprised that sandboxed iframe can navigate the user toward an external protocol. The navigation in the sandbox is not blocked by sandbox normally, only top-level navigation and opening popups are blocked. So not blocking iframe navigations in general is working as intended. However sandboxed iframe navigation toward external protocol handler are navigating the user toward a different application. Somehow, this can be seen as a new popup or a new top-level navigation. This patch gates access to external protocol behind one of: - allow-popup - allow-top-level-navigation - allow-top-level-navigation-by-user-activation + UserGesture. This is not enforced by content/. So this is not a web feature. This is implemented by chrome/ only. The reason is that Android Webview may do not want to apply these restrictions. Android Webview do not support external protocol by itself, but it let the Android app to listen and intercept the request. We decided to let the Android app full power here, to avoid breaking the existing users. Spec: whatwg/html#7124 Mozilla position: mozilla/standards-positions#581 Webkit position: https://lists.webkit.org/pipermail/webkit-dev/2021-September/031988.html Chrome feature: https://chromestatus.com/guide/edit/5680742077038592 Bug: 1148777, 1253379 Change-Id: Iea92eb8ae6bf1da997dd1433aab4f93fecd879fc Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3198263 Commit-Queue: Arthur Sonzogni <arthursonzogni@chromium.org> Reviewed-by: Richard Coles <torne@chromium.org> Reviewed-by: Dominick Ng <dominickn@chromium.org> Reviewed-by: Devlin <rdevlin.cronin@chromium.org> Reviewed-by: Pavol Marko <pmarko@chromium.org> Reviewed-by: Colin Blundell <blundell@chromium.org> Cr-Commit-Position: refs/heads/main@{#929176} NOKEYCHECK=True GitOrigin-RevId: 038f0de5070fb6c4ccab88ca89aaffa4b41d8d1f
mjfroman
pushed a commit
to mjfroman/moz-libwebrtc-third-party
that referenced
this pull request
Oct 14, 2022
This patch: - Implements the following HTML spec PR: whatwg/html#7654 - Add warning behind a flag. I plan to use them for two versions. - Delay Enterprise policy removal to M117 (~1 year) For security reasons, web browsers started to block navigations toward custom protocols initiated from within a sandboxed iframe. They are allowed, only when normal navigations are already allowed in top-level frame and when opening new popups. See: whatwg/html#7124 And: whatwg/html#2191 (comment) So far so good, but it is hard for some website like https://teams.microsoft.com/ to handle this change. They would like not to block custom scheme, while continuing to block supported ones. An escape hatch could be to mint a new `top-navigation-to-external-protocols` sandbox flags. This would allow web browser to ship the initial security mitigation without breaking them. Bug: whatwg/html#7468 Bug: https://crbug.com/1253379 Change-Id: If32169f5d30651b78a3251f0ec5e174a8a1a8101 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3483941 Reviewed-by: Mike West <mkwst@chromium.org> Reviewed-by: Vasilii Sukhanov <vasilii@chromium.org> Reviewed-by: Yutaka Hirano <yhirano@chromium.org> Reviewed-by: Pavol Marko <pmarko@chromium.org> Commit-Queue: Arthur Sonzogni <arthursonzogni@chromium.org> Cr-Commit-Position: refs/heads/main@{#979138} NOKEYCHECK=True GitOrigin-RevId: 4ba3104f482c2d234db65b3b86a0ba1b364dfbf5
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Developers are surprised that sandboxed iframe can navigate and/or
redirect the user toward an external application.
General iframe navigation in the sandboxed iframe are not blocked
normally, because they stay within the iframe. However they can be seen
as a popup or a top-level navigation when it opens an external
application. In this case, it makes sense to extend the scope of sandbox
flags, and block malvertisers.
This patch gates access to external protocol from sandboxed iframe behind any of:
This addresses:
#2191
At least two implementers are interested (and none opposed):
Tests are written and can be reviewed and commented upon at:
Hand-off to external applicationis a at the boundary. Invoking external application or not is not observable from within the web platform.Implementation bugs are filed:
(See WHATWG Working Mode: Changes for more details.)
/acknowledgements.html ( diff )
/browsing-the-web.html ( diff )