To unsubscribe from this group and stop receiving emails from it, send an email to apps-dev+u...@chromium.org.
Other code in both the renderer process and browser process should continue to see the URL as the chrome-extension:// URL, not as what's shown to the user. This means we should not use replaceState in Blink, nor the VirtualURL methods on NavigationEntry (since those are exposed to other code from methods like WebContents::GetLastCommittedURL). Instead, this should probably be strictly a display override in the omnibox code.
3) We can't allow this API to set the URL to chrome:// URLs. Are content scripts already blocked for chrome:// URLs?
4) Like content scripts, this would require having host permissions for the URLs displayed. kalman@ made a comment about moving away from host permissions in future extension APIs. Will adding this API make future plans be more difficult, or is there a way forward?
On Tue, Feb 10, 2015 at 11:08 AM, Charlie Reis <cr...@chromium.org> wrote:Other code in both the renderer process and browser process should continue to see the URL as the chrome-extension:// URL, not as what's shown to the user. This means we should not use replaceState in Blink, nor the VirtualURL methods on NavigationEntry (since those are exposed to other code from methods like WebContents::GetLastCommittedURL). Instead, this should probably be strictly a display override in the omnibox code.It's going to be a mess if the omnibox can't use the virtual URL to decide this. "Virtual URL" seemed to me to be exactly what this called for -- the "visible" URL rather than the "actual" URL. Isn't it wrong for code to use the virtual URL to make security decisions and the like?
Also, if the omnibox displays some URL <x>, then if the user does something like hit enter on that string, we're going to try to load that directly, not some secret underlying URL. In other words, if an extension can rewrite the visible URL to look like "foo.com", user edits to the address bar are going to load foo.com, not some extension URL. If that's not acceptable, this whole API isn't really going to fly, because there's no easy way around this.
I've said this at other times, but it seems that, ultimately, the feature we actually want is to allow extensions to install Service Workers for sites they have host permissions for. This would, I think, resolve a lot of Peter's comments and other thoughts on this thread, as well as a variety of other extension use cases. And I think it would avoid a lot of this internal tooling and complexity that we're discussing.On the other hand, I've heard, though, that it would be a very large amount of work to get that done, and it would probably introduce a world of its own complexity, so perhaps it's not really an option.--Joel
On Tue Feb 10 2015 at 1:32:06 PM Peter Kasting <pkas...@chromium.org> wrote:On Tue, Feb 10, 2015 at 11:08 AM, Charlie Reis <cr...@chromium.org> wrote:Other code in both the renderer process and browser process should continue to see the URL as the chrome-extension:// URL, not as what's shown to the user. This means we should not use replaceState in Blink, nor the VirtualURL methods on NavigationEntry (since those are exposed to other code from methods like WebContents::GetLastCommittedURL). Instead, this should probably be strictly a display override in the omnibox code.It's going to be a mess if the omnibox can't use the virtual URL to decide this. "Virtual URL" seemed to me to be exactly what this called for -- the "visible" URL rather than the "actual" URL. Isn't it wrong for code to use the virtual URL to make security decisions and the like?
Also, if the omnibox displays some URL <x>, then if the user does something like hit enter on that string, we're going to try to load that directly, not some secret underlying URL. In other words, if an extension can rewrite the visible URL to look like "foo.com", user edits to the address bar are going to load foo.com, not some extension URL. If that's not acceptable, this whole API isn't really going to fly, because there's no easy way around this.
PK
Issue 2 needs to be accounted for, at the implementation stage every corner case needs to be explored and tested, and fixed if needed.Issue 1 is not a problem at all, because if an extension can use this API, then it can also insert a content script on that host and do whatever it want while the omnibox displays a non-extension URL.2. The possibility that code expects the tab to not be very privileged, and allows others to access it, while in reality the tab is a privileged chrome-extension:-URL ("example.com? This site cannot do anything, let's give X access to the tab").Security concerns about the spoofed URL roughly falls in two categories:1. The fact that the extension inherits the trust from the spoofed URL ("Omnibox says google.com, so it is probably google.com").
On Tue, Feb 10, 2015 at 11:08 AM, Charlie Reis <cr...@chromium.org> wrote:Other code in both the renderer process and browser process should continue to see the URL as the chrome-extension:// URL, not as what's shown to the user. This means we should not use replaceState in Blink, nor the VirtualURL methods on NavigationEntry (since those are exposed to other code from methods like WebContents::GetLastCommittedURL). Instead, this should probably be strictly a display override in the omnibox code.It's going to be a mess if the omnibox can't use the virtual URL to decide this. "Virtual URL" seemed to me to be exactly what this called for -- the "visible" URL rather than the "actual" URL. Isn't it wrong for code to use the virtual URL to make security decisions and the like?
// The virtual URL, when nonempty, will override the actual URL of the page // when we display it to the user. This allows us to have nice and friendly // URLs that the user sees for things like about: URLs, but actually feed // the renderer a data URL that results in the content loading.
2015-02-10 22:32 GMT+01:00 Peter Kasting <pkas...@chromium.org>:
On Tue, Feb 10, 2015 at 11:08 AM, Charlie Reis <cr...@chromium.org> wrote:Other code in both the renderer process and browser process should continue to see the URL as the chrome-extension:// URL, not as what's shown to the user. This means we should not use replaceState in Blink, nor the VirtualURL methods on NavigationEntry (since those are exposed to other code from methods like WebContents::GetLastCommittedURL). Instead, this should probably be strictly a display override in the omnibox code.It's going to be a mess if the omnibox can't use the virtual URL to decide this. "Virtual URL" seemed to me to be exactly what this called for -- the "visible" URL rather than the "actual" URL. Isn't it wrong for code to use the virtual URL to make security decisions and the like?
VirtualURL seems like the most suitable way to implement this API without reinventing the wheel. Things like bookmarks will then also work out of the box. Security decisions should be based on URL, not VirtualURL, since URL is the true (internal) representation of the resource, right?(that having said, why does WebContentsImpl::GetURL return VirtualURL instead of URL?)
Also, if the omnibox displays some URL <x>, then if the user does something like hit enter on that string, we're going to try to load that directly, not some secret underlying URL. In other words, if an extension can rewrite the visible URL to look like "foo.com", user edits to the address bar are going to load foo.com, not some extension URL. If that's not acceptable, this whole API isn't really going to fly, because there's no easy way around this.
That is perfect, and exactly the reason why I want such an API. The URL in the omnibox is supposed to be a representation of the displayed content, and if an extension uses this API to spoof the omnibox, then the extension should try to make sure that the displayed content is indeed a representation of the content.
The complexity is making me uneasy.
I'm surprised by this. Generally reload or session restore puts you back in the state you were in, but this would end up returning the actual URL's content and not the extension's content.