Re: Intent to Implement: Treat plugin-initiated requests as "blockable" mixed content.


Mike West

Jul 30, 2015, 10:12:39 AM
to security-dev, Justin Schuh, laf...@chromium.org, blink-dev
+blink-dev, to whom I should have sent this to begin with.

On Thu, Jul 30, 2015 at 4:05 PM, Mike West <mk...@chromium.org> wrote:
Hello, security-dev@!

Currently, we treat plugin-initiated requests as "optionally-blockable" mixed content, in violation of the mixed content specification. We do this mostly because we can't easily distinguish between "safe" plugin-initiated requests (for images), and super-dangerous plugin-initiated requests (for SWFs to include): everything comes through the Pepper subresource loading code as "plugin content". We've been erring on the side of allowing the content, but I believe we need to change that. In particular, allowing insecure SWF content to infiltrate an otherwise secure context is bad (especially when users have opted to allow Flash out of its tight sandbox).

Given that mixed content plugin-initiated requests occur on something like 0.1% of page views[1], it's likely to break things out there on The Internets if we begin blocking these requests outright. I'd like to ease into things by setting up a field trial to begin ramping our way up to blocking plugin-initiated mixed content requests entirely.

WDYT of the approach?


-mike

Philip Jägenstedt

Jul 30, 2015, 10:19:29 AM
to Mike West, security-dev, Justin Schuh, laf...@chromium.org, blink-dev
Sounds like a hole well worth plugging. What would the "field trial" amount to?


Mike West

Jul 30, 2015, 10:24:51 AM
to Philip Jägenstedt, security-dev, Justin Schuh, laf...@chromium.org, blink-dev
On Thu, Jul 30, 2015 at 4:19 PM, Philip Jägenstedt <phi...@opera.com> wrote:
Sounds like a hole well worth plugging. What would the "field trial" amount to?

https://codereview.chromium.org/1265953002 and https://codereview.chromium.org/1260163005 will enable Google to change the behavior of the Canary/Dev/Beta/Stable channels individually. This would, for instance, allow us to slowly roll out a change like this one to X% of users in order to gauge the breakage and strategize about the right way to ship it by default.

(Does Opera implement a server-side backend for `base::FieldTrial`?)

-mike
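The two messages above describe a policy switch (plugin-initiated requests move from "optionally-blockable" to "blockable") and a staged rollout to X% of users. The following is an added example, not Chromium or Blink code, that models both pieces so the effect of the flip can be tried out. Every type and function name here (`RequestType`, `MixedContent`, `Classify`, `InRolloutGroup`, `ShouldBlock`) is an assumption made for the example; the real `base::FieldTrial` mentioned in the thread is replaced by a simple deterministic hash bucket, and the secure-context check is simplified to "https document" only.

```cpp
// Added example, not Chromium code: a minimal model of the mixed-content
// decision discussed in the thread. All names are assumptions, not Blink's.
#include <cctype>
#include <cstdint>
#include <iostream>
#include <string>

enum class RequestType { kImage, kMedia, kScript, kFrame, kPlugin };
enum class MixedContent { kNotMixed, kOptionallyBlockable, kBlockable };

// Returns the lower-cased scheme of |url| ("https" for "https://a/b"),
// or "" when the string carries no scheme.
std::string SchemeOf(const std::string& url) {
  std::string::size_type colon = url.find(':');
  if (colon == std::string::npos) return "";
  std::string scheme = url.substr(0, colon);
  for (char& c : scheme)
    c = static_cast<char>(std::tolower(static_cast<unsigned char>(c)));
  return scheme;
}

// Classifies a subresource request made from |document_url|.
// |plugin_requests_blockable| is the switch the thread proposes to flip:
// false models the current behaviour (plugin content is optionally-blockable),
// true models the proposed behaviour (plugin content is blockable).
MixedContent Classify(const std::string& document_url,
                      const std::string& request_url,
                      RequestType type,
                      bool plugin_requests_blockable) {
  // Mixed content only exists inside a secure context. Simplification: only
  // https documents count; localhost, file: and wss: are not modelled here.
  if (SchemeOf(document_url) != "https") return MixedContent::kNotMixed;
  // Only plaintext network schemes make a request "mixed".
  const std::string scheme = SchemeOf(request_url);
  if (scheme != "http" && scheme != "ws") return MixedContent::kNotMixed;
  switch (type) {
    case RequestType::kImage:
    case RequestType::kMedia:
      return MixedContent::kOptionallyBlockable;
    case RequestType::kPlugin:
      // The loader cannot tell an image fetch from a SWF fetch, so the whole
      // category must be treated as the worst case once the flip is on.
      return plugin_requests_blockable ? MixedContent::kBlockable
                                       : MixedContent::kOptionallyBlockable;
    default:
      return MixedContent::kBlockable;
  }
}

// Stand-in for a field-trial bucket (not base::FieldTrial): hashes a stable
// per-client id with FNV-1a so the same client lands in the same group on
// every run, and enables the new behaviour for |percent| of clients.
bool InRolloutGroup(const std::string& client_id, unsigned percent) {
  uint32_t h = 2166136261u;
  for (unsigned char c : client_id) {
    h ^= c;
    h *= 16777619u;
  }
  return (h % 100) < percent;
}

// Final decision: block when the request, classified under this client's
// trial group, is blockable.
bool ShouldBlock(const std::string& client_id, unsigned rollout_percent,
                 const std::string& document_url,
                 const std::string& request_url, RequestType type) {
  const bool flip = InRolloutGroup(client_id, rollout_percent);
  return Classify(document_url, request_url, type, flip) ==
         MixedContent::kBlockable;
}

int main() {
  // Constructed sample inputs.
  const std::string page = "https://example.test/";
  const std::string swf = "http://cdn.example.test/x.swf";
  const std::string img = "http://cdn.example.test/i.png";
  std::cout << "plugin request, trial off:     "
            << (ShouldBlock("client-A", 0, page, swf, RequestType::kPlugin)
                    ? "block" : "allow") << "\n";
  std::cout << "plugin request, trial at 100%: "
            << (ShouldBlock("client-A", 100, page, swf, RequestType::kPlugin)
                    ? "block" : "allow") << "\n";
  std::cout << "image request, trial at 100%:  "
            << (ShouldBlock("client-A", 100, page, img, RequestType::kImage)
                    ? "block" : "allow") << "\n";
  return 0;
}
```

With the rollout at 0% the plugin request is still allowed (optionally-blockable, as today); at 100% it is blocked, while an image request from the same origin stays optionally-blockable, which is the "only images and media remain in the mixed display category" outcome the thread is aiming for.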

Mike West

Jul 30, 2015, 12:09:28 PM
to Philip Jägenstedt, laf...@chromium.org, security-dev, blink-dev, Justin Schuh, Tanvi Vyas

+tanvi

Tanvi Vyas

Aug 3, 2015, 7:07:26 PM
to Mike West, Philip Jägenstedt, laf...@chromium.org, security-dev, blink-dev, Justin Schuh
I've filed a bug to see if we can do the same in Firefox.
https://bugzilla.mozilla.org/show_bug.cgi?id=1190623

If so, that only leaves images and media in the mixed display category! Please do let me know how your experiment goes.

Thanks!

~Tanvi

Chris Palmer

Aug 3, 2015, 7:42:21 PM
to Tanvi Vyas, Mike West, Philip Jägenstedt, laf...@chromium.org, security-dev, blink-dev, Justin Schuh
Regarding Justin's point about people being able to override with the
Shield Page Action: Is that still going away, or...?

Philip Jägenstedt

Aug 5, 2015, 10:37:59 AM
to Mike West, security-dev, Justin Schuh, laf...@chromium.org, blink-dev
That sounds cool! It doesn't look like Opera has a backend, at least
from a quick grep of the diff.

Philip

Mike West

Aug 10, 2015, 6:00:56 AM
to Chris Palmer, Tanvi Vyas, Philip Jägenstedt, laf...@chromium.org, security-dev, blink-dev, Justin Schuh
On Tue, Aug 4, 2015 at 1:42 AM, Chris Palmer <pal...@google.com> wrote:
Regarding Justin's point about people being able to override with the
Shield Page Action: Is that still going away, or...?

My suggestion would be to proceed with the plan to kill the shield for the types of blockable mixed content which we currently block (scripts, etc), and to retain the shield for plugin-initiated requests for some period of time while we evaluate the impact of treating those requests as blockable.

-mike