Sketching `[InjectionMitigated]`. WIP, DNC, etc. [chromium/src : main]

0 views
Skip to first unread message

Mike West (Gerrit)

unread,
Apr 24, 2024, 9:29:43 AMApr 24
to AyeAye, Chromium LUCI CQ, chromium...@chromium.org, Kentaro Hara, tommyw+w...@chromium.org, feature-me...@chromium.org, blink-revie...@chromium.org, blink-...@chromium.org, jmedle...@chromium.org

Mike West added 1 comment

Patchset-level comments
File-level comment, Patchset 2:
Mike West . resolved

Hey Simon! If I clean this up and get it past our friendly bindings team (and update all the tests), would you accept it as a replacement for the check we agreed upon in https://chromium-review.googlesource.com/c/chromium/src/+/5287414?

TL;DR: Same model as `SecureContext`: skip runtime checks by limiting the API's exposure in the first place.

Open in Gerrit

Related details

Attention set is empty
Submit Requirements:
  • requirement satisfiedCode-Coverage
  • requirement is not satisfiedCode-Review
Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings. DiffyGerrit
Gerrit-MessageType: comment
Gerrit-Project: chromium/src
Gerrit-Branch: main
Gerrit-Change-Id: I507722b13219defc8c7b8fd2ead230c1259cbac3
Gerrit-Change-Number: 5458758
Gerrit-PatchSet: 3
Gerrit-Owner: Mike West <mk...@chromium.org>
Gerrit-Reviewer: Mike West <mk...@chromium.org>
Gerrit-CC: Kentaro Hara <har...@chromium.org>
Gerrit-Comment-Date: Wed, 24 Apr 2024 13:29:32 +0000
Gerrit-HasComments: Yes
Gerrit-Has-Labels: No
satisfied_requirement
unsatisfied_requirement
open
diffy

Mike West (Gerrit)

unread,
Apr 24, 2024, 9:30:17 AMApr 24
to Simon Hangl, AyeAye, Chromium LUCI CQ, chromium...@chromium.org, Kentaro Hara, tommyw+w...@chromium.org, feature-me...@chromium.org, blink-revie...@chromium.org, blink-...@chromium.org, jmedle...@chromium.org
Attention needed from Simon Hangl

Mike West added 1 comment

Patchset-level comments
File-level comment, Patchset 3 (Latest):
Mike West . resolved

Ugh. Actually adding you, Simon. 😊

Copy/pasting from the comment I didn't send you: Hey Simon! If I clean this up and get it past our friendly bindings team (and update all the tests), would you accept it as a replacement for the check we agreed upon in https://chromium-review.googlesource.com/c/chromium/src/+/5287414?

TL;DR: Same model as `SecureContext`: skip runtime checks by limiting the API's exposure in the first place.

Open in Gerrit

Related details

Attention is currently required from:
  • Simon Hangl
Submit Requirements:
  • requirement satisfiedCode-Coverage
  • requirement is not satisfiedCode-Review
Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings. DiffyGerrit
Gerrit-MessageType: comment
Gerrit-Project: chromium/src
Gerrit-Branch: main
Gerrit-Change-Id: I507722b13219defc8c7b8fd2ead230c1259cbac3
Gerrit-Change-Number: 5458758
Gerrit-PatchSet: 3
Gerrit-Owner: Mike West <mk...@chromium.org>
Gerrit-Reviewer: Mike West <mk...@chromium.org>
Gerrit-Reviewer: Simon Hangl <sim...@google.com>
Gerrit-Attention: Simon Hangl <sim...@google.com>
Gerrit-Comment-Date: Wed, 24 Apr 2024 13:30:05 +0000
Gerrit-HasComments: Yes
Gerrit-Has-Labels: No
satisfied_requirement
unsatisfied_requirement
open
diffy

Simon Hangl (Gerrit)

unread,
Apr 24, 2024, 9:46:15 AMApr 24
to Mike West, Artur Janc, AyeAye, Chromium LUCI CQ, chromium...@chromium.org, Kentaro Hara, tommyw+w...@chromium.org, feature-me...@chromium.org, blink-revie...@chromium.org, blink-...@chromium.org, jmedle...@chromium.org
Attention needed from Artur Janc and Mike West

Simon Hangl voted and added 4 comments

Votes added by Simon Hangl

Code-Review+1

4 comments

Patchset-level comments
Mike West . unresolved

Ugh. Actually adding you, Simon. 😊

Copy/pasting from the comment I didn't send you: Hey Simon! If I clean this up and get it past our friendly bindings team (and update all the tests), would you accept it as a replacement for the check we agreed upon in https://chromium-review.googlesource.com/c/chromium/src/+/5287414?

TL;DR: Same model as `SecureContext`: skip runtime checks by limiting the API's exposure in the first place.

Simon Hangl

If I understand this right, the only difference would be that the API doesn't even show up in non-strict-csp-contexts (instead of the current runtime check)? Are there any other differences?

If not, I think this is cool, thanks.

Simon Hangl . resolved

LGTM % nits

File third_party/blink/renderer/core/execution_context/execution_context.cc
Line 705, Patchset 3 (Latest): return GetContentSecurityPolicy()->IsStrictPolicyEnforced();
Simon Hangl . unresolved

Do we also want to check `RequiresTrustedTypes` here? If not, I'd suggest to name the idl attribute something along the lines of `StrictCsp`.

File third_party/blink/renderer/modules/mediastream/media_devices.idl
Line 34, Patchset 3 (Latest): MeasureAs = GetAllScreensMedia, InjectionMitigated
Simon Hangl . unresolved

Based on my conversations with the security folks, I'd be hesitant naming this `InjectionMitigated`. To my understanding CSP (and trusted types?) is mostly a mitigation for client side xss attacks.

@a...@google.com do you have an opinion on this?

Open in Gerrit

Related details

Attention is currently required from:
  • Artur Janc
  • Mike West
Submit Requirements:
  • requirement satisfiedCode-Coverage
  • requirement satisfiedCode-Review
  • requirement is not satisfiedNo-Unresolved-Comments
Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings. DiffyGerrit
Gerrit-MessageType: comment
Gerrit-Project: chromium/src
Gerrit-Branch: main
Gerrit-Change-Id: I507722b13219defc8c7b8fd2ead230c1259cbac3
Gerrit-Change-Number: 5458758
Gerrit-PatchSet: 3
Gerrit-Owner: Mike West <mk...@chromium.org>
Gerrit-Reviewer: Mike West <mk...@chromium.org>
Gerrit-Reviewer: Simon Hangl <sim...@google.com>
Gerrit-CC: Artur Janc <a...@google.com>
Gerrit-Attention: Mike West <mk...@chromium.org>
Gerrit-Attention: Artur Janc <a...@google.com>
Gerrit-Comment-Date: Wed, 24 Apr 2024 13:45:59 +0000
Gerrit-HasComments: Yes
Gerrit-Has-Labels: Yes
Comment-In-Reply-To: Mike West <mk...@chromium.org>
satisfied_requirement
unsatisfied_requirement
open
diffy

Artur Janc (Gerrit)

unread,
Apr 24, 2024, 10:23:15 AMApr 24
to Mike West, Simon Hangl, AyeAye, Chromium LUCI CQ, chromium...@chromium.org, Kentaro Hara, tommyw+w...@chromium.org, feature-me...@chromium.org, blink-revie...@chromium.org, blink-...@chromium.org, jmedle...@chromium.org
Attention needed from Mike West and Simon Hangl

Artur Janc added 1 comment

File third_party/blink/renderer/modules/mediastream/media_devices.idl
Line 34, Patchset 3 (Latest): MeasureAs = GetAllScreensMedia, InjectionMitigated
Simon Hangl . unresolved

Based on my conversations with the security folks, I'd be hesitant naming this `InjectionMitigated`. To my understanding CSP (and trusted types?) is mostly a mitigation for client side xss attacks.

@a...@google.com do you have an opinion on this?

Artur Janc

I'd be fine with `InjectionMitigated` - XSS almost always depends on an injection of HTML into a page, and CSP (and Trusted Types) is meant to mitigate the impact of such injections (i.e. not allow them to lead to script execution on the page). So the name makes sense to me.

Open in Gerrit

Related details

Attention is currently required from:
  • Mike West
  • Simon Hangl
Submit Requirements:
  • requirement satisfiedCode-Coverage
  • requirement satisfiedCode-Review
  • requirement is not satisfiedNo-Unresolved-Comments
Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings. DiffyGerrit
Gerrit-MessageType: comment
Gerrit-Project: chromium/src
Gerrit-Branch: main
Gerrit-Change-Id: I507722b13219defc8c7b8fd2ead230c1259cbac3
Gerrit-Change-Number: 5458758
Gerrit-PatchSet: 3
Gerrit-Owner: Mike West <mk...@chromium.org>
Gerrit-Reviewer: Mike West <mk...@chromium.org>
Gerrit-Reviewer: Simon Hangl <sim...@google.com>
Gerrit-CC: Artur Janc <a...@google.com>
Gerrit-CC: Kentaro Hara <har...@chromium.org>
Gerrit-Attention: Simon Hangl <sim...@google.com>
Gerrit-Attention: Mike West <mk...@chromium.org>
Gerrit-Comment-Date: Wed, 24 Apr 2024 14:22:58 +0000
Gerrit-HasComments: Yes
Gerrit-Has-Labels: No
Comment-In-Reply-To: Simon Hangl <sim...@google.com>
satisfied_requirement
unsatisfied_requirement
open
diffy

Simon Hangl (Gerrit)

unread,
Apr 24, 2024, 11:54:37 AMApr 24
to Mike West, Artur Janc, AyeAye, Chromium LUCI CQ, chromium...@chromium.org, Kentaro Hara, tommyw+w...@chromium.org, feature-me...@chromium.org, blink-revie...@chromium.org, blink-...@chromium.org, jmedle...@chromium.org
Attention needed from Mike West

Simon Hangl added 1 comment

File third_party/blink/renderer/core/execution_context/execution_context.cc
Line 705, Patchset 3 (Latest): return GetContentSecurityPolicy()->IsStrictPolicyEnforced();
Simon Hangl . unresolved

One further remark: we will need to support `getAllScreensMedia` in CSP and isolated web apps for some time (to enable developers to pivot to IWAs) and I think the strict CSP we check here does not 1to1 match the [IWA CSP](https://github.com/WICG/isolated-web-apps).

This makes me wonder if this function should also return true if we are in an isolated context:

```
const auto* csp = GetContentSecurityPolicy();
return (csp->IsStrictPolicyEnforced() && csp->RequiresTrustedTypes) || IsIsolatedContext();
```

Open in Gerrit

Related details

Attention is currently required from:
  • Mike West
Submit Requirements:
  • requirement satisfiedCode-Coverage
  • requirement satisfiedCode-Review
  • requirement is not satisfiedNo-Unresolved-Comments
Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings. DiffyGerrit
Gerrit-MessageType: comment
Gerrit-Project: chromium/src
Gerrit-Branch: main
Gerrit-Change-Id: I507722b13219defc8c7b8fd2ead230c1259cbac3
Gerrit-Change-Number: 5458758
Gerrit-PatchSet: 3
Gerrit-Owner: Mike West <mk...@chromium.org>
Gerrit-Reviewer: Mike West <mk...@chromium.org>
Gerrit-Reviewer: Simon Hangl <sim...@google.com>
Gerrit-CC: Artur Janc <a...@google.com>
Gerrit-CC: Kentaro Hara <har...@chromium.org>
Gerrit-Attention: Mike West <mk...@chromium.org>
Gerrit-Comment-Date: Wed, 24 Apr 2024 15:54:25 +0000
Gerrit-HasComments: Yes
Gerrit-Has-Labels: No
satisfied_requirement
unsatisfied_requirement
open
diffy

Blink W3C Test Autoroller (Gerrit)

unread,
Apr 25, 2024, 3:15:42 AMApr 25
to Mike West, Rijubrata Bhaumik, Andrew Rayskiy, Simon Hangl, Artur Janc, AyeAye, Chromium LUCI CQ, chromium...@chromium.org, Kentaro Hara, chfreme...@chromium.org, phoglun...@chromium.org, blink-revie...@chromium.org, blundell+...@chromium.org, tommyw+w...@chromium.org, feature-me...@chromium.org, blink-revie...@chromium.org, blink-...@chromium.org, jmedle...@chromium.org
Attention needed from Mike West and Simon Hangl

Message from Blink W3C Test Autoroller

Exportable changes to web-platform-tests were detected in this CL and a pull request in the upstream repo has been made: https://github.com/web-platform-tests/wpt/pull/45902.

When this CL lands, the bot will automatically merge the PR on GitHub if the required GitHub checks pass; otherwise, ecosystem-infra@ team will triage the failures and may contact you.

WPT Export docs:
https://chromium.googlesource.com/chromium/src/+/main/docs/testing/web_platform_tests.md#Automatic-export-process

Open in Gerrit

Related details

Attention is currently required from:
  • Mike West
  • Simon Hangl
Submit Requirements:
  • requirement satisfiedCode-Coverage
  • requirement is not satisfiedCode-Review
  • requirement is not satisfiedNo-Unresolved-Comments
Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings. DiffyGerrit
Gerrit-MessageType: comment
Gerrit-Project: chromium/src
Gerrit-Branch: main
Gerrit-Change-Id: I507722b13219defc8c7b8fd2ead230c1259cbac3
Gerrit-Change-Number: 5458758
Gerrit-PatchSet: 6
Gerrit-Owner: Mike West <mk...@chromium.org>
Gerrit-Reviewer: Mike West <mk...@chromium.org>
Gerrit-Reviewer: Simon Hangl <sim...@google.com>
Gerrit-CC: Andrew Rayskiy <green...@google.com>
Gerrit-CC: Artur Janc <a...@google.com>
Gerrit-CC: Blink W3C Test Autoroller <blink-w3c-te...@chromium.org>
Gerrit-CC: Kentaro Hara <har...@chromium.org>
Gerrit-CC: Rijubrata Bhaumik <rijubrat...@intel.com>
Gerrit-Attention: Simon Hangl <sim...@google.com>
Gerrit-Attention: Mike West <mk...@chromium.org>
Gerrit-Comment-Date: Thu, 25 Apr 2024 07:15:30 +0000
Gerrit-HasComments: No
Gerrit-Has-Labels: No
satisfied_requirement
unsatisfied_requirement
open
diffy
Reply all
Reply to author
Forward
0 new messages