Exposing icons to web pages with chrome://fileicon

418 views
Skip to first unread message

Pierre-Antoine LaFayette

unread,
Jan 23, 2010, 4:31:41 PM1/23/10
to Chromium-dev
This is related to my previous post http://groups.google.com/group/chromium-dev/browse_thread/thread/35a37278116cd0ff

Firefox has a moz-icon://<extention>?size=<size> URL scheme that will return appropriate icons based on file extensions, size, etc. Any HTML page can use this scheme to retrieve icons. The mozicon.html file contains the following:

<html>
<body>
 <img src="moz-icon://.zip?size=16" alt="File:"/>
</body>
</html> 

This will render a 16x16 png icon for zip files when opened in Firefox. 

I'm aware there is a similar internal URL scheme in Chromium, namely chrome://fileicon/<path>, that is used in DOM UI pages. Why could we not simply have something like moz-icon, that takes simply an extension and a size rather than the file path and make it web accessible? This way web developers can access the platform icons in their HTML pages.

Thanks.
--
Pierre.
mozicon.html

Brett Wilson

unread,
Jan 23, 2010, 8:18:30 PM1/23/10
to pierre.l...@gmail.com, Chromium-dev

We can't expose chrome: URLs to web pages for security reasons
("chrome:" has special security rules). We could expose a different
scheme for this type of thing if we wanted. It seems nice but a low
priority to me.

Brett

Pierre-Antoine LaFayette

unread,
Jan 23, 2010, 8:49:10 PM1/23/10
to Brett Wilson, Chromium-dev
We could expose a different scheme for this type of thing if we wanted. It seems nice but a low
priority to me.

Well I'd be the one implementing it :) Just wanted confirmation that this approach would be okay. Say a chrome-icon:// scheme that works exactly like moz-icon? I believe this new scheme would provide a nicer solution to crbug.com/24421 than IPC from the webkit glue layer requesting icon data from the Browser.

Thanks for the feedback.

2010/1/23 Brett Wilson <bre...@chromium.org>



--
Pierre.

Brett Wilson

unread,
Jan 23, 2010, 10:27:02 PM1/23/10
to Pierre-Antoine LaFayette, Chromium-dev
On Sat, Jan 23, 2010 at 5:49 PM, Pierre-Antoine LaFayette
<pierre.l...@gmail.com> wrote:
>> We could expose a different scheme for this type of thing if we wanted. It
>> seems nice but a low
>>
>> priority to me.
>
> Well I'd be the one implementing it :) Just wanted confirmation that this
> approach would be okay. Say a chrome-icon:// scheme that works exactly like
> moz-icon? I believe this new scheme would provide a nicer solution
> to crbug.com/24421 than IPC from the webkit glue layer requesting icon data
> from the Browser.

I'm not sur ehow the mozilla one works. Does it just go off the
extension of the file? I think you can implement that in a reasonable
way, although you have to be careful not to block the network thread
on the file I/O or system calls. If this actually needs to go to disk,
there are a bunch of security checks you will have to do very
carefully since we don't want regular web pages to request this for
random local files.

Brett

Pierre-Antoine LaFayette

unread,
Jan 23, 2010, 11:13:28 PM1/23/10
to Brett Wilson, Chromium-dev
The moz-icon implementation actually allows moz-icon://<identifier> to be:

// (1) file://<some valid platform specific file url>
// (2) //<some dummy file with an extension>
// (3) stock/<icon-identifier>

So not only just extensions, but file:// URLs and Mozilla specific icon identifiers. I guess we do need the file path unless we have a cache of common extension icons always available.

2010/1/23 Brett Wilson <bre...@chromium.org>



--
Pierre.

Pierre-Antoine LaFayette

unread,
Jan 23, 2010, 11:22:17 PM1/23/10
to Brett Wilson, Chromium-dev
Even more informative:

/**
   * nsIIconURI
   *
   * This interface derives from nsIURI, to provide additional information
   * about moz-icon URIs.
   *
   * What *is* a moz-icon URI you ask?  Well, it has the following syntax:
   *
   * moz-icon://[<file-uri> | <file-with-extension> | <stock-image>]? ['?'[<parameter-value-pairs>]]
   *
   * <file-uri> is a legal file: URI spec.  You only need to specify a file: URI inside the icon
   * if the file you want the icon for actually exists.
   *
   * <file-with-extension> is any filename with an extension, e.g. "dummy.html".
   * If the file you want an icon for isn't known to exist, you can omit the file URI, and just
   * place a dummy file name with the extension or content type you want: moz-icon://dummy.html.
   *
   * <stock-image> is of the format:   stock/<icon-name>
   *
   * <icon-name> is a valid icon name, such as 'ok', 'cancel', 'yes', 'no'.
   * XXXcaa Should these considered platform dependent or can we share and document them?
   *
   * Legal parameter value pairs are listed below:
   *
   *   Parameter:   size
   *   Values:      [<integer> | button | toolbar | toolbarsmall | menu | dialog]
   *   Description: If integer, this is the desired size in square pixels of the icon
   *                Else, use the OS default for the specified keyword context.
   *
   *   Parameter:   state
   *   Values:      [normal | disabled]
   *   Description: The state of the icon.
   *
   *   Parameter:   contentType
   *   Values:      <mime-type>
   *   Description: The mime type we want an icon for. This is ignored by stock images.
   */

2010/1/23 Pierre-Antoine LaFayette <pierre.l...@gmail.com>



--
Pierre.

Adam Barth

unread,
Jan 24, 2010, 5:32:55 AM1/24/10
to pierre.l...@gmail.com, Brett Wilson, Chromium-dev
On general principles, I don't think we should be adding non-standard
extensions to the web platform, especially if they require new magical
schemes.

The proper path forward for this feature is to create an open standard
that every browser can implement and put it through the W3C or IETF
process.

Adam


On Sat, Jan 23, 2010 at 5:49 PM, Pierre-Antoine LaFayette

> --
> Chromium Developers mailing list: chromi...@chromium.org
> View archives, change email options, or unsubscribe:
> http://groups.google.com/a/chromium.org/group/chromium-dev
>

TAMURA, Kent

unread,
Jan 24, 2010, 8:21:37 PM1/24/10
to pierre.l...@gmail.com, Chromium-dev

On Sun, Jan 24, 2010 at 06:31, Pierre-Antoine LaFayette <pierre.l...@gmail.com> wrote:
I'm aware there is a similar internal URL scheme in Chromium, namely chrome://fileicon/<path>, that is used in DOM UI pages. Why could we not simply have something like moz-icon, that takes simply an extension and a size rather than the file path and make it web accessible? This way web developers can access the platform icons in their HTML pages.
 
I'm afraid malicious web pages can steal platform icons.  They are not free basically.
I have a similar bug, http://crbug.com/13225 , and I'm implementing new IPC messages because exposing icons via URL is dangerous.
 
--
TAMURA Kent
Software Engineer, Google



James Bliss

unread,
Jan 24, 2010, 8:56:19 PM1/24/10
to Chromium-dev
On Sun, Jan 24, 2010 at 8:21 PM, TAMURA, Kent <tk...@chromium.org> wrote:
> I'm afraid malicious web pages can steal platform icons.  They are not free
> basically.

Can someone clarify for the new guy why it's dangerous for a malicious
page to have access to platform-specific images?

-- James

Glen Murphy

unread,
Jan 24, 2010, 9:00:48 PM1/24/10
to james...@astro73.com, Chromium-dev
>> I'm afraid malicious web pages can steal platform icons.  They are not free
>> basically.
>
> Can someone clarify for the new guy why it's dangerous for a malicious
> page to have access to platform-specific images?

In this case it would be able to tell what software you have installed
by figuring out what shows up for files associated with those
applications.

Pierre-Antoine LaFayette

unread,
Jan 24, 2010, 10:22:10 PM1/24/10
to glen, james.bliss, Chromium-dev
Interesting perspective... But isn't it the the user that sees the icon not the web page? The icon data isn't going out to the web server it is simply being rendered in the browser. Am I missing something?

2010/1/24 Glen Murphy <gl...@chromium.org>
--
Chromium Developers mailing list: chromi...@chromium.org
View archives, change email options, or unsubscribe:
   http://groups.google.com/a/chromium.org/group/chromium-dev



--
Pierre.

Glen Murphy

unread,
Jan 24, 2010, 11:09:57 PM1/24/10
to Pierre-Antoine LaFayette, james.bliss, Chromium-dev
> Interesting perspective... But isn't it the the user that sees the icon not
> the web page? The icon data isn't going out to the web server it is simply
> being rendered in the browser. Am I missing something?

I'm not aware of the full extent of the security worries that the
others in the thread were referring to (and I am definitely not a
security person), but you do have to do things like make sure that
when the image is written to a canvas, that canvas is marked as
read-only so that getImageData can't read it (like what happens for
cross domain images are today), so it is another layer of checks you
have to add.

The only other attack I can think of off the top of my head (which
also exists for cross domain images) is super contrived as it exploits
vision and relies on user interaction:

1. Assume that the 'no app' icon has a pixel at 8,8 that is color A
(e.g the middle of a blank page icon).
2. Assume that the app you want to detect has an icon with a color B
pixel at 8,8.
3. Set it up so that there are two links of color A and B, each with
the 8,8 pixel of the icon stretched as a background.
4. This makes only one of the links visible, those links can then
entice the user to click.

<div style="-webkit-border-image: url(icon://file.type) 7 7 8 8 repeat
repeat; width:200px; height:20px; border:1px;">
<a style="color:B;" href="#" onclick="alert('you do not have X
installed'); return false;" />free pony!</a>
</div>
<div style="-webkit-border-image: url(icon://file.type) 7 7 8 8 repeat
repeat; width:200px; height:20px; border:1px;">
<a style="color:A;" href="#" onclick="alert('AHAR! You have App XXX
installed! How embarassing for you!'); return false;" />free pony!</a>
</div>

As I said though, there are probably other attacks that people are
worried about, I was just pointing out why exposing the icons could be
bad.

Pierre-Antoine LaFayette

unread,
Jan 24, 2010, 11:36:57 PM1/24/10
to glen, james.bliss, Chromium-dev
It seems that the first attack should no longer be an issues according to http://scarybeastsecurity.blogspot.com/2008/11/firefox-cross-domain-image-theft-and.html. The second is a bit more interesting. I've made a post to public-...@w3.org regarding a potential open standard and I'm sure they'll bring up all the possible security risks. But we do know that Firefox already has this scheme and your second attack does work in Firefox using this code:

<html>
<body>
<div style="-moz-border-image: url(moz-icon://file.zip?size=16) 7 7 8 8 repeat
repeat; width:200px; height:20px; border:1px;">
 <a style="color:blue;" href="#" onclick="alert('you do not have X installed'); return false;" />free pony!</a>
</div>
<div style="-moz-border-image: url(moz-icon://file.zip?size=16) 7 7 8 8 repeat
repeat; width:200px; height:20px; border:1px;">
 <a style="color:red;" href="#" onclick="alert('AHAR! You have App XXX installed! How embarassing for you!'); return false;" />free pony!</a>
</div>
</body>
</html> 

Thanks for your input Glen.

2010/1/24 Glen Murphy <gl...@chromium.org>



--
Pierre.
Reply all
Reply to author
Forward
0 new messages