Chrome 66 ERR_UNSAFE_REDIRECT when redirecting to extension


Matt Senter

May 8, 2018, 1:59:24 AM
to Chromium-discuss
I have a Chrome extension with a sign-in flow like this:

1) Popup shows a Login button
2) Clicking Login button sends the user to a hosted site https://somesite.blah/oauth for an implicit OAuth grant.
3) Upon successful login on site, user is redirected back to a chrome-extension:// url for post-processing of the granted auth token.

In Chrome 65 this worked great. Now, in Chrome 66, that final redirect in step 3 is saying: ERR_UNSAFE_REDIRECT

It would seem Chrome 66 does not trust redirects to its own extensions? What is the recommended method for implementing this type of flow now that this security restriction is in place?

Thanks,
-Matt

PhistucK

May 8, 2018, 2:04:07 AM
to matt....@gmail.com, Chromium-discuss
This makes sense to me, sounds like the ability to redirect from web content to extension content was a security issue. I am surprised it worked before, perhaps it was a regression.

It is not that Chrome does not trust its own extensions - it does not trust web content to interact with extensions this way. In order to interact with extensions, you have chrome.runtime.sendMessage in combination with the externally_connectable manifest key.

I guess you should put something else as a redirect URL and get the URL parameters from it (POST is not supported in Chrome extensions anyway, I believe).

PhistucK


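The sendMessage / externally_connectable flow PhistucK describes, as an added example that is not from the thread or from Matt's extension. The host https://somesite.blah is the one named in the question; the callback path, the extension id, the state check and the manifest fragment are assumptions. The point it adds is on the extension side: externally_connectable limits which pages may connect, but the onMessageExternal listener still validates sender.url against the allowed origin and rejects other extensions before it stores the token.

```javascript
// Added example (not from the thread): relaying an implicit-grant token from the
// hosted OAuth callback page to the extension with chrome.runtime.sendMessage,
// and validating it on the extension side in chrome.runtime.onMessageExternal.
// Host name, callback path, extension id and the manifest fragment are assumptions.

// manifest.json (extension side): only pages on this origin may message us.
const MANIFEST_EXTERNALLY_CONNECTABLE = {
  externally_connectable: { matches: ["https://somesite.blah/*"] },
};
const ALLOWED_ORIGIN = "https://somesite.blah";

// Callback page side: parse the implicit-grant fragment
// (#access_token=...&token_type=...&expires_in=...&state=...).
function parseImplicitGrantFragment(hash) {
  const params = new URLSearchParams(hash.replace(/^#/, ""));
  const token = params.get("access_token");
  const state = params.get("state");
  if (!token || !state) return null;
  if ((params.get("token_type") || "").toLowerCase() !== "bearer") return null;
  const expiresIn = Number(params.get("expires_in"));
  return {
    access_token: token,
    state,
    expires_in: Number.isFinite(expiresIn) && expiresIn > 0 ? expiresIn : null,
  };
}

// Callback page side: build the message for the extension, refusing to relay a
// token whose state does not match the value the page issued before the grant.
function buildTokenMessage(hash, expectedState) {
  const grant = parseImplicitGrantFragment(hash);
  if (!grant || grant.state !== expectedState) return null;
  return {
    type: "oauth_token",
    access_token: grant.access_token,
    expires_in: grant.expires_in,
  };
}

// Extension side: externally_connectable already limits who can connect, but the
// listener still checks the sender. A web page sender carries a url and no
// extension id; a message from another extension arrives with sender.id set.
function isTrustedSender(sender, allowedOrigin) {
  if (!sender || typeof sender.url !== "string" || sender.id) return false;
  try {
    return new URL(sender.url).origin === allowedOrigin;
  } catch (e) {
    return false;
  }
}

// Extension side: validate, then keep the token in extension-private state.
function handleExternalMessage(msg, sender, allowedOrigin, store) {
  if (!isTrustedSender(sender, allowedOrigin)) {
    return { ok: false, error: "untrusted sender" };
  }
  if (!msg || msg.type !== "oauth_token" || typeof msg.access_token !== "string") {
    return { ok: false, error: "malformed message" };
  }
  store.token = msg.access_token;
  store.expiresAt = msg.expires_in ? Date.now() + msg.expires_in * 1000 : null;
  return { ok: true };
}

// Wiring, only when this file runs inside the extension (background/service worker).
const tokenStore = {};
if (typeof chrome !== "undefined" && chrome.runtime && chrome.runtime.onMessageExternal) {
  chrome.runtime.onMessageExternal.addListener((msg, sender, sendResponse) => {
    sendResponse(handleExternalMessage(msg, sender, ALLOWED_ORIGIN, tokenStore));
  });
}

// Callback page usage (assumed page https://somesite.blah/oauth/callback,
// EXTENSION_ID being the extension's 32-character id):
//   const msg = buildTokenMessage(location.hash, sessionStorage.getItem("oauth_state"));
//   if (msg) chrome.runtime.sendMessage(EXTENSION_ID, msg, (resp) => { /* check resp.ok */ });
```

The callback page only ever talks to the one extension id it names, so a rogue extension cannot receive the token, and the extension only accepts tokens from the one origin it names, so a rogue page cannot inject one; both ends pin the other rather than relying on the manifest alone.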

Matt Senter

May 8, 2018, 12:17:24 PM
to Chromium-discuss, matt....@gmail.com
Oh, OK. Yeah, I'd thought about using sendMessage(extensionId, ...) in combination with onMessageExternal() on the extension side to make sure only my extension could receive the generated access token. I suppose in the end it's the same as redirecting to my Chrome extension's URL (which was a GET, by the way, so no issue with POST there), i.e. both methods are demarcated by the extension ID, so rogue extensions should not be able to receive the access token.

Thanks!
-Matt

Torne (Richard Coles)

May 8, 2018, 5:49:08 PM
to matt....@gmail.com, Chromium-discuss
Loading the chrome extension URL is not forbidden because of rogue extensions, it's forbidden because of the potential of rogue *web pages* tricking extensions (which have access to privileges that web pages don't) into doing something bad.

David Robertson

May 9, 2018, 1:54:39 AM
to Chromium-discuss
If there is a Chromium developer out there who could come on my computer and get rid of Chromium, I would appreciate it. I am a 70-year-old, chemo-brained non-techie without even a cell phone, and I need help. This particular version of Chromium takes me to the Yahoo search engine. I thought Chromium was pretty cool until it installed itself on top of my page whenever I started the computer and didn't allow me to shut it down. It is faster, but that is about the only good thing I can say about it. It needs to get rid of the on-top-only behaviour with no way to close it, and it needs an uninstall button. PLEASE HELP ME.

Zelená Žaba

Aug 15, 2019, 7:09:37 AM
to Chromium-discuss, matt....@gmail.com
Hi Matt,

I believe you need to add "web_accessible_resources" in your chrome extension manifest file to include the file that is post-processing the granted auth token.
After you do this, you will no longer get ERR_UNSAFE_REDIRECT.
It will work.

Cheers,
Neo