Restricting use of file: URLs in tabs and windows APIs

[Jun Kokatsu]

Chromium extensions are currently allowed to navigate to file URLs through chrome.tabs and chrome.windows APIs. However, most extensions do not use these, and they can sometimes introduce a vulnerability where an extension unexpectedly navigates to a file URL of an attacker’s choice. This can result in a number of issues, such as local file disclosure.

Following discussions in the WECG, we plan to restrict navigation to file URLs (in Chromium 118), unless the “Allow access to file URLs” option is enabled on the extension’s details page. The use of navigation to file URLs is low in Chrome (approximately 0.02%), and we expect that for most extensions there will be no impact. In the small number of other cases, we believe that the toggle is a reasonable requirement.

Firefox already restricts file URLs, and Safari supports the change.

Along similar lines, we recently landed a change to expand restrictions on javascript URLs to all API methods. This was already blocked for tabs.update, and opening these URLs outside of an existing tab has limited use. This will land in 117 and we do not expect any impact.

As always, please do let us know if you have any feedback.

Thanks,

Jun on behalf of Chrome Extension team

[Don Schmitt]

Hi,

I believe you should provide a Group Policy to enable this enterprise wide.  We have customers who have tools that download files that they then open locally with our extension as a viewer.  Can you provide a policy for this?

Thanks!

Don

--
You received this message because you are subscribed to the Google Groups "Chromium Extensions" group.
To unsubscribe from this group and stop receiving emails from it, send an email to chromium-extens...@chromium.org.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/chromium-extensions/c9085e6f-d021-4516-93bd-61f360898b0en%40chromium.org.

[Patrick Kettner]

Hey Don

Do you mean an enterprise policy to not restrict the use of file URLs in extensions?

To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/chromium-extensions/CAM7AMpL4HrPBoZvRmYu8OFh_-Wm8qqvh%3DsYQfRHNAt5iR7ZyvQ%40mail.gmail.com.

[Don Schmitt]

Hi Patrick,

Allow me to clarify.  If I understand this change announcement, this change makes it so that an extension cannot navigate to a file URL unless the following permission has been enabled on the extension page for that extension:  "Allow access to file URLs” .  However, unless something has changed there is no way to enable that option with enterprise policy for an extension and it's impractical for an enterprise to have their end users manually change settings.

The lack of ability to enable this option has come up in the past and I don't recall what the resistance was to providing enterprise policy for enabling that option.  I think perhaps it was difficult before there was an ExtensionSettings policy (i.e. the ability to set per-extension values).

Does that make sense?

--

Don

[Jun Kokatsu]

Hi Don!

Sorry it took sometime to get back on this.

I've added a new field in ExtensionSettings policy to allow navigation to file URLs from configured extensions.

https://chromium.googlesource.com/chromium/src/+/82587db58baf602d7eb8ae208f6937401cc320a3

Unfortunately, this policy change will not land in time for Chrome 118. Meanwhile, you can disable the RestrictFileURLNavigation feature.

Hope this helps!

Jun

[Don Schmitt]

Wow, what a quick response.  Great work, thank you!

[David]

Hi Jun,

I tried to test this new feature on the latest Chrome Canary.

The policy loaded and the schema was validated correctly. The extension is force-installed by the enterprise.
I expected the "Allow access to file URLs" to be enabled once I did it but there was no change.

How should I test it?

Tried running chrome.extension.isAllowedFileSchemeAccess as well to verify.

Our enterprise has a self-hosted extension installed on enterprise enrolled devices, and we wish to allow access to file URLs without user intervention.

Thanks.

[Jun Kokatsu]

Hi David,

The new enterprise policy does not allow access to file URLs. It just allows navigation to file URLs from specified extensions, which is being deprecated in Chrome 118.

Thanks,

Jun

[iza]

Hi, I'm the developer of Humble New Tab Page.

Some of my users have bookmarks to local files, and have complained that they can no longer open them from my extension new tab page.

Am I correct in understanding that for the "Allow access to file URLs" toggle to show up for my extension, I would need to declare
"host_permissions": ["file:///*"] in my extension manifest? Because I really don't want or need such a broad permission. Is there no way to request navigation permission without full read access?

[iza]

On further investigation, it looks like I can add the "activeTab" permission instead to make the "Allow access to file URLs" toggle available. Still an unnecessary permission for my extension, but less invasive.

[Jackie Han]

Hi Jun Kokatsu,

I noticed that there is no "Allow access to file URLs" option for my extensions from Web Store, but there is this option for all unpacked extensions.

Above screenshot is an extension from Web Store. There is no "Allow access to file URLs" option!

Above screenshot is an unpacked extension. All unpacked extensions have this option.

So how can users enable "Allow access to file URLs" for extensions installed from CWS?

To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/chromium-extensions/8a1f4a40-acd4-49a7-8319-bb9c6255d42en%40chromium.org.

[Jackie Han]

Hi, iza

For unpacked extension, just enable "Allow access to file URLs", it works. It doesn't need any permissions (like "file:///*" or "activeTab"). But extensions from CWS don't show this option. That is a problem.

To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/chromium-extensions/7905701f-ba06-4e7c-8153-d7875bcd377en%40chromium.org.

[Flozzl 51]

Hi,

ive tried the solution but somehow "file_url_navigation" is not working for the extension " Enable local file links". 

This is how its configured in GPO

Here you can see that only the Pin to toolbar command is working.

Am i doing something wrong here?

[Jun Kokatsu]

Hi All!

To iza and Jackie, I think requesting "file:///*" permission is the best option here, as it does not provide file access to the extension until users enable the "allow access to file URLs" option.

The reason why we didn't expose new toggle specific to file URL navigations is that we think normal users wouldn't understand what navigation to file URLs mean in terms of granting access. Therefore, we wanted to tie navigation to file URLs with the file URL access itself, which seems more clearer.

To Flozzl 51, unfortunately, the request for enterprise policy came a month after we announced the change, and therefore it didn't land on time for Chrome 118. But it will be available from Chrome 119.

Thanks,

Jun

[iza]

I ended up adding "optional_host_permissions": [ "file:///*" ]

This way the "Allow access to file URLs" is shown, navigation works, but I don't actually get read permission.

[Jun Kokatsu]

That's amazing iza! Thank you for sharing your tips!

Jun

[Jackie Han]

Great! I just published a new version of my extension which added the "optional_host_permissions": [ "file:///*" ] in manifest. After upgrading from CWS, the extension details page shows the "Allow access to file URLs" option now.

Although this solves the problem, I think many people don't know this difference between unpacked extensions and packed extensions from CWS.

[MH]

Hello

I have tested the new policy with chrome 119 beta:

The Registrykey ("file_url_navigation_allowed"=dword:00000001) seems to be valid, but the behevior has not changed.

Is it true, that its still necessary to enable the file access in the extension settings?

If so, how can I force this settings without user interaction. (Company with ~6k employees)?

Thanks for your respond.

[Jun Kokatsu]

Hi,

Unfortunately, I currently don't have access to windows PC to verify this issue.

But I think it is not working because you have not set the extension ID. Since file_url_navigation_allowed is a part of the ExtensionSettings policy, you'd need to set the extension ID for which you want to allow file: URL navigation.

I can try to repro this next week if you still see the same issue.

Thanks,

Jun

[MH]

Hi Jun

I think i did it correctly, this is what it shows in chrome://policy (valid):

{
  "nikfmfgobenbhmocjaaboihbeocackld": {
    "file_url_navigation_allowed": true,
    "installation_mode": "force_installed",
    "update_url": "file:////[Path to xml]//ChromeExtensions.xml"
  }
}

Still have the same issue.

Thanks

[Jun Kokatsu]

Hi,

I was successfully able to apply `file_url_navigation_allowed` on Chrome Beta for Windows.

I followed these steps to download and apply Admin template. This guide from Edge actually goes more details into how to make a JSON to apply to ExtensionSettings policy, but I basically applied `{"hinmcgipjjndkedddmmpidnjikjebejj":{"file_url_navigation_allowed":true}}` and it worked. Make sure that Chrome is restarted and the policy changes appears in chrome://policy.

Thanks,

Jun

[ELU Konsult]

I have tried both Chrome Beta (version 119.0.6045.59) and Edge for Business Beta (119.0.2151.38) and i can't get the policy 'file_url_navigation_allowed' to work.

This is what i have in my Group policy setting "Extension management settings":
{"nikfmfgobenbhmocjaaboihbeocackld":{"file_url_navigation_allowed":true}}

In Chrome Beta i get no Policy error, but the policy does not Enable "Allow access to file URLs".
In Edge for Business Beta i get a Policy error: " ErrorError at ExtensionSettings.nikfmfgobenbhmocjaaboihbeocackld: Schema validation error: Unknown property: file_url_navigation_allowed"

Am i doing something wrong?

[Jun Kokatsu]

Hi,

The policy addition for each release channel can be checked here.

On Chrome Beta, it starts support from 119.0.6045.9 onwards, which is probably why it did not work on your version (i.e. 119.0.6045.59).

Please try on version 119.0.6045.9 or up and let me know if it works!

Thanks,

Jun

[ELU Konsult]

Hello Jun,

I have tried the latest beta build " Version 119.0.6045.105 (Official Build) beta (64-bit)" and the issue still is the same.
The policy does not have any effect on enabling "Allow access to file URLs"

Also tried downloading the Chrome Canary version of the browser, but it doesn't work in that either.
This is the JSON value from Chrome policy page: 
{ "nikfmfgobenbhmocjaaboihbeocackld": { "file_url_navigation_allowed": true } }

[Flozzl 51]

Hi,

same preconditions and problems like @ELU_Konsult .

Policy have been set and i have the newest version ( 119.0.6045.106).

[Oliver Dunk]

Hi both,

My understanding is that this does not affect the "Allow access to file URL" toggle, and only impacts the ability to navigate to file:// URLs using the different APIs.

Have you tried to use those APIs since applying the policy?

Thanks,

Oliver Dunk | DevRel, Chrome Extensions | https://developer.chrome.com/ | London, GB

To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/chromium-extensions/3c6986c6-d5da-44f8-9ae0-f3a1610fce95n%40chromium.org.

[Flozzl 51]

We are using the same APIs since a very long time

[Oliver Dunk]

Can you confirm the code that you are running and what error messaging you are getting with this policy applied?

Oliver Dunk | DevRel, Chrome Extensions | https://developer.chrome.com/ | London, GB

[Flozzl 51]

Sorry, what do you want me to do?

The policy is active but its not working. 

[Oliver Dunk]

Could you share:

• The code you are running to test if this is working (just the snippet navigating to a file:// URL is ok)
• What error message you see when this fails to work

Thanks,

Oliver Dunk | DevRel, Chrome Extensions | https://developer.chrome.com/ | London, GB

[Flozzl 51]

For example : file://ourdomain.local/file.pdf

Then a new site opens "chrome-extension://nikfmfgobenbhmocjaaboihbeocackld/options/index.html#need-file-scheme-access"

This is what you need?

[Oliver Dunk]

How are you navigating to that URL? tabs.create, tabs.update, windows.create etc.

Just want to understand the exact issue you're having.

Oliver Dunk | DevRel, Chrome Extensions | https://developer.chrome.com/ | London, GB

[Flozzl 51]

Yes ok and im not into coding but i hope the screenshot will be helpful.

Otherwise let me know, which steps i can do.

[Oliver Dunk]

Thanks for sharing that screenshot, along with the extension ID it provides some helpful context.

It looks like the extension was updated with support for the original change but not support for the policy, so this may need a change from the developer of that extension. You could try reaching out to them using the email address on their Chrome Web Store listing.

In particular, there is some code here which basically prevents things from working unless the file access checkbox is enabled. Unfortunately since the policy and checkbox aren't linked that check is failing. Hopefully that makes a bit of sense?

Thanks,

Oliver Dunk | DevRel, Chrome Extensions | https://developer.chrome.com/ | London, GB

[Flozzl 51]

Thanks Oliver, i will get in touch with the developer and inform you here, if i get some new informations about this problem.

It makes sense for me.

[Flozzl 51]

Ive got a reply from the developer of that extension.

It seems to be that it will be fixed in the next release.

Dear Sir,

 

Thank you for contacting me.
I updated the extension.
I think it's fixed in version 0.9.4.

 

Takashi Sugimoto

[Oliver Dunk]

That's great news, thanks for the update!

Oliver Dunk | DevRel, Chrome Extensions | https://developer.chrome.com/ | London, GB

[Uladzimir Yankovich]

Colleagues, I already have 119 Chrome, but in my extension (jbfeongihppeenfnaofmdeikahaefljd) everything still works. In addition, I don’t see any toggles in our extension settings - https://gang.manganum.app/GpFGbTgN

How is this possible?

[Oliver Dunk]

Hi Uladzimir,

I'm not sure what to suggest - this is working for me, including with Manganum.

I notice in the video you shared previously you had some enterprise policy. Do you see anything at chrome://policy that could affect this?

Thanks,

Oliver Dunk | DevRel, Chrome Extensions | https://developer.chrome.com/ | London, GB

[Uladzimir Yankovich]

https://gang.manganum.app/LTrnZ3j9 🤔

--

Uladzimir Yankovich,

Founder @ Manganum (manganum.app).

[Oliver Dunk]

Strange. My suggestion for now would be to open a Chrome bug - that way we can at least see if this is happening for anyone else.

Oliver Dunk | DevRel, Chrome Extensions | https://developer.chrome.com/ | London, GB

[Jun Kokatsu]

> In addition, I don’t see any toggles in our extension settings

You can add the following, and it should show the allow file access toggle.

"optional_host_permissions": [ "file:///*" ]

Thanks,

Jun

[Uladzimir Yankovich]

I asked 3 random users with 120 Chrome to send screenshots, and still nothing.

Could it be that this update does not affect the all_host extension? 🤔

[Oliver Dunk]

Hi Uladzimir,

I'm definitely seeing this in the Manganum extension so I don't think it's permission related.

Could you confirm exactly what you asked users to test? There are some things (duplicating tabs or re-opening closed ones) that I believe still work so the focus on this is very much navigation through methods like `chrome.tabs.update`.

Appreciate your patience, clearly we're seeing very different things so I appreciate your persistence in trying to figure out what's happening.

Thanks,

Oliver Dunk | DevRel, Chrome Extensions | https://developer.chrome.com/ | London, GB

[Uladzimir Yankovich]

I asked them if they saw the "Allow access to file URLs" toggle. No, they don't.

At the same time, I see it on my devices with other extensions (https://gang.manganum.app/q0PpJXWs). But I don’t see it in Manganum (https://gang.manganum.app/6TwsXS9S).

Oliver, could you share a screenshot?

[Oliver Dunk]

Ah, got it. I assumed you were still talking about not being able to see the new behaviour in general.

It looks like Manganum doesn't have the optional_host_permissions key Jun suggested yet?

Oliver Dunk | DevRel, Chrome Extensions | https://developer.chrome.com/ | London, GB

[Uladzimir Yankovich]

Yes, but other extensions don’t have it either 😂

[Oliver Dunk]

Do you have an example of an extension that doesn't have that but does show the toggle?

Oliver Dunk | DevRel, Chrome Extensions | https://developer.chrome.com/ | London, GB

[Uladzimir Yankovich]

For example:

— https://chrome.google.com/webstore/detail/eesel-chatgpt-document-se/jffaiidojfhflballoapgofphkadiono

— https://gang.manganum.app/56hmz6CM

[Oliver Dunk]

I think that one is because it's requesting "*://*/*", which includes file:// URLs :)

Oliver Dunk | DevRel, Chrome Extensions | https://developer.chrome.com/ | London, GB

[Uladzimir Yankovich]

What about it? 🤔

https://chrome.google.com/webstore/detail/calendly-meeting-scheduli/cbhilkcodigmigfbnphipnnmamjfkipp — https://gang.manganum.app/JFPqFFWB

https://chrome.google.com/webstore/detail/eye-dropper/hmdcmlfkchdmnmnmheododdhjedfccka — https://gang.manganum.app/HGJSDrsR

[Oliver Dunk]

It looks like requesting the activeTab permission will show the setting as well.

Oliver Dunk | DevRel, Chrome Extensions | https://developer.chrome.com/ | London, GB

[MH]

Can we please have an enterprise policy to manage the allow file acces toggle for specific extensions.

I cant request all my employees to activate it.

[Oliver Dunk]

Do you mean the file access toggle, or specifically being able to navigate to file URLs?

For the latter, which is the only thing we have changed recently, we added a policy that you can find here: https://support.google.com/chrome/a/answer/9867568?hl=en#:~:text=file_url_navigation_allowed

For the file access toggle, that would be a more general feature request. I don't think we'd prioritize it since nothing has changed there recently, but feel free to file something on the bug tracker :)

Thanks,

Oliver Dunk | DevRel, Chrome Extensions | https://developer.chrome.com/ | London, GB

[Seema Habib]

Oky

To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/chromium-extensions/CAOsQqBmAppNCKOXEnmk7%3DMz3dk6Y4oWc4996CNKfwTs759Wr7A%40mail.gmail.com.

[David]

Added a feature request to control extension toggles via enterprise policy here:
https://bugs.chromium.org/p/chromium/issues/detail?id=1501780

[Pedro Pinho]

To elaborate on MH's comment above, while it's true we now have the file_url_navigation_allowed ExtensionSettings policy field to toggle the "Allow access to file URLs" extension setting, the toggle is not enabled in the UI, as any other policy control setting is usually seen in Chrome. This causes some confusion to IT admins and more tech savvy users, as it's expected that the toggle is set if affected by a policy setting.

I'm unsure that https://bugs.chromium.org/p/chromium/issues/detail?id=1501780 targets this specific issue, as it seems like a more generic feature request.

[Jun Kokatsu]

file_url_navigation_allowed ExtensionSettings policy and "Allow access to file URLs" toggle are two different things.

file_url_navigation_allowed only allows navigations to file URLs, but it does not provide file URL access.

If you'd like to control file URL access through enterprise policy, this bug has the past discussions on that topic and reason for those decisions.

Thanks,

Jun

[Pedro Pinho]

Thanks Jun, but that's a rather old bug. My feedback was more in the sense that, for most (if not all) browser settings controlled via policy, the UI is updated accordingly (usually graying out options, lock icon, etc). This is usually the expectation of IT admins and the quickest way to assess a given policy setting takes effect. If this is not something that should be pursued, for technical/design reasons, I guess that's an evaluation that may need to be done, as this is more of an UX thing. What matters the most is that the new field is indeed taking effect and working as intended, just not the UI part IT admins are accustomed to when deploying browser policies.

[Oliver Dunk]

Hi Pedro,

I just wanted to reiterate what Jun said here, since I think there might be some confusion.

Enabling the file access toggle in the UI gives extensions access to read data on file:// URLs. Setting file_url_navigation_allowed does not, so it would be confusing if the UI changed (since that would imply the extension has access it doesn't).

I hope that makes sense.

Oliver Dunk | DevRel, Chrome Extensions | https://developer.chrome.com/ | London, GB

[Pedro Pinho]

Thanks Oliver and Jun, this is clear now. Sorry for the confusion.

[Maximilian Hansen]

Hello everyone,

Our Windows GPO for the Google Chrome extension: chrome://extensions/?id=nikfmfgobenbhmocjaaboihbeocackld, doesn't seem to work.

We need the toggle for the users: Allow access to file URLs

Attached is an excerpt from the GPO. The extension is also displayed in Chrome as installed by company policy.

Is there any way to troubleshoot?

[Oliver Dunk]

Hi Maximilian,

To confirm, are you trying to use APIs like `chrome.tabs.update` or specifically to enable the file access toggle? The policy removes some restrictions from the APIs but does not enable the toggle or allow unrestricted access to files.

Thanks,

Oliver Dunk | DevRel, Chrome Extensions | https://developer.chrome.com/ | London, GB

[Maximilian Hansen]

Hello Oliver, thanks for the quick feedback.

Is there a way to customize this toggle via GPO? 

[Oliver Dunk]

There isn't currently a way to control that I'm afraid.

Oliver Dunk | DevRel, Chrome Extensions | https://developer.chrome.com/ | London, GB

[Maximilian Hansen]

Hi Oliver, thanks for the feedback.
Will this be possible again in the near future?

Max

[Oliver Dunk]

There aren't any plans at the moment.

Would you be comfortable sharing your use case in more detail? It would be interesting to know.

Oliver Dunk | DevRel, Chrome Extensions | https://developer.chrome.com/ | London, GB

[Justin Jaeger]

Hi Oliver,

My facility is having the same issue as Maximilian. We are trying to use an extension called "Enable local file links" for use with our company intranet to open files from our company's shared drive. We have a number of links to specific points in our shared drive but the extension requires you to set "Allow access to file URLs" before it can be used. We use this within a Citrix environment and when you log off, it resets that permission. We're looking for a way to enable this in group policy but everything we have found says that it cannot be done. Is there a way to request this feature be added? We used to use this with IE without a problem but with the switch to Chrome, I believe this functionality was turned off for security reasons. Unfortunately, it creates a large barrier for us as most of our users are not well versed with looking for the files they need in the shared drive.

Thank you,

Justin Jaeger