Restricting use of file: URLs in tabs and windows APIs

10,696 vistas
Ir al primer mensaje no leído

Jun Kokatsu

no leída,
10 ago 2023, 2:00:04 p.m.10/8/23
para Chromium Extensions

Chromium extensions are currently allowed to navigate to file URLs through chrome.tabs and chrome.windows APIs. However, most extensions do not use these, and they can sometimes introduce a vulnerability where an extension unexpectedly navigates to a file URL of an attacker’s choice. This can result in a number of issues, such as local file disclosure.


Following discussions in the WECG, we plan to restrict navigation to file URLs (in Chromium 118), unless the “Allow access to file URLs” option is enabled on the extension’s details page. The use of navigation to file URLs is low in Chrome (approximately 0.02%), and we expect that for most extensions there will be no impact. In the small number of other cases, we believe that the toggle is a reasonable requirement.


Firefox already restricts file URLs, and Safari supports the change.


Along similar lines, we recently landed a change to expand restrictions on javascript URLs to all API methods. This was already blocked for tabs.update, and opening these URLs outside of an existing tab has limited use. This will land in 117 and we do not expect any impact.


As always, please do let us know if you have any feedback.


Thanks,


Jun on behalf of Chrome Extension team


Don Schmitt

no leída,
16 sept 2023, 7:00:47 p.m.16/9/23
para Jun Kokatsu,Chromium Extensions
Hi,

I believe you should provide a Group Policy to enable this enterprise wide.  We have customers who have tools that download files that they then open locally with our extension as a viewer.  Can you provide a policy for this?

Thanks!
Don



--
You received this message because you are subscribed to the Google Groups "Chromium Extensions" group.
To unsubscribe from this group and stop receiving emails from it, send an email to chromium-extens...@chromium.org.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/chromium-extensions/c9085e6f-d021-4516-93bd-61f360898b0en%40chromium.org.

Patrick Kettner

no leída,
27 sept 2023, 3:31:12 p.m.27/9/23
para Don Schmitt,Jun Kokatsu,Chromium Extensions
Hey Don
Do you mean an enterprise policy to not restrict the use of file URLs in extensions?

Don Schmitt

no leída,
27 sept 2023, 3:47:18 p.m.27/9/23
para Patrick Kettner,Jun Kokatsu,Chromium Extensions
Hi Patrick,

Allow me to clarify.  If I understand this change announcement, this change makes it so that an extension cannot navigate to a file URL unless the following permission has been enabled on the extension page for that extension:  "Allow access to file URLs” .  However, unless something has changed there is no way to enable that option with enterprise policy for an extension and it's impractical for an enterprise to have their end users manually change settings.

The lack of ability to enable this option has come up in the past and I don't recall what the resistance was to providing enterprise policy for enabling that option.  I think perhaps it was difficult before there was an ExtensionSettings policy (i.e. the ability to set per-extension values).

Does that make sense?

--
Don


Jun Kokatsu

no leída,
29 sept 2023, 1:37:04 p.m.29/9/23
para Chromium Extensions,Don Schmitt,Jun Kokatsu,Chromium Extensions,Patrick Kettner
Hi Don!

Sorry it took sometime to get back on this.
I've added a new field in ExtensionSettings policy to allow navigation to file URLs from configured extensions.
Unfortunately, this policy change will not land in time for Chrome 118. Meanwhile, you can disable the RestrictFileURLNavigation feature.

Hope this helps!

Jun

Don Schmitt

no leída,
30 sept 2023, 11:38:36 a.m.30/9/23
para Jun Kokatsu,Chromium Extensions,Patrick Kettner
Wow, what a quick response.  Great work, thank you!


David

no leída,
2 oct 2023, 12:10:25 p.m.2/10/23
para Chromium Extensions,Don Schmitt,Chromium Extensions,Patrick Kettner,Jun Kokatsu
Hi Jun,

I tried to test this new feature on the latest Chrome Canary.
The policy loaded and the schema was validated correctly. The extension is force-installed by the enterprise.
I expected the "Allow access to file URLs" to be enabled once I did it but there was no change.

How should I test it?
Tried running chrome.extension.isAllowedFileSchemeAccess as well to verify.

Our enterprise has a self-hosted extension installed on enterprise enrolled devices, and we wish to allow access to file URLs without user intervention.

Thanks.

Jun Kokatsu

no leída,
2 oct 2023, 6:33:19 p.m.2/10/23
para David,Chromium Extensions,Don Schmitt,Patrick Kettner
Hi David,

The new enterprise policy does not allow access to file URLs. It just allows navigation to file URLs from specified extensions, which is being deprecated in Chrome 118.

Thanks,

Jun

iza

no leída,
15 oct 2023, 12:08:01 a.m.15/10/23
para Chromium Extensions,Jun Kokatsu,Chromium Extensions
Hi, I'm the developer of Humble New Tab Page.
Some of my users have bookmarks to local files, and have complained that they can no longer open them from my extension new tab page.

Am I correct in understanding that for the "Allow access to file URLs" toggle to show up for my extension, I would need to declare
"host_permissions": ["file:///*"] in my extension manifest? Because I really don't want or need such a broad permission. Is there no way to request navigation permission without full read access?

iza

no leída,
15 oct 2023, 12:54:53 a.m.15/10/23
para Chromium Extensions,iza,Jun Kokatsu,Chromium Extensions
On further investigation, it looks like I can add the "activeTab" permission instead to make the "Allow access to file URLs" toggle available. Still an unnecessary permission for my extension, but less invasive.

Jackie Han

no leída,
16 oct 2023, 4:02:14 a.m.16/10/23
para Jun Kokatsu,Chromium Extensions,iza
Hi Jun Kokatsu,

I noticed that there is no "Allow access to file URLs" option for my extensions from Web Store, but there is this option for all unpacked extensions.

Screenshot 2023-10-16 at 15.55.38.png
Above screenshot is an extension from Web Store. There is no "Allow access to file URLs" option!

Screenshot 2023-10-16 at 15.56.07.png
Above screenshot is an unpacked extension. All unpacked extensions have this option.

So how can users enable "Allow access to file URLs" for extensions installed from CWS?


Jackie Han

no leída,
16 oct 2023, 4:09:29 a.m.16/10/23
para iza,Chromium Extensions,Jun Kokatsu
Hi, iza

For unpacked extension, just enable "Allow access to file URLs", it works. It doesn't need any permissions (like "file:///*" or "activeTab"). But extensions from CWS don't show this option. That is a problem.

Flozzl 51

no leída,
16 oct 2023, 6:02:14 a.m.16/10/23
para Chromium Extensions,Jackie Han,Chromium Extensions,Jun Kokatsu,iza
Hi,
ive tried the solution but somehow "file_url_navigation" is not working for the extension " Enable local file links". 


Screenshot 2023-10-16 115314.jpg

This is how its configured in GPO

Screenshot 2023-10-16 120040.jpg

Here you can see that only the Pin to toolbar command is working.
Am i doing something wrong here?

Jun Kokatsu

no leída,
16 oct 2023, 2:32:16 p.m.16/10/23
para Chromium Extensions,Flozzl 51,Jackie Han,Chromium Extensions,Jun Kokatsu,iza
Hi All!

To iza and Jackie, I think requesting "file:///*" permission is the best option here, as it does not provide file access to the extension until users enable the "allow access to file URLs" option.
The reason why we didn't expose new toggle specific to file URL navigations is that we think normal users wouldn't understand what navigation to file URLs mean in terms of granting access. Therefore, we wanted to tie navigation to file URLs with the file URL access itself, which seems more clearer.

To Flozzl 51, unfortunately, the request for enterprise policy came a month after we announced the change, and therefore it didn't land on time for Chrome 118. But it will be available from Chrome 119.

Thanks,

Jun

iza

no leída,
16 oct 2023, 2:58:09 p.m.16/10/23
para Chromium Extensions,Jun Kokatsu,Jackie Han,Chromium Extensions,iza
I ended up adding "optional_host_permissions": [ "file:///*" ]
This way the "Allow access to file URLs" is shown, navigation works, but I don't actually get read permission.

Jun Kokatsu

no leída,
16 oct 2023, 3:11:31 p.m.16/10/23
para Chromium Extensions,iza,Jun Kokatsu,Jackie Han,Chromium Extensions
That's amazing iza! Thank you for sharing your tips!

Jun

Jackie Han

no leída,
17 oct 2023, 1:12:15 a.m.17/10/23
para Jun Kokatsu,Chromium Extensions,iza
Great! I just published a new version of my extension which added the "optional_host_permissions": [ "file:///*" ] in manifest. After upgrading from CWS, the extension details page shows the "Allow access to file URLs" option now.

Although this solves the problem, I think many people don't know this difference between unpacked extensions and packed extensions from CWS.

MH

no leída,
20 oct 2023, 6:45:48 a.m.20/10/23
para Chromium Extensions,Jackie Han,Chromium Extensions,iza,Jun Kokatsu
Hello

I have tested the new policy with chrome 119 beta:
The Registrykey ("file_url_navigation_allowed"=dword:00000001) seems to be valid, but the behevior has not changed.
Is it true, that its still necessary to enable the file access in the extension settings?
If so, how can I force this settings without user interaction. (Company with ~6k employees)?

Thanks for your respond.

Jun Kokatsu

no leída,
20 oct 2023, 8:30:23 p.m.20/10/23
para MH,Chromium Extensions,Jackie Han,iza
Hi,

Unfortunately, I currently don't have access to windows PC to verify this issue.
But I think it is not working because you have not set the extension ID. Since file_url_navigation_allowed is a part of the ExtensionSettings policy, you'd need to set the extension ID for which you want to allow file: URL navigation.
I can try to repro this next week if you still see the same issue.

Thanks,

Jun

MH

no leída,
26 oct 2023, 2:42:19 a.m.26/10/23
para Chromium Extensions,Jun Kokatsu,Chromium Extensions,Jackie Han,iza,MH
Hi Jun

I think i did it correctly, this is what it shows in chrome://policy (valid):

{
  "nikfmfgobenbhmocjaaboihbeocackld": {
    "file_url_navigation_allowed": true,
    "installation_mode": "force_installed",
    "update_url": "file:////[Path to xml]//ChromeExtensions.xml"
  }
}


Still have the same issue.
Thanks

Jun Kokatsu

no leída,
30 oct 2023, 8:26:04 p.m.30/10/23
para Chromium Extensions,MH,Jun Kokatsu,Chromium Extensions,Jackie Han,iza
Hi,

I was successfully able to apply `file_url_navigation_allowed` on Chrome Beta for Windows.
I followed these steps to download and apply Admin template. This guide from Edge actually goes more details into how to make a JSON to apply to ExtensionSettings policy, but I basically applied `{"hinmcgipjjndkedddmmpidnjikjebejj":{"file_url_navigation_allowed":true}}` and it worked. Make sure that Chrome is restarted and the policy changes appears in chrome://policy.

Thanks,

Jun

ELU Konsult

no leída,
31 oct 2023, 3:50:03 a.m.31/10/23
para Chromium Extensions,Jun Kokatsu,MH,Chromium Extensions,Jackie Han,iza
I have tried both Chrome Beta (version 119.0.6045.59) and Edge for Business Beta (119.0.2151.38) and i can't get the policy 'file_url_navigation_allowed' to work.

This is what i have in my Group policy setting "Extension management settings":
{"nikfmfgobenbhmocjaaboihbeocackld":{"file_url_navigation_allowed":true}}

In Chrome Beta i get no Policy error, but the policy does not Enable "Allow access to file URLs".
In Edge for Business Beta i get a Policy error: " ErrorError at ExtensionSettings.nikfmfgobenbhmocjaaboihbeocackld: Schema validation error: Unknown property: file_url_navigation_allowed"

Am i doing something wrong?
Edge_beta.png
Chrome_Beta_Plugin.png
Chrome_Beta_Policy.png
Chrome_Beta.png
Edge_Beta_policy_Error.png
GPO.png

Jun Kokatsu

no leída,
31 oct 2023, 12:49:59 p.m.31/10/23
para Chromium Extensions,ELU Konsult,Jun Kokatsu,MH,Chromium Extensions,Jackie Han,iza
Hi,

The policy addition for each release channel can be checked here.
On Chrome Beta, it starts support from 119.0.6045.9 onwards, which is probably why it did not work on your version (i.e. 119.0.6045.59).

Please try on version 119.0.6045.9 or up and let me know if it works!

Thanks,

Jun

ELU Konsult

no leída,
1 nov 2023, 4:27:03 a.m.1/11/23
para Chromium Extensions,Jun Kokatsu,ELU Konsult,MH,Chromium Extensions,Jackie Han,iza
Hello Jun,

I have tried the latest beta build " Version 119.0.6045.105 (Official Build) beta (64-bit)" and the issue still is the same.
The policy does not have any effect on enabling "Allow access to file URLs"

Also tried downloading the Chrome Canary version of the browser, but it doesn't work in that either.
This is the JSON value from Chrome policy page: 
{ "nikfmfgobenbhmocjaaboihbeocackld": { "file_url_navigation_allowed": true } }
Chrome_Beta_6045.105.png
Chrome_Beta_Policy_105.png

Flozzl 51

no leída,
1 nov 2023, 5:50:32 a.m.1/11/23
para Chromium Extensions,ELU Konsult,Jun Kokatsu,MH,Chromium Extensions,Jackie Han,iza
Hi,

same preconditions and problems like @ELU_Konsult .
Policy have been set and i have the newest version ( 119.0.6045.106).

Oliver Dunk

no leída,
1 nov 2023, 6:48:38 a.m.1/11/23
para Flozzl 51,Chromium Extensions,ELU Konsult,Jun Kokatsu,MH,Jackie Han,iza
Hi both,

My understanding is that this does not affect the "Allow access to file URL" toggle, and only impacts the ability to navigate to file:// URLs using the different APIs.

Have you tried to use those APIs since applying the policy?

Thanks,
Oliver Dunk | DevRel, Chrome Extensions | https://developer.chrome.com/ | London, GB


Flozzl 51

no leída,
1 nov 2023, 8:37:25 a.m.1/11/23
para Chromium Extensions,Oliver Dunk,Chromium Extensions,ELU Konsult,Jun Kokatsu,MH,Jackie Han,iza,Flozzl 51
We are using the same APIs since a very long time

Oliver Dunk

no leída,
1 nov 2023, 8:39:29 a.m.1/11/23
para Flozzl 51,Chromium Extensions,ELU Konsult,Jun Kokatsu,MH,Jackie Han,iza
Can you confirm the code that you are running and what error messaging you are getting with this policy applied?
Oliver Dunk | DevRel, Chrome Extensions | https://developer.chrome.com/ | London, GB

Flozzl 51

no leída,
1 nov 2023, 8:47:52 a.m.1/11/23
para Chromium Extensions,Oliver Dunk,Chromium Extensions,ELU Konsult,Jun Kokatsu,MH,Jackie Han,iza,Flozzl 51
Sorry, what do you want me to do?
The policy is active but its not working. 

Screenshot 2023-11-01 134630.jpg

Oliver Dunk

no leída,
1 nov 2023, 9:16:29 a.m.1/11/23
para Flozzl 51,Chromium Extensions,ELU Konsult,Jun Kokatsu,MH,Jackie Han,iza
Could you share:
  • The code you are running to test if this is working (just the snippet navigating to a file:// URL is ok)
  • What error message you see when this fails to work
Thanks,
Oliver Dunk | DevRel, Chrome Extensions | https://developer.chrome.com/ | London, GB

Flozzl 51

no leída,
1 nov 2023, 9:28:57 a.m.1/11/23
para Chromium Extensions,Oliver Dunk,Chromium Extensions,ELU Konsult,Jun Kokatsu,MH,Jackie Han,iza,Flozzl 51
For example : file://ourdomain.local/file.pdf
Then a new site opens "chrome-extension://nikfmfgobenbhmocjaaboihbeocackld/options/index.html#need-file-scheme-access"

This is what you need?
Screenshot 2023-11-01 142756.jpg

Oliver Dunk

no leída,
1 nov 2023, 9:38:30 a.m.1/11/23
para Flozzl 51,Chromium Extensions,ELU Konsult,Jun Kokatsu,MH,Jackie Han,iza
How are you navigating to that URL? tabs.create, tabs.update, windows.create etc.

Just want to understand the exact issue you're having.
Oliver Dunk | DevRel, Chrome Extensions | https://developer.chrome.com/ | London, GB

Flozzl 51

no leída,
1 nov 2023, 9:50:30 a.m.1/11/23
para Chromium Extensions,Oliver Dunk,Chromium Extensions,ELU Konsult,Jun Kokatsu,MH,Jackie Han,iza,Flozzl 51
Yes ok and im not into coding but i hope the screenshot will be helpful.
Otherwise let me know, which steps i can do.

Screenshot 2023-11-01 144720.jpg

Oliver Dunk

no leída,
1 nov 2023, 10:02:25 a.m.1/11/23
para Flozzl 51,Chromium Extensions,ELU Konsult,Jun Kokatsu,MH,Jackie Han,iza
Thanks for sharing that screenshot, along with the extension ID it provides some helpful context.

It looks like the extension was updated with support for the original change but not support for the policy, so this may need a change from the developer of that extension. You could try reaching out to them using the email address on their Chrome Web Store listing.

In particular, there is some code here which basically prevents things from working unless the file access checkbox is enabled. Unfortunately since the policy and checkbox aren't linked that check is failing. Hopefully that makes a bit of sense?

Thanks,
Oliver Dunk | DevRel, Chrome Extensions | https://developer.chrome.com/ | London, GB