Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

disable chrome.webstore.install for inline extensions #614

Closed
diracdeltas opened this issue Jul 20, 2018 · 4 comments
Closed

disable chrome.webstore.install for inline extensions #614

diracdeltas opened this issue Jul 20, 2018 · 4 comments
Assignees
@bbondy @bsclifton @AilinLiao
Labels
audit-beta feature/extensions QA Pass-Linux QA Pass-macOS QA Pass-Win64 QA/Yes release/blocking sec-high security
Milestone
0.55.x - Release ...

Comments

@diracdeltas
Copy link
Member

context: https://blog.chromium.org/2018/06/improving-extension-transparency-for.html

inline extensions are a huge malware risk. we should disable them in Brave.

AFAIK it is sufficient to disable the chrome.webstore.install method

note that in c71, chrome will disable it as well (possibly with a redirect to CWS which would be slightly better UX than silently failing).
@diracdeltas diracdeltas changed the title disable chrome.webstore.install Jul 23, 2018
@bbondy
Copy link
Member

bbondy commented Jul 23, 2018

Noting possibly the right thing is to redirect instead of remove the API.
@bbondy bbondy added this to the Releasable builds milestone Jul 26, 2018
@jumde jumde added this to Beta channel blockers in Security & Privacy Jul 26, 2018
@bbondy bbondy added this to Brian Bondy in 0.55.x - Release Jul 30, 2018
@diracdeltas diracdeltas mentioned this issue Aug 17, 2018
Closed
bbondy added a commit to brave/brave-core that referenced this issue Aug 18, 2018
@bbondy
Redirect users to extension store for inline install requests
bcd988c 
Fix brave/brave-browser#614
@bbondy bbondy mentioned this issue Aug 18, 2018
Merged
9 tasks
@bbondy
Copy link
Member

bbondy commented Aug 18, 2018

@AilinLiao @bsclifton after this lands you'll have to rebase your patch I think.
@bbondy bbondy added the QA/Yes label Aug 21, 2018
@bbondy
Copy link
Member

bbondy commented Aug 21, 2018

QA note: zenhub has an extension on their page which uses this API.
@bbondy bbondy removed this from Brian Bondy in 0.55.x - Release Sep 3, 2018
@btlechowski
Copy link

btlechowski commented Sep 24, 2018
edited by kjozwiak
Loading

Verification passes on

Brave 0.55.6 Chromium: 70.0.3538.16 (Official Build) dev (64-bit)
Revision 16ed95b41bb05e565b11fb66ac33c660b721f778-refs/branch-heads/3538@{#306}
OS Windows 7

redirected to ZenHub for GitHub on chrome web store

Verification Passed on

Brave 0.55.6 Chromium: 70.0.3538.16 (Official Build) dev (64-bit)
Revision 16ed95b41bb05e565b11fb66ac33c660b721f778-refs/branch-heads/3538@{#306}
OS Linux
  • Verified installing Zenhub from their website redirects to CWS on a new tab and installs the extension

Went through verification using the following build under macOS 10.13.6 x64 - PASSED

Brave 0.55.6 Chromium: 70.0.3538.16 (Official Build) dev (64-bit)
Revision 16ed95b41bb05e565b11fb66ac33c660b721f778-refs/branch-heads/3538@{#306}
OS Mac OS X
@bbondy bbondy added the QA/Yes label Sep 27, 2018
@bbondy bbondy moved this from Beta channel blockers to Completed in Security & Privacy Oct 30, 2018
@rebron rebron removed this from Completed in Security & Privacy Nov 12, 2018
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
audit-beta feature/extensions QA Pass-Linux QA Pass-macOS QA Pass-Win64 QA/Yes release/blocking sec-high security
7 participants
@diracdeltas @bbondy @kjozwiak @bsclifton @AilinLiao @srirambv @btlechowski