Google Git
Sign in
chromium / chromium / src / 0481d82f2174bfa46c4ad93c529bd7ad0639103e^! / .
commit0481d82f2174bfa46c4ad93c529bd7ad0639103e[log] [tgz]
authorLukasz Anforowicz <[email protected]>Wed May 27 22:08:24 2020
committerCommit Bot <[email protected]>Wed May 27 22:08:24 2020
tree1e97a2f239a6e57f4dd17dff958883ab638a873e
parentc4afdf275b0371753d4a1ab778c505b07eb30441 [diff]
Describing compromised renderer threat model for the DevTools frontend.

Bug: 1015882
Change-Id: I4cd7d39808c4e2ac6df1d159fe91da8803f5209d
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2216598
Reviewed-by: Yang Guo <[email protected]>
Reviewed-by: Nasko Oskov <[email protected]>
Reviewed-by: Andrey Kosyakov <[email protected]>
Commit-Queue: Ɓukasz Anforowicz <[email protected]>
Cr-Commit-Position: refs/heads/master@{#772424}

diff --git a/docs/security/compromised-renderers.md b/docs/security/compromised-renderers.md
index 8114b6c..5b21ec9 100644
--- a/docs/security/compromised-renderers.md
+++ b/docs/security/compromised-renderers.md

@@ -388,3 +388,24 @@
   processes on Android (for example affecting protections of CORB, CORP,
   Sec-Fetch-Site and in the future SameSite cookies and Origin
   protections).  See also https://crbug.com/891872.
+
+
+## Renderer processes hosting DevTools frontend
+
+If an attacker could take control over the DevTools frontend then the attacker
+would gain access to all the cookies, storage, etc. of any origin within the
+page and would be able to execute arbitrary scripts in any frame of the page.
+This means that treating the DevTools renderer as untrustworthy wouldn't in
+practice offer additional protection for the same-origin-policy.
+
+Because of the above:
+
+- Chrome ensures that the DevTools frontend is always hosted in a renderer
+  process separate from renderers hosting web origins.
+- Chrome assumes that the DevTools frontend is always trustworthy
+  (i.e. never compromised, or under direct control of an attacker).
+  For example, when the DevTools process asks to initiate a HTTP request on
+  behalf of https://example.com, the browser process trusts the DevTools
+  renderer to claim authority to initiate requests of behalf of this origin
+  (e.g. attach SameSite cookies, send appropriate Sec-Fetch-Site request header,
+  etc.).