Validate `source_url` in ExtensionHostMsg_OpenChannelToExtension.

After this CL, the handler of the
ExtensionHostMsg_OpenChannelToExtension IPC will validate `source_url`
of its payload using ChildProcessSecurityPolicy::CanCommitURL.

Bug: 1038996
Change-Id: I6f07d85f590785ff2caef0626208f9768340cfa9
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3858024
Commit-Queue: Łukasz Anforowicz <[email protected]>
Reviewed-by: Devlin Cronin <[email protected]>
Cr-Commit-Position: refs/heads/main@{#1064650}
diff --git a/docs/security/compromised-renderers.md b/docs/security/compromised-renderers.md
index 334416c0..c1783338 100644
--- a/docs/security/compromised-renderers.md
+++ b/docs/security/compromised-renderers.md
@@ -213,9 +213,9 @@
- Spoof the `MessageEvent.origin` seen by a recipient of a `postMessage`.
- Bypass enforcement of the `targetOrigin` argument of `postMessage`.
- Send or receive `BroadcastChannel` messages for another origin.
-- Spoof the `MessageSender.origin`, nor `MessageSender.id` (i.e. an
- extension id which can differ from the origin when the message is sent
- from a content script), as seen by a recipient of a
+- Spoof the `MessageSender.url`, nor `MessageSender.origin`, nor
+ `MessageSender.id` (i.e. an extension id which can differ from the origin when
+ the message is sent from a content script), as seen by a recipient of a
`chrome.runtime.sendMessage`.
See also [MessageSender documentation](https://developers.chrome.com/extensions/runtime#type-MessageSender) and [content script security guidance](https://groups.google.com/a/chromium.org/forum/#!topic/chromium-extensions/0ei-UCHNm34).
- Spoof the id of a Chrome extension initiating
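Review bot: The reworded bullet starting at `MessageSender.url` states the guarantee as absolute, but per the commit message the check is ChildProcessSecurityPolicy::CanCommitURL on `source_url`, which establishes that the sending process is allowed to commit that URL, not that the sending frame actually committed it. Consider qualifying the bullet to say that a compromised renderer cannot report a `MessageSender.url` outside what its process is permitted to commit, so that extension authors reading this list do not treat the path or query of `sender.url` as a stronger signal than the origin. The bullet also names only `chrome.runtime.sendMessage` as the recipient API while the commit message describes the change in terms of the ExtensionHostMsg_OpenChannelToExtension handler; a short mention of which messaging entry points the guarantee covers would make the scope clear. Minor style point: the "Spoof the ..., nor ..., nor ..." construction is carried over from the old text and would read more cleanly as a plain "or" list.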