Adrian Taylor | 094e3dd | 2021-05-04 17:09:06

# The browser process should not handle messages from web content

Sometimes features are proposed in which the Chrome user interface (in the
browser process) handles messages directly from web content (JavaScript, HTML
etc.). For example, this could be done using the `postMessage` APIs which have
been put in place for Android WebView apps. This is not allowed, because:

* Overall system security relies on simple and predictable security properties.
  Adding extra message channels causes complexity, non-discoverability and
  non-predictability.
* Chrome's security strategy relies on isolating web content using sandboxed
  renderer processes and site isolation. Any communication outside of that
  renderer process presents a risk of a sandbox escape. All such communication
  has to be via Mojo such that the `mojom` interface definition files go through
  our [IPC security review process](mojo.md) (and will benefit from other future
  Mojo security improvements).
* Websites are untrustworthy. TLS can’t guarantee the provenance of a website —
  even pinning has limits — and so you must assume any messages from websites
  are malicious. Processing such messages in the browser process in C++ is
  likely a violation of the [Rule of Two](rule-of-2.md) and is extremely
  dangerous.
* Even if you can comply with the Rule of Two (for example by using a safe
  language), it's simply difficult to produce robust APIs that are safe against
  malicious data: the open web platform [API review
  process](https://www.chromium.org/blink/launching-features) is designed to
  flush out any concerns. Any APIs or functionality accessible to web content
  therefore need to go via that process to give the best chance of spotting
  danger.
* There are non-security concerns: it does not comply with the spirit of an open
  web platform, which should be equally available on all user agents.

In order to support WebView, WebLayer, and CCT, APIs exist in Chrome to
establish web message channels between the embedding application and web page.
These exist only to support these "embedding the web" scenarios, which are often
used to build site- or purpose-specific browsers. General browser features
should not use them because of the reasons stated above.

Other mechanisms of bypassing normal processes might include exposing unreviewed
APIs to a component extension, and making its APIs available to web content.
These are similarly not allowed.