| Adrian Taylor | 094e3dd | 2021-05-04 17:09:06 | [diff] [blame^] | 1 | # The browser process should not handle messages from web content |
| 2 | |
| 3 | Sometimes features are proposed in which the Chrome user interface (in the |
| 4 | browser process) handles messages directly from web content (JavaScript, HTML |
| 5 | etc.). For example, this could be done using the `postMessage` APIs which have |
| 6 | been put in place for Android WebView apps. This is not allowed, because: |
| 7 | |
| 8 | * Overall system security relies on simple and predictable security properties. |
| 9 | Adding extra message channels causes complexity, non-discoverability and |
| 10 | non-predictability. |
| 11 | * Chrome's security strategy relies on isolating web content using sandboxed |
| 12 | renderer processes and site isolation. Any communication outside of that |
| 13 | renderer process presents a risk of a sandbox escape. All such communication |
| 14 | has to be via Mojo such that the `mojom` interface definition files go through |
| 15 | our [IPC security review process](mojo.md) (and will benefit from other future |
| 16 | Mojo security improvements). |
| 17 | * Websites are untrustworthy. TLS can’t guarantee the identity of a website — |
| 18 | even pinning has limits — and so you must assume any messages from websites |
| 19 | are malicious. Processing such messages in the browser process in C++ is |
| 20 | likely a violation of the [Rule of Two](rule-of-2.md) and is extremely |
| 21 | dangerous. |
| 22 | * Even if you can comply with the Rule of Two (for example by using a safe |
| 23 | language) it's simply difficult to produce robust APIs that are safe against |
| 24 | malicious data: the open web platform API review process is designed to flush |
| 25 | out any concerns. Any APIs or functionality accessible to web content |
| 26 | therefore needs to go via that process to give the best chance of spotting |
| 27 | danger. |
| 28 | * There are non-security concerns: It does not comply with the spirit of an open |
| 29 | web platform which should be equally available on all user agents. |
| 30 | |
| 31 | Historically, there have been some instances where this rule has been violated |
| 32 | and complexity has resulted. For example, the U2F short-cut caused long-term |
| 33 | pain for the entire industry in moving to the open standard WebAuthn |
| 34 | replacement. |
| 35 | |
| 36 | In order to support WebView, WebLayer, and CCT, APIs exist in Chrome to |
| 37 | establish web message channels between the embedding application and web page. |
| 38 | These exist only to support these "embedding the web" scenarios, which are often |
| 39 | used to build site- or purpose-specific browsers. General browser features |
| 40 | should not use them because of the reasons stated above. |
| 41 | |
