| Adrian Taylor | 094e3dd | 2021-05-04 17:09:06 | [diff] [blame] | 1 | # The browser process should not handle messages from web content |
| 2 | |
| Adrian Taylor | 46683d8c | 2021-05-04 22:30:22 | [diff] [blame] | 3 |  |
| 6 | |
| 7 | (drawing source |
| 8 | [here](https://docs.google.com/drawings/d/1SmqvOvLY_DnDxeJHKQRB3rACO0aVSHpyfTycV2v1P1w/edit?usp=sharing)) |
| 9 | |
| Adrian Taylor | 094e3dd | 2021-05-04 17:09:06 | [diff] [blame] | 10 | Sometimes features are proposed in which the Chrome user interface (in the |
| 11 | browser process) handles messages directly from web content (JavaScript, HTML |
| 12 | etc.). For example, this could be done using the `postMessage` APIs which have |
| 13 | been put in place for Android WebView apps. This is not allowed, because: |
| 14 | |
| 15 | * Overall system security relies on simple and predictable security properties. |
| 16 | Adding extra message channels causes complexity, non-discoverability and |
| 17 | non-predictability. |
| 18 | * Chrome's security strategy relies on isolating web content using sandboxed |
| 19 | renderer processes and site isolation. Any communication outside of that |
| 20 | renderer process presents a risk of a sandbox escape. All such communication |
| 21 | has to be via Mojo such that the `mojom` interface definition files go through |
| 22 | our [IPC security review process](mojo.md) (and will benefit from other future |
| 23 | Mojo security improvements). |
| Adrian Taylor | 0933042b | 2021-05-04 20:59:07 | [diff] [blame] | 24 | * Websites are untrustworthy. TLS can’t guarantee the provenance of a website — |
| Adrian Taylor | 094e3dd | 2021-05-04 17:09:06 | [diff] [blame] | 25 | even pinning has limits — and so you must assume any messages from websites |
| 26 | are malicious. Processing such messages in the browser process in C++ is |
| 27 | likely a violation of the [Rule of Two](rule-of-2.md) and is extremely |
| 28 | dangerous. |
| 29 | * Even if you can comply with the Rule of Two (for example by using a safe |
| 30 | language) it's simply difficult to produce robust APIs that are safe against |
| Adrian Taylor | 0933042b | 2021-05-04 20:59:07 | [diff] [blame] | 31 | malicious data: the open web platform [API review |
| 32 | process](https://www.chromium.org/blink/launching-features) is designed to |
| 33 | flush out any concerns. Any APIs or functionality accessible to web content |
| Adrian Taylor | 094e3dd | 2021-05-04 17:09:06 | [diff] [blame] | 34 | therefore needs to go via that process to give the best chance of spotting |
| 35 | danger. |
| 36 | * There are non-security concerns: It does not comply with the spirit of an open |
| 37 | web platform which should be equally available on all user agents. |
| 38 | |
| Adrian Taylor | 094e3dd | 2021-05-04 17:09:06 | [diff] [blame] | 39 | In order to support WebView, WebLayer, and CCT, APIs exist in Chrome to |
| 40 | establish web message channels between the embedding application and web page. |
| 41 | These exist only to support these "embedding the web" scenarios, which are often |
| 42 | used to build site- or purpose-specific browsers. General browser features |
| 43 | should not use them because of the reasons stated above. |
| 44 | |
| Adrian Taylor | 0933042b | 2021-05-04 20:59:07 | [diff] [blame] | 45 | Other mechanisms of bypassing normal processes might include exposing unreviewed |
| 46 | APIs to a component extension, and making its APIs available to web content. |
| 47 | These are similarly not allowed. |
