
Google apps whitelist hardcoded into Chromium open source project - RyanZAG
https://code.google.com/p/chromium/codesearch#chromium/src/chrome/renderer/chrome_content_renderer_client.cc&q=plus.google.com&sq=package:chromium&dr=C&l=830
======
mwill
Throwing some more info here: this is the NaCl whitelist, and it looks like it
was originally added in Feb last year [1]. There's a discussion on Chromium Code
Reviews here [2], and an issue on the project itself here [3].

The original commit includes the comment 'We should remove this code when
PNaCl ships' which got removed somewhere along the way.

[1]
[http://src.chromium.org/viewvc/chrome/trunk/src/chrome/rende...](http://src.chromium.org/viewvc/chrome/trunk/src/chrome/renderer/chrome_content_renderer_client.cc?revision=122709)

[2]
[https://codereview.chromium.org/9368046](https://codereview.chromium.org/9368046)

[3]
[https://code.google.com/p/chromium/issues/detail?id=113668](https://code.google.com/p/chromium/issues/detail?id=113668)

~~~
mtrimpe
Does anybody know why (variations on copies of) leokun's comment are
automatically marked as dead?

The comment seems perfectly valid so I can't figure out why that would
happen...

~~~
voltagex_
The shortened link seems to do it.

------
hidamon
Why would they check if Adblock is installed or not?

[https://code.google.com/p/chromium/codesearch#chromium/src/c...](https://code.google.com/p/chromium/codesearch#chromium/src/chrome/renderer/chrome_content_renderer_client.cc&l=1261)

    bool ChromeContentRendererClient::IsAdblockInstalled() {
      return g_current_client->extension_dispatcher_->extensions()->Contains(
          "gighmmpiobklfepjocnamgkkbiglidom");
    }

    bool ChromeContentRendererClient::IsAdblockPlusInstalled() {
      return g_current_client->extension_dispatcher_->extensions()->Contains(
          "cfhdojbkjhnklbpkdaibdccddilifddb");
    }

~~~
elq
They were apparently trying to understand performance issues with adblock, so
they can fix them...

    // TODO(mpcomplete): remove the extension-related histograms after we collect
    // enough data. http://crbug.com/100411

    const bool use_adblock_histogram =
        ChromeContentRendererClient::IsAdblockInstalled();

[https://code.google.com/p/chromium/issues/detail?id=100411](https://code.google.com/p/chromium/issues/detail?id=100411)

------
oddshocks
Very uncool. Google's association with Chromium is why I still recommend
Firefox over Chromium, even though they are both open source. Now that I see
this, I'm glad I do.

------
theboss
I mean, Google is so large it will always be making mistakes like this. A lot
of people look at Google as a whole like it is the greatest set of technical
minds in any room on the planet. Sure they have lots of smart people etc., etc.,
but with >10,000 engineers it's impossible.

Also, with >10,000 engineers (even assuming they are the best 10k in the
world), mistakes will be made which is why vulnerabilities exist in the real
world.

I guess what I'm trying to say is. Don't act surprised. We've seen it before
and we will see it again.

~~~
ryanhuff
I agree, but let's also be sure they don't get a pass just because they are
large. In Google's case, being a behemoth corporation is in itself a business
risk that they need to manage, and one way to motivate them to self-police is by
holding them accountable for bad decisions.

------
rurounijones
What whitelist?

JS Execution? No popup blocking? Something else?

~~~
RyanZAG
Did a bit of digging - it lets NaCl apps downloaded from those whitelisted
Google APIs have access to "dev interfaces". A brief search shows that these dev
interfaces would have the ability to access the user's PC outside of the
Chrome sandbox.

In effect, this gives Google remote code execution rights from their domains
on anybody running Chromium.
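An added example, not code from this thread or from Chromium, that audits a Chromium-style C++ source for the two kinds of hardcoded values discussed here: extension-ID checks like the IsAdblockInstalled snippet hidamon quoted, and a host whitelist like the NaCl one RyanZAG describes. The embedded sample source, the array name kNaClWhitelist and its entries are constructed stand-ins (the extension IDs are the ones quoted above); only the extension-ID shape (32 characters from 'a' to 'p') is a known fact.

```python
import re
import sys
from typing import Dict, List

# Constructed sample modelled on snippets quoted in this thread. The array
# name kNaClWhitelist and its entries are stand-ins, not Chromium's real list.
SAMPLE_SOURCE = '''
bool ChromeContentRendererClient::IsAdblockInstalled() {
  return g_current_client->extension_dispatcher_->extensions()->Contains(
      "gighmmpiobklfepjocnamgkkbiglidom");
}
// Whitelisted apps must be served over https.
static const char* const kNaClWhitelist[] = {
  "plus.google.com",
  "example.invalid",
};
'''

# A Chrome extension ID is 32 characters, each in the range 'a'..'p'.
EXT_ID_RE = re.compile(r'"([a-p]{32})"')
# A hostname literal such as "plus.google.com".
HOST_RE = re.compile(r'"([a-z0-9.-]+\.[a-z]{2,})"')
# The initializer body of any array whose name contains "Whitelist".
WHITELIST_RE = re.compile(r'\w*[Ww]hitelist\w*\[\]\s*=\s*\{(.*?)\};', re.S)

def find_hardcoded_extension_ids(source: str) -> Dict[str, int]:
    """Map each extension-ID-shaped literal to the line it first appears on."""
    found: Dict[str, int] = {}
    for m in EXT_ID_RE.finditer(source):
        found.setdefault(m.group(1), source.count("\n", 0, m.start()) + 1)
    return found

def find_whitelisted_hosts(source: str) -> List[str]:
    """Hostname literals inside any *Whitelist[] initializer, in source order."""
    hosts: List[str] = []
    for arr in WHITELIST_RE.finditer(source):
        hosts.extend(HOST_RE.findall(arr.group(1)))
    return hosts

def audit(source: str) -> List[str]:
    """One finding per hardcoded value, suitable for a review checklist."""
    report = [f"line {ln}: extension ID check for {eid}"
              for eid, ln in find_hardcoded_extension_ids(source).items()]
    report += [f"whitelisted host: {h}" for h in find_whitelisted_hosts(source)]
    return report

if __name__ == "__main__":
    # Scan a real file if a path is given; otherwise use the constructed sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SOURCE
    print("\n".join(audit(text)) or "nothing found")
```

Run it against a checkout of chrome_content_renderer_client.cc to list every extension ID and whitelisted host a build carries, which is the quickest way to confirm whether a distribution has patched them out.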

~~~
darren_
> Brief search shows that these dev interfaces would have the ability to
> access the user's PC outside of the Chrome sandbox.

Aren't they just the APIs in
[https://code.google.com/p/chromium/codesearch#chromium/src/p...](https://code.google.com/p/chromium/codesearch#chromium/src/ppapi/c/dev/&sq=package:chromium&type=cs)?
By the looks of it they're just things that aren't ready for primetime, not
things that are special dev-only debug tools or whatever.

~~~
RyanZAG
Well there is

[https://code.google.com/p/chromium/codesearch#chromium/src/p...](https://code.google.com/p/chromium/codesearch#chromium/src/ppapi/c/dev/ppb_testing_dev.h&sq=package:chromium&type=cs)

and

[https://src.chromium.org/chrome/trunk/src/ppapi/c/extensions...](https://src.chromium.org/chrome/trunk/src/ppapi/c/extensions/dev/ppb_ext_events_dev.h)

I haven't looked deeply, but both seem to allow for access outside the
sandbox. Maybe a chromium committer could give more detail on the safety of
the dev interfaces. They are blocked from public usage for a reason though.

~~~
yzshen
They don't enable access outside the sandbox and should be pretty safe.

PPB_Testing_Dev is a set of helpers for writing tests: querying status of the
plugin; running nested message loop to wait for results of async operations;
simulate input events which are received _only by the plugin itself_.

PPB_Ext_Events_Dev is for registering/unregistering events provided by Chrome
apps APIs
([http://developer.chrome.com/apps/api_index.html](http://developer.chrome.com/apps/api_index.html)).
It will only be accessible when the NaCl module is included in a Chrome app.
This interface hasn't been implemented yet.

------
e12e
Apparently not patched out in Debian either (according to apt-get source
chromium-browser). I've got a bit of a mongrel system, so I can't rebuild from
source -- but it looks like it should be easy to patch that line to read:

    bool is_whitelisted_url = false;

(If one should be so inclined).

------
andyzweb
Code never lies, comments sometimes do.

    — Ron Jeffries

------
steve-slicify
From the source: _Allow Chrome Web Store extensions, built-in extensions and
extensions under development_ (for calls from whitelisted apps amongst others)

~~~
josteink
That, and give Google special treatment.

------
denzil_correa
An important comment in the code:

    // Whitelisted apps must be served over https.

~~~
josteink
Security issues aside, it still reeks of bad taste though.

Google is saying that everyone on the internet has to dump plugins, dump Flash
and create pure HTML solutions. HTML should be good enough for everyone!
Everyone except themselves, apparently.

They can just jump to native code on their websites whenever they like. So
much for their credibility when it comes to web-standards, eh?

~~~
true_religion
Isn't it entirely possible they want to dog food their own new code via Chrome
before they open up the API to the world?

~~~
josteink
If they were genuinely interested in dogfooding their own stuff to ensure it
works properly, they should also be dogfooding the process of whitelisting
plugins and websites, not to mention handling graceful fallback when the user
can't or won't do that.

That's a big part of getting the end-user experience to work well and can't
just be "tacked on" later.

~~~
true_religion
You're just adding things that probably aren't within the scope of the
project.

For instance, graceful fallback is a 'nice to have' but not necessary. If you
deny Flash or JavaScript, essentially most sites simply break. I imagine a
native client plugin would have the same results if you don't enable it.

As for whitelisting, why can't it simply be handled with the same dialogs
used for whitelisting all the other existing extensions per site?

------
skimmas
So it's a... Backdoor

------
mkhpalm
A lot of things are hardcoded into Chrome/Chromium. For example the font
types and sizes of the tab area. Their browser is practically unusable on a 4k
monitor at full resolution.

------
semjada
be evil

~~~
kdot
You have to remember that Chrome is an OS as well.

------
gcb1
Since Google started silently removing all the referrer removal options
developers contributed to Chromium over time, I've started to call it Google's
Chromium open source project.

------
mavdi
I'm more horrified by how ugly that code is.

