Add WebUI allowlist for Alloy-style browsers (fixes #3763)

2024-08-07 14:12:08 -04:00 · 2024-08-07 14:12:08 -04:00 · 5c235a209f
parent 6d71342015
commit 5c235a209f
1 changed files with 52 additions and 2 deletions
--- a/libcef/browser/alloy/alloy_browser_host_impl.cc
+++ b/libcef/browser/alloy/alloy_browser_host_impl.cc
@ -33,6 +33,7 @@
 #include "cef/libcef/common/values_impl.h"
 #include "chrome/browser/file_select_helper.h"
 #include "chrome/browser/picture_in_picture/picture_in_picture_window_manager.h"
+#include "chrome/common/webui_url_constants.h"
 #include "components/input/native_web_keyboard_event.h"
 #include "components/zoom/page_zoom.h"
 #include "content/browser/gpu/compositor_util.h"
@ -57,6 +58,47 @@ namespace {

 static constexpr base::TimeDelta kRecentlyAudibleTimeout = base::Seconds(2);

+// List of WebUI hosts that have been tested to work in Alloy-style browsers.
+// Do not add new hosts to this list without also manually testing all related
+// functionality in CEF.
+const char* kAllowedWebUIHosts[] = {
+    chrome::kChromeUIAccessibilityHost,
+    content::kChromeUIBlobInternalsHost,
+    chrome::kChromeUIChromeURLsHost,
+    chrome::kChromeUICreditsHost,
+    content::kChromeUIGpuHost,
+    content::kChromeUIHistogramHost,
+    content::kChromeUIIndexedDBInternalsHost,
+    chrome::kChromeUILicenseHost,
+    content::kChromeUIMediaInternalsHost,
+    chrome::kChromeUINetExportHost,
+    chrome::kChromeUINetInternalsHost,
+    content::kChromeUINetworkErrorHost,
+    content::kChromeUINetworkErrorsListingHost,
+    chrome::kChromeUIPrintHost,
+    content::kChromeUIProcessInternalsHost,
+    content::kChromeUIResourcesHost,
+#if BUILDFLAG(IS_WIN) || BUILDFLAG(IS_LINUX)
+    chrome::kChromeUISandboxHost,
+#endif
+    content::kChromeUIServiceWorkerInternalsHost,
+    chrome::kChromeUISystemInfoHost,
+    chrome::kChromeUITermsHost,
+    chrome::kChromeUIThemeHost,
+    content::kChromeUITracingHost,
+    chrome::kChromeUIVersionHost,
+    content::kChromeUIWebRTCInternalsHost,
+};
+
+bool IsAllowedWebUIHost(const std::string_view& host) {
+  for (auto& allowed_host : kAllowedWebUIHosts) {
+    if (base::EqualsCaseInsensitiveASCII(allowed_host, host)) {
+      return true;
+    }
+  }
+  return false;
+}
+
 }  // namespace

 // AlloyBrowserHostImpl static methods.
@ -567,8 +609,8 @@ bool AlloyBrowserHostImpl::MaybeAllowNavigation(
    // The PDF viewer will load the PDF extension in the guest view, and print
    // preview will load chrome://print in the guest view. The PDF renderer
    // used with PdfUnseasoned will set |params.is_pdf| when loading the PDF
-    // stream (see PdfNavigationThrottle::WillStartRequest). All other
-    // navigations are passed to the owner browser.
+    // stream (see PdfNavigationThrottle::WillStartRequest). All other guest
+    // view navigations are passed to the owner browser.
    CEF_POST_TASK(CEF_UIT,
                  base::BindOnce(
                      base::IgnoreResult(&AlloyBrowserHostImpl::OpenURLFromTab),
@ -577,6 +619,14 @@ bool AlloyBrowserHostImpl::MaybeAllowNavigation(
    return false;
  }

+  if (!is_guest_view && params.url.SchemeIs(content::kChromeUIScheme) &&
+      !IsAllowedWebUIHost(params.url.host_piece())) {
+    // Block navigation to non-allowlisted WebUI pages.
+    LOG(WARNING) << "Navigation to " << params.url.spec()
+                 << " is blocked in Alloy-style browser.";
+    return false;
+  }
+
  return true;
 }