For this exploit, the security defenses didn't impress me as much. The immediate question I have is: why are there chrome:// URLs at all? It seems you could achieve a much stronger sandbox by using native UI controls that are simply not attached to the webview. Then it would not be possible to trick it into making a same-origin mistake.
I mean, this is standard advice for web apps and services, right? You build the control interface completely outside the main user app.
1) From a UX perspective, we prefer to have the majority of the UI within a tab. We don't want to build up an entirely separate UI hierarchy outside tabs.
2) We tried putting native UI within a tab in early versions of Chrome, and it did not feel right. There was an uncanny valley effect. If the content of a tab doesn't feel like HTML, it feels wrong. And it isn't practical to emulate the feel of HTML perfectly with native code.
3) The Chrome team puts a lot of engineering effort into making the web platform as strong as it can be. We would like to eat our own dogfood when possible.
I don't understand why on (chrome://chrome/settings/) I have blue links, blue underlined links, and buttons. I guess I could figure it out, but the meaning is opaque to me at the moment.
A lot of it is just "The Way It's Done", I'm sure. The "about://" and "about://plugins" URLs have worked since the very early days of Netscape (and still do in Chrome, which redirects them appropriately). It's an interface that Chrome inherited. They didn't design it, so it didn't receive the same security attention.
They didn't invent it, but they've sure run with it. There's no about://downloads in Firefox AFAIK, to pick one example from the exploit. It just feels like the obvious solution to "superuser" web pages is not some high-tech intrusion system, but to not have superuser web pages. It's like every heist movie ever made where the thief dodges through the dancing laser beams. I think the ideological pressure to make literally everything be the "web" is costing them real security here. And just like the movies, it does look cool.
Thanks. That's kinda terrifying. I knew a little about XUL, but underestimated its usage because the little windows don't look quite as much like web pages. More blame for Mozilla, I guess...
I agree that these URLs would be a target for exploits; an obvious place to target.
I even guessed that this change to 'unreachables' was part of closing the security hole: http://news.ycombinator.com/item?id=3686730