Simplify extension server startup

Security issues around where DevTools extensions are allowed to be run.
This change mostly preserves the existing extension semantics while
tightening up the rules to prevent new URL schemes from being permitted
from being attached.

Bug: 376303922
Change-Id: I0b25fbb2975657a682457f64848c308c54121e77
Reviewed-on: https://chromium-review.googlesource.com/c/devtools/devtools-frontend/+/5976474
Reviewed-by: Danil Somsikov <[email protected]>
Commit-Queue: Robert Paveza <[email protected]>

Author: robpaveza

front_end/models/extensions/ExtensionServer.test.ts

@@ -704,6 +704,20 @@ describe('ExtensionServer', () => {
       assert.isTrue(Extensions.ExtensionServer.ExtensionServer.canInspectURL(url), url);
     }
   });
+
+  it('cannot inspect non-HTTP URL schemes', () => {
+    const blockedUrls = [
+      'devtools://devtools/bundled/front_end/devtools_app.html',
+      'devtools://devtools/anything',
+      'chrome://extensions',
+      'chrome-untrusted://extensions',
+      'chrome-error://crash',
+      'chrome-search://foo/bar',
+    ];
+    for (const url of blockedUrls as Platform.DevToolsPath.UrlString[]) {
+      assert.isFalse(Extensions.ExtensionServer.ExtensionServer.canInspectURL(url), url);
+    }
+  });
 });
 
 function assertIsStatus<T>(value: T|

front_end/models/extensions/ExtensionServer.ts

@@ -56,15 +56,14 @@ import {RecorderExtensionEndpoint} from './RecorderExtensionEndpoint.js';
 import {RecorderPluginManager} from './RecorderPluginManager.js';
 
 const extensionOrigins: WeakMap<MessagePort, Platform.DevToolsPath.UrlString> = new WeakMap();
+const kPermittedSchemes = ['http:', 'https:', 'file:', 'data:', 'chrome-extension:', 'about:'];
 
 declare global {
   interface Window {
     DevToolsAPI?: {getInspectedTabId?(): string|undefined, getOriginsForbiddenForExtensions?(): string[]};
   }
 }
 
-const kAllowedOrigins = [].map(url => (new URL(url)).origin);
-
 let extensionServerInstance: ExtensionServer|null;
 
 export class HostsPolicy {
@@ -1406,19 +1405,8 @@ export class ExtensionServer extends Common.ObjectWrapper.ObjectWrapper<EventTyp
     } catch (exception) {
       return false;
     }
-    if (kAllowedOrigins.includes(parsedURL.origin)) {
-      return true;
-    }
-    if (parsedURL.protocol === 'chrome:' || parsedURL.protocol === 'devtools:' ||
-        parsedURL.protocol === 'chrome-untrusted:' || parsedURL.protocol === 'chrome-error:' ||
-        parsedURL.protocol === 'chrome-search:') {
-      return false;
-    }
-    if (parsedURL.protocol.startsWith('http') && parsedURL.hostname.match(/^chrome\.google\.com\.?$/) &&
-        parsedURL.pathname.startsWith('/webstore')) {
-      return false;
-    }
-    if (parsedURL.protocol.startsWith('http') && parsedURL.hostname.match(/^chromewebstore\.google\.com\.?$/)) {
+
+    if (!kPermittedSchemes.includes(parsedURL.protocol)) {
       return false;
     }
 
@@ -1428,9 +1416,34 @@ export class ExtensionServer extends Common.ObjectWrapper.ObjectWrapper<EventTyp
       return false;
     }
 
+    if (this.#isUrlFromChromeWebStore(parsedURL)) {
+      return false;
+    }
+
     return true;
   }
 
+  /**
+   * Tests whether a given URL is from the Chrome web store to prevent the extension server from
+   * being injected. This is treated as separate from the `getOriginsForbiddenForExtensions` API because
+   * DevTools might not be being run from a native origin and we still want to lock down this specific
+   * origin from DevTools extensions.
+   *
+   * @param parsedURL The URL to check
+   * @returns `true` if the URL corresponds to the Chrome web store; otherwise `false`
+   */
+  static #isUrlFromChromeWebStore(parsedURL: URL): boolean {
+    if (parsedURL.protocol.startsWith('http') && parsedURL.hostname.match(/^chrome\.google\.com\.?$/) &&
+        parsedURL.pathname.startsWith('/webstore')) {
+      return true;
+    }
+    if (parsedURL.protocol.startsWith('http') && parsedURL.hostname.match(/^chromewebstore\.google\.com\.?$/)) {
+      return true;
+    }
+
+    return false;
+  }
+
   private disableExtensions(): void {
     this.extensionsEnabled = false;
   }