diff --git a/dwds/debug_extension_mv3/web/background.dart b/dwds/debug_extension_mv3/web/background.dart
index a96e28f37..5efd5307f 100644
--- a/dwds/debug_extension_mv3/web/background.dart
+++ b/dwds/debug_extension_mv3/web/background.dart
@@ -69,6 +69,7 @@ Future _handleRuntimeMessages(
 expectedType: MessageType.isAuthenticated,
 expectedSender: Script.detector,
 expectedRecipient: Script.background,
+ sender: sender,
 messageHandler: (String isAuthenticated) async {
 final dartTab = sender.tab;
 if (dartTab == null) {
@@ -89,6 +90,7 @@ Future _handleRuntimeMessages(
 expectedType: MessageType.debugInfo,
 expectedSender: Script.detector,
 expectedRecipient: Script.background,
+ sender: sender,
 messageHandler: (DebugInfo debugInfo) async {
 final dartTab = sender.tab;
 if (dartTab == null) {
@@ -118,6 +120,7 @@ Future _handleRuntimeMessages(
 expectedType: MessageType.debugStateChange,
 expectedSender: Script.debuggerPanel,
 expectedRecipient: Script.background,
+ sender: sender,
 messageHandler: (DebugStateChange debugStateChange) {
 final newState = debugStateChange.newState;
 final tabId = debugStateChange.tabId;
@@ -132,6 +135,7 @@ Future _handleRuntimeMessages(
 expectedType: MessageType.debugStateChange,
 expectedSender: Script.popup,
 expectedRecipient: Script.background,
+ sender: sender,
 messageHandler: (DebugStateChange debugStateChange) {
 final newState = debugStateChange.newState;
 final tabId = debugStateChange.tabId;
@@ -146,6 +150,7 @@ Future _handleRuntimeMessages(
 expectedType: MessageType.multipleAppsDetected,
 expectedSender: Script.detector,
 expectedRecipient: Script.background,
+ sender: sender,
 messageHandler: (String multipleAppsDetected) async {
 final dartTab = sender.tab;
 if (dartTab == null) {
@@ -167,6 +172,7 @@ Future _handleRuntimeMessages(
 expectedType: MessageType.appId,
 expectedSender: Script.copier,
 expectedRecipient: Script.background,
+ sender: sender,
 messageHandler: (String appId) {
 displayNotification('Copied app ID: $appId');
 },
diff --git a/dwds/debug_extension_mv3/web/chrome_api.dart b/dwds/debug_extension_mv3/web/chrome_api.dart
index a7e9db0c9..bb085cf8e 100644
--- a/dwds/debug_extension_mv3/web/chrome_api.dart
+++ b/dwds/debug_extension_mv3/web/chrome_api.dart
@@ -191,6 +191,8 @@ class Runtime {
 external String getURL(String path);
+ external String get id;
+
 // Note: Not checking the lastError when one occurs throws a runtime exception.
 external ChromeError? get lastError;
@@ -253,6 +255,7 @@ class MessageSender {
 external String? get id;
 external Tab? get tab;
 external String? get url;
+ external String? get origin;
 external factory MessageSender({String? id, String? url, Tab? tab});
 }
diff --git a/dwds/debug_extension_mv3/web/copier.dart b/dwds/debug_extension_mv3/web/copier.dart
index dcd1be86e..87919d443 100644
--- a/dwds/debug_extension_mv3/web/copier.dart
+++ b/dwds/debug_extension_mv3/web/copier.dart
@@ -32,6 +32,7 @@ void _handleRuntimeMessages(
 expectedType: MessageType.appId,
 expectedSender: Script.background,
 expectedRecipient: Script.copier,
+ sender: sender,
 messageHandler: _copyAppId,
 );
diff --git a/dwds/debug_extension_mv3/web/messaging.dart b/dwds/debug_extension_mv3/web/messaging.dart
index 9d5fa5640..25c3f611e 100644
--- a/dwds/debug_extension_mv3/web/messaging.dart
+++ b/dwds/debug_extension_mv3/web/messaging.dart
@@ -14,6 +14,7 @@ import 'package:js/js.dart';
 import 'chrome_api.dart';
 import 'data_serializers.dart';
 import 'logger.dart';
+import 'utils.dart';
 // A default response for the sendResponse callback.
 //
@@ -90,9 +91,12 @@ void interceptMessage({
 required MessageType expectedType,
 required Script expectedSender,
 required Script expectedRecipient,
+ required MessageSender sender,
 required void Function(T message) messageHandler,
 }) {
 if (message == null) return;
+ if (!_isLegitimateSender(sender)) return;
+
 try {
 final decodedMessage = Message.fromJSON(message);
 if (decodedMessage.type != expectedType ||
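Review bot: The new `if (!_isLegitimateSender(sender)) return;` in `interceptMessage` runs before the `try`, so an exception raised inside the sender check escapes `interceptMessage` instead of being handled alongside the decoding errors; the helper added in the `@@ -188,3 +192,31 @@` hunk calls `Uri.parse(sender.origin ?? '')`, which can throw a `FormatException` on a malformed origin string. Replace the parse with `final senderUri = Uri.tryParse(sender.origin ?? ''); if (senderUri == null) return false;` in that helper, or move the sender check inside the `try` so a bad origin is rejected rather than crashing the listener. A rejected sender is also worth a log line (the file imports `logger.dart`) so a dropped message is distinguishable from one that never arrived. The rest of `interceptMessage`'s body is outside the hunk.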
@@ -188,3 +192,31 @@ Future _sendMessage({
 }
 return completer.future;
 }
+
+// Verify the message sender is our extension.
+bool _isLegitimateSender(MessageSender sender) {
+ // Check that the sender ID matches our extension ID:
+ if (sender.id != chrome.runtime.id) return false;
+
+ final senderUri = Uri.parse(sender.origin ?? '');
+ final senderHost = senderUri.host;
+ final isDartAppHost = senderHost == 'localhost' ||
+ senderHost == '127.0.0.1' ||
+ _isGoogleHost(senderHost);
+ final isExtensionOrigin =
+ senderHost == chrome.runtime.id && senderUri.scheme == 'chrome-extension';
+
+ if (isDartAppHost || isExtensionOrigin) return true;
+
+ // If the sender's host is unexpected, display an error.
+ displayNotification(
+ 'Unexpected sender ${sender.origin}. Please file a bug at go/dde-bug or https://github.com/dart-lang/webdev',
+ isError: true,
+ );
+ return false;
+}
+
+bool _isGoogleHost(String host) {
+ const googleSuffices = ['.googlers.com', '.google.com', '.googleprod.com'];
+ return googleSuffices.any((suffix) => host.endsWith(suffix));
+}
diff --git a/dwds/debug_extension_mv3/web/panel.dart b/dwds/debug_extension_mv3/web/panel.dart
index 7494030be..1931db650 100644
--- a/dwds/debug_extension_mv3/web/panel.dart
+++ b/dwds/debug_extension_mv3/web/panel.dart
@@ -89,6 +89,7 @@ void _handleRuntimeMessages(
 expectedType: MessageType.debugStateChange,
 expectedSender: Script.background,
 expectedRecipient: Script.debuggerPanel,
+ sender: sender,
 messageHandler: (DebugStateChange debugStateChange) async {
 if (debugStateChange.tabId != _tabId) {
 debugWarn(
@@ -107,6 +108,7 @@ void _handleRuntimeMessages(
 expectedType: MessageType.connectFailure,
 expectedSender: Script.background,
 expectedRecipient: Script.debuggerPanel,
+ sender: sender,
 messageHandler: (ConnectFailure connectFailure) async {
 debugLog(
 'Received connect failure for ${connectFailure.tabId} vs $_tabId',
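Review bot: The header comment `// Verify the message sender is our extension.` understates what `_isLegitimateSender` enforces: after the id check it also restricts the origin to `localhost`, `127.0.0.1`, the Google suffixes in `_isGoogleHost`, or a `chrome-extension://` origin whose host is this extension's id, so a reader should not assume the id check alone is the policy. Suggest `// Accept a message only if it comes from this extension (sender.id) AND its origin is one of this extension's own pages or a host where a Dart app is expected (localhost, 127.0.0.1, Google hosts) — presumably the content scripts running in those pages.` The id-mismatch branch returns `false` with no diagnostic, while the host-mismatch branch surfaces a user-facing notification; a `debugWarn('Dropped message from unexpected sender id: ${sender.id}')` before that `return false` (if `logger.dart` exposes it) would make such drops visible during triage. The suffix list in `_isGoogleHost` is safe against prefix tricks because each entry starts with a dot, but the note about `Uri.parse` possibly throwing on a malformed origin is raised at the `interceptMessage` hunk and applies here as well.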
@@ -185,7 +187,7 @@ Future _maybeUpdateFileABugLink() async {
 if (bugLink == null) return;
 bugLink.setAttribute(
 'href',
- 'http://b/issues/new?component=775375&template=1791321',
+ 'http://go/dde-bug',
 );
 }
 }