(resending from the right address)

John,

You definitely want to be careful with the image download. Since you'll be handing it off to another (not sandboxed) process (Growl for Mac, DBus for Linux), you need to do some sanity checking on the image by transcoding it in a sandboxed process. Otherwise, a malicious image may be able to compromise the process you hand it off to and gain access to the machine.

We're doing this transcoding for themes and extensions via the "utility process" (check out utility_process_host.cc as a starting point). The idea is that the image you get from the web may be malicious or just poorly formed, and by transcoding it, you can detect these problems and limit the damage to a sandboxed process.
Erik

On Thu, Jun 18, 2009 at 1:58 PM, John Gregg <[email protected]> wrote:
> Hi all,
>
> I'm working on a desktop notifications javascript API for web apps; on Mac
> these calls will go out to the Growl notification system if it's installed
> and the user has granted permission to get notifications from that origin. I'm
> still trying to completely grasp the sandbox architecture, so the question I
> need some input on is how to design the integration with respect to
> sandboxing & security.
>
> The Growl code that would be included in Chrome is just a stub that works
> by marshalling data over to a separate Growl process, so the surface area is
> small, but as a design question, is calling a third-party library
> something that should happen in the sandboxed renderer process, or should it
> be kept in the browser process? One other factor is that the notification
> requires an icon to be downloaded, which should happen outside the sandbox.
>
> So there are two possible flows:
>
> A. renderer gets notification(iconURL, text) call => hop to browser to
> download icon => call Growl from browser
>
> B. renderer gets notification(iconURL, text) call => hop to browser to
> download icon => pass back icon data to renderer => call Growl from renderer
>
> My instinct is that B is safer for the remote possibility that Growl chokes
> on the input and causes a crash. What do people think? Is there an
> existing precedent for similar library calls?
>
> Thanks,
> -John

--
Chromium Developers mailing list: [email protected]
View archives, change email options, or unsubscribe: http://groups.google.com/group/chromium-dev
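The pattern Erik describes (parse the untrusted icon in a sandboxed helper, and hand only the freshly re-encoded result to the unsandboxed consumer), as an added example that is not code from this thread or from Chromium. It uses a strict binary PPM transcoder run in a forked, rlimit-capped helper so that a malformed or oversized image is rejected or crashes the helper rather than the parent; the format choice, the caps and the sample images are constructed for illustration, and Chromium's utility process relies on platform sandboxing rather than rlimits alone.

```python
import os
import re
import resource

MAX_DIM = 4096                  # largest width/height accepted (constructed cap)
MEM_LIMIT, CPU_LIMIT = 1 << 30, 5   # helper caps: address-space bytes, CPU-seconds


def transcode_ppm(data: bytes) -> bytes:
    # Strictly parse a binary PPM (P6) and rebuild it from validated values only,
    # so header quirks, comments and trailing bytes never reach the consumer.
    m = re.match(rb"\AP6\s+(\d+)\s+(\d+)\s+(\d+)\s", data)
    if m is None:
        raise ValueError("not a binary PPM")
    width, height, maxval = (int(g) for g in m.groups())
    pixels = data[m.end():]
    sane = 1 <= width <= MAX_DIM and 1 <= height <= MAX_DIM and maxval == 255
    if not sane or len(pixels) != width * height * 3:
        raise ValueError("bad dimensions, depth or pixel data length")
    return b"P6\n%d %d\n255\n" % (width, height) + pixels


def _cap(res, value):
    # Lower a resource limit without exceeding the inherited hard limit.
    _, hard = resource.getrlimit(res)
    if hard != resource.RLIM_INFINITY:
        value = min(value, hard)
    resource.setrlimit(res, (value, value))


def transcode_untrusted(data: bytes):
    # Parse in a forked, resource-limited helper; the parent never touches the
    # raw bytes. Returns the canonical image, or None if the helper rejected
    # the input, crashed, or was killed for exceeding its limits.
    rfd, wfd = os.pipe()
    pid = os.fork()
    if pid == 0:                        # helper process: untrusted parsing here
        try:
            _cap(resource.RLIMIT_AS, MEM_LIMIT)
            _cap(resource.RLIMIT_CPU, CPU_LIMIT)
            os.write(wfd, transcode_ppm(data))   # blocking pipe write completes
            os._exit(0)
        except BaseException:
            os._exit(1)
    os.close(wfd)                       # parent: drain the pipe, then reap
    chunks = []
    while chunk := os.read(rfd, 65536):
        chunks.append(chunk)
    os.close(rfd)
    _, status = os.waitpid(pid, 0)
    if not (os.WIFEXITED(status) and os.WEXITSTATUS(status) == 0):
        return None                     # anything but a clean exit is a reject
    return b"".join(chunks)
```

Because the parent only ever sees `transcode_ppm`'s canonical output, a crash or hang in the parser is contained in the helper and shows up as a `None` result rather than reaching Growl or DBus.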
