feat: Add content script world isolation

[samuelmaddock]

Description of Change

Executes Chrome extension content scripts in an isolated world.

When an isolated world script context is created for a content script, content_script_bundle is injected. The bundle contains code to initialize Chrome APIs and Electron setup.

Checklist

• PR description included and stakeholders cc'd
• npm test passes
• tests are changed or added
• relevant documentation is changed or added
• PR title follows semantic commit guidelines
• PR release notes describe the change in a way relevant to app developers, and are capitalized, punctuated, and past tense.

Release Notes

Notes: Added world isolation to Chrome extension content scripts.

[MarshallOfSound]

The implementation details of the approach seem OK, I have some questions RE the approach in general. Basically where the isolation boundary we are trying to draw is. See comments below.

[MarshallOfSound]

This will have to be explicitly documented in the executeJavaScriptInIsolatedWorld API docs that these numbers are "reserved" / "used" by chrome extensions

[samuelmaddock]

Good point. Since users may have use cases for a large range, perhaps the extensions range should be moved up as well (1000 => 100000?).

[samuelmaddock]

I've defined the range between [1 << 20, 1 << 29) with more info in the commit message of 8d02015

[MarshallOfSound]

I feel as though there should be a better way of doing this, it also implies that this initalizer and the users chrome extension aren't isolated?

I may be missing where the isolation boundary is that this PR is trying to create.

E.g.

Chrome Extension |||| Electron Code but this PR appears to be more Chrome Extension + Electron Code ||| User Code which implies a high level of trust in the Chrome Extension code? Maybe I just need some clarification on that

[samuelmaddock]

The __init function is coupled with Electron code in the content-scripts-injector.ts script. Prior to running a Chrome extension's content script, it will call the __init function with the associated extensionId.

const runContentScript = function (this: any, extensionId: string, url: string, code: string) {
  const sources = [
    // initialize Chrome API in isolated world
    { code: `typeof __init === 'function' && __init('${extensionId}')` },
    // then run content script in isolated world
    { code, url }
  ]

  // ...

  webFrame.executeJavaScriptInIsolatedWorld(worldId, sources)
}

Since __init is called first from Electron code, user code won't be able to access it after it has been removed. The exception would be if the user creates an isolated world within the reserved extension ID range, outside of the content script injector.

This still feels dirty to me, but I'm not yet sure how to initialize the content_script_bundle with the extension ID ahead of time.

[samuelmaddock]

@MarshallOfSound I found another way to pass the extension ID to the content_script_bundle script using a v8 private. fb42cd0

Now there is a clear isolation between user code and Electron code for initializing the content script isolated world.

[MarshallOfSound]

I can't seem to tag wg-security in the reviewers list so just cc'ing here

cc @electron/wg-security

[MarshallOfSound]

This all seems good, there's a few TODO's here but they're all things we didn't have before and are good to track 👍

Would like sign-off from someone else in @electron/wg-security that this is 🆗

[release-clerk]

Release Notes Persisted

Added world isolation to Chrome extension content scripts.