Disallow loading plugins from command line.

There are currently only two known plugins: NaCl and pdfium. Neither is
loaded from command line. Disable loading plugins from the command line
by default.

Bug: 1451269
Change-Id: Ie39fbf611be96329c78085845ad5ddc0a5070a07
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/4584150
Code-Coverage: Findit <findit-for-me@appspot.gserviceaccount.com>
Reviewed-by: Derek Schuff <dschuff@chromium.org>
Reviewed-by: Sam Clegg <sbc@chromium.org>
Reviewed-by: Avi Drissman <avi@chromium.org>
Commit-Queue: Erik Chen <erikchen@chromium.org>
Cr-Commit-Position: refs/heads/main@{#1154135}

content/app/content_main_runner_impl.cc

@@ -305,6 +305,7 @@ pid_t LaunchZygoteHelper(base::CommandLine* cmd_line,
   // Append any switches from the browser process that need to be forwarded on
   // to the zygote/renderers.
   static const char* const kForwardSwitches[] = {
+    switches::kAllowCommandLinePlugins,
     switches::kClearKeyCdmPathForTesting,
     switches::kEnableLogging,  // Support, e.g., --enable-logging=stderr.
     // Need to tell the zygote that it is headless so that we don't try to use

content/browser/renderer_host/render_process_host_impl.cc

@@ -3513,6 +3513,7 @@ void RenderProcessHostImpl::PropagateBrowserCommandLineToRenderer(
     // Allow this to be set when invoking the browser and relayed along.
     sandbox::policy::switches::kEnableSandboxLogging,
 #endif
+    switches::kAllowCommandLinePlugins,
     switches::kAllowLoopbackInPeerConnection,
     switches::kAudioBufferSize,
     switches::kAutoplayPolicy,

content/common/pepper_plugin_list.cc

@@ -174,7 +174,13 @@ bool MakePepperPluginInfo(const WebPluginInfo& webplugin_info,
 
 void ComputePepperPluginList(std::vector<ContentPluginInfo>* plugins) {
   GetContentClient()->AddPlugins(plugins);
-  ComputePluginsFromCommandLine(plugins);
+  // It would be nice to gate this behind a field trial but this happens too
+  // early in the startup process. We allow loading from command line for
+  // testing but don't allow for general use cases.
+  if (base::CommandLine::ForCurrentProcess()->HasSwitch(
+          switches::kAllowCommandLinePlugins)) {
+    ComputePluginsFromCommandLine(plugins);
+  }
 }
 
 }  // namespace content

content/public/common/content_switches.cc

@@ -22,6 +22,9 @@ const char kAllowInsecureLocalhost[] = "allow-insecure-localhost";
 const char kAllowLoopbackInPeerConnection[] =
     "allow-loopback-in-peer-connection";
 
+// Allows plugins to be loaded in the command line for testing.
+const char kAllowCommandLinePlugins[] = "allow-command-line-plugins";
+
 // Causes the Attribution Report API to run without delays or noise.
 const char kAttributionReportingDebugMode[] =
     "attribution-reporting-debug-mode";

content/public/common/content_switches.h

@@ -19,6 +19,7 @@ namespace switches {
 CONTENT_EXPORT extern const char kAllowFileAccessFromFiles[];
 CONTENT_EXPORT extern const char kAllowInsecureLocalhost[];
 CONTENT_EXPORT extern const char kAllowLoopbackInPeerConnection[];
+CONTENT_EXPORT extern const char kAllowCommandLinePlugins[];
 CONTENT_EXPORT extern const char kAllowSyncXHRInPageDismissal[];
 CONTENT_EXPORT extern const char kAttributionReportingDebugMode[];
 CONTENT_EXPORT extern const char kAutoAcceptCameraAndMicrophoneCapture[];

content/public/test/ppapi_test_utils.cc

@@ -58,6 +58,7 @@ bool RegisterPlugins(base::CommandLine* command_line,
     args += plugin.mime_type;
   }
   command_line->AppendSwitchNative(switches::kRegisterPepperPlugins, args);
+  command_line->AppendSwitch(switches::kAllowCommandLinePlugins);
   return true;
 }
 

native_client_sdk/src/tools/common.mk

@@ -507,6 +507,7 @@ run: check_for_chrome all $(PAGE)
 	$(RUN_PY) -C $(CURDIR) -P $(PAGE_TC_CONFIG) \
 	    $(addprefix -E ,$(CHROME_ENV)) -- "$(CHROME_PATH)" \
 	    $(CHROME_ARGS) \
+	    --allow-command-line-plugins \
 	    --register-pepper-plugins="$(PPAPI_DEBUG),$(PPAPI_RELEASE)"
 
 .PHONY: run_package
@@ -527,6 +528,7 @@ debug: check_for_chrome all $(PAGE)
 	    -C $(CURDIR) -P $(PAGE_TC_CONFIG) \
 	    $(addprefix -E ,$(CHROME_ENV)) -- "$(CHROME_PATH)" \
 	    $(CHROME_ARGS) $(SANDBOX_ARGS) --enable-nacl-debug \
+	    --allow-command-line-plugins \
 	    --register-pepper-plugins="$(PPAPI_DEBUG),$(PPAPI_RELEASE)"
 
 .PHONY: serve

ppapi/native_client/tools/browser_tester/browsertester/browserlauncher.py

@@ -302,6 +302,7 @@ class ChromeLauncher(BrowserLauncher):
       if disable_sandbox:
         cmd.append('--no-sandbox')
     else:
+      cmd.append('--allow-command-line-plugins')
       cmd.append('--register-pepper-plugins=%s;%s'
                  % (self.options.ppapi_plugin,
                     self.options.ppapi_plugin_mimetype))