Issue 470170 Web MIDI API: reject sysex permission on http
Starred by 4 users Project Member Reported by toyoshim@chromium.org, Mar 24 2015
Status: Fixed
Owner:
Closed: Apr 2015
Components:
EstimatedDays: ----
NextAction: ----
OS: All
Pri: 1
Type: Bug

Blocking:
issue 163795



For security reasons, we decided to reject all permission requests from HTTP.
Permission UI will appear only for HTTPS.

extensions:// scheme for Chrome Apps should be handled separately.
 
Blocking: chromium:163795
Owner: toyoshim@chromium.org
Status: Started
The first change fixes the logic for UI prompting.

Note from the review comment that I will handle in the second change.
----
Note that it is still possible to set non-secure origin exceptions through the
settings UI: chrome://settings/contentExceptions#midi-sysex

Please consider adding a similar protection there, or simply disable editing as
we do with some other types, such as geolocation or fullscreen.
Project Member Comment 4 by bugdroid1@chromium.org, Mar 30 2015
The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/9eb573f4ea26fbc1ad3ba3d1988d5227b80fed36

commit 9eb573f4ea26fbc1ad3ba3d1988d5227b80fed36
Author: toyoshim <toyoshim@chromium.org>
Date: Mon Mar 30 10:39:39 2015

Web MIDI API: reject sysex permissions on non-secure schemes

Since sysex messages are so powerful, Chrome does not allow sysex
permission for any requests from non-secure schemes.

TEST=manual check with simple page, and embedded iframe page.
BUG= 470170 

Review URL: https://codereview.chromium.org/1039123002

Cr-Commit-Position: refs/heads/master@{#322761}

[modify] http://crrev.com/9eb573f4ea26fbc1ad3ba3d1988d5227b80fed36/chrome/browser/content_settings/permission_context_base.cc
[modify] http://crrev.com/9eb573f4ea26fbc1ad3ba3d1988d5227b80fed36/chrome/browser/content_settings/permission_context_base_unittest.cc

Comment 5 by yukawa@chromium.org, Mar 31 2015
Can we mark this as Fixed?
One more fix is coming for content settings UI.
Project Member Comment 7 by bugdroid1@chromium.org, Apr 1 2015
The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/ccabd7eb46c3a472c4be96cac6209c966ac354f8

commit ccabd7eb46c3a472c4be96cac6209c966ac354f8
Author: toyoshim <toyoshim@chromium.org>
Date: Wed Apr 01 02:58:30 2015

Web MIDI API: disallow to add custom exceptions on content settings UI

To disallow to add exceptions for non-secure origin, make midi-sysex
permission impossible to edit on content settings UI for now.

BUG= 470170 

Review URL: https://codereview.chromium.org/1047793002

Cr-Commit-Position: refs/heads/master@{#323173}

[modify] http://crrev.com/ccabd7eb46c3a472c4be96cac6209c966ac354f8/chrome/browser/resources/options/content_settings_exceptions_area.js

Is http://localhost considered secure? It would be useful to keep this working for sysex.
I'd check it and enable localhost if needed.
Seems like the localhost part is better solved by just waiting for issue 362214 to be resolved. I don't feel strongly to request a special case for Web MIDI here.
Project Member Comment 13 by bugdroid1@chromium.org, Apr 2 2015
The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/78fb2d9a429de070b0d7c9c57710cffa52c4b52b

commit 78fb2d9a429de070b0d7c9c57710cffa52c4b52b
Author: toyoshim <toyoshim@chromium.org>
Date: Thu Apr 02 20:27:31 2015

Web MIDI: allow http://localhost to prompt sysex permission

Allow to obtain a sysex permission for localhost even if the scheme is
non-secure. This is intended for use in testing.

TEST=manual check with http://localhost:xxx and http://127.0.0.1:xxx
BUG= 470170 

Review URL: https://codereview.chromium.org/1050063002

Cr-Commit-Position: refs/heads/master@{#323555}

[modify] http://crrev.com/78fb2d9a429de070b0d7c9c57710cffa52c4b52b/chrome/browser/content_settings/permission_context_base.cc

Status: Fixed
Project Member Comment 15 by bugdroid1@chromium.org, Apr 17 2015
The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/298d7eb01ab6f9c1f8781a31c2fddc13f9e4e4e2

commit 298d7eb01ab6f9c1f8781a31c2fddc13f9e4e4e2
Author: palmer <palmer@chromium.org>
Date: Fri Apr 17 21:09:23 2015

Use IsOriginSecure when checking Web MIDI SYSEX capability.

Rather than the previous ad hoc check. IsOriginSecure is the standard way.

BUG= 362214 , 470170 

Review URL: https://codereview.chromium.org/1087983002

Cr-Commit-Position: refs/heads/master@{#325717}

[modify] http://crrev.com/298d7eb01ab6f9c1f8781a31c2fddc13f9e4e4e2/chrome/browser/content_settings/permission_context_base.cc
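
The policy this thread converges on (HTTPS may prompt, http://localhost and http://127.0.0.1 may prompt for testing, everything else is rejected), written out as an added JavaScript example; it is not Chromium's code and not its IsOriginSecure implementation. The function names, the sample origins, and the rule that both the requesting frame and the embedding page must pass are assumptions of this example.

```javascript
// Added illustration, not Chromium source. All names here are hypothetical.
// Hosts the thread names as allowed over plain HTTP for testing.
const LOOPBACK_HOSTS = new Set(["localhost", "127.0.0.1"]);

// Decide for one origin whether a sysex permission prompt may be shown.
// The decision is made on the parsed scheme and hostname, never on a
// substring match, so "localhost" appearing elsewhere in the URL has no effect.
function classifyOrigin(origin) {
  let url;
  try {
    url = new URL(origin);
  } catch (e) {
    return "reject"; // unparsable input never gets a prompt
  }
  if (url.protocol === "https:") return "prompt";
  if (url.protocol === "http:" && LOOPBACK_HOSTS.has(url.hostname)) {
    return "prompt";
  }
  // Any other scheme falls through to reject. Extension schemes, which the
  // thread says are handled separately, are outside this example.
  return "reject";
}

// Assumption of this example: an embedded iframe only gets a prompt when
// both its own origin and the top-level page's origin pass the check.
function sysexDecision(requestingOrigin, embeddingOrigin) {
  const ok = [requestingOrigin, embeddingOrigin].every(
    (o) => classifyOrigin(o) === "prompt"
  );
  return ok ? "prompt" : "reject";
}

// Constructed sample origins, including look-alikes of localhost.
const samples = [
  "https://synth.example",
  "http://synth.example",
  "http://localhost:8080",
  "http://127.0.0.1:3000",
  "http://localhost.evil.example",
  "http://localhost@evil.example/",
];
for (const s of samples) {
  console.log(s.padEnd(34), classifyOrigin(s));
}
```
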
