Issue 678764

Starred by 2 users

Issue metadata

Status: Fixed
Owner:
Closed: Apr 2017
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: 2
Type: Feature


Don't show saved autofill credit cards or payment apps in PaymentRequest UI when omnibox shows "Not Secure" message

Reported by rouslan@chromium.org (Project Member), Jan 5 2017

Issue description

^^^
 
Cc: palmer@chromium.org lgar...@chromium.org
Status: Assigned (was: Started)
Summary: Don't show saved autofill credit cards in PaymentRequest UI when omnibox shows "Not Secure" message (was: Prohibit web payments on sites with bad SSL certificates)
Summary: Don't show saved autofill credit cards or payment apps in PaymentRequest UI when omnibox shows "Not Secure" message (was: Don't show saved autofill credit cards in PaymentRequest UI when omnibox shows "Not Secure" message)
Cc: rob.b...@samsung.com
Status: Started (was: Assigned)
Comment 5 by bugdroid1@chromium.org (Project Member), Apr 17 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/6e3cf7c6d281cff41cae5aa4d764f6fd7854c75e

commit 6e3cf7c6d281cff41cae5aa4d764f6fd7854c75e
Author: rouslan <rouslan@chromium.org>
Date: Mon Apr 17 21:23:28 2017

Prevent usage of web payments API over insecure HTTPS.

Before this patch, the web payments UI would allow the user to make payments
easily on pages with invalid HTTPS certificates. Even if the URL bar
showed a red, crossed-out "https", the web payments UI would show a
green "https" with a green lock icon.

This patch fixes the problem by checking the security level of the page.
An HTTPS page that's not EV_SECURE, SECURE, or
SECURE_WITH_POLICY_INSTALLED_CERT is prevented from using any payment
apps.

After this patch, invoking PaymentRequest.show() will always return
NotSupportedError on pages with invalid HTTPS certificates. This is
because Chrome is not providing any payment apps for such pages.
Invoking PaymentRequest.canMakePayment() will always return "false" for
the same reason.

Caveat: Pages with invalid HTTPS certificates are still considered
"SecureContext" in the web platform, so throwing "SecurityError" in the
PaymentRequest constructor is not an option.

To test an invalid HTTPS certificate:
1) Visit https://edellroot.badssl.com/input/web-payment.
2) Bypass the interstitial.
3) Tap [Initiate payment] button.
   Observe: The web payments UI does not show.

To test a valid HTTPS certificate:
1) Visit https://badssl.com/input/web-payment.
2) Tap [Initiate payment] button.
   Observe: The web payments UI shows.

BUG=678764

Review-Url: https://codereview.chromium.org/2815763002
Cr-Commit-Position: refs/heads/master@{#465022}

[modify] https://crrev.com/6e3cf7c6d281cff41cae5aa4d764f6fd7854c75e/chrome/android/java/src/org/chromium/chrome/browser/payments/PaymentRequestImpl.java
[add] https://crrev.com/6e3cf7c6d281cff41cae5aa4d764f6fd7854c75e/chrome/android/java/src/org/chromium/chrome/browser/payments/SslValidityChecker.java
[modify] https://crrev.com/6e3cf7c6d281cff41cae5aa4d764f6fd7854c75e/chrome/android/java_sources.gni
[modify] https://crrev.com/6e3cf7c6d281cff41cae5aa4d764f6fd7854c75e/chrome/browser/BUILD.gn
[modify] https://crrev.com/6e3cf7c6d281cff41cae5aa4d764f6fd7854c75e/chrome/browser/payments/android/chrome_payments_jni_registrar.cc
[add] https://crrev.com/6e3cf7c6d281cff41cae5aa4d764f6fd7854c75e/chrome/browser/payments/android/ssl_validity_checker_android.cc
[add] https://crrev.com/6e3cf7c6d281cff41cae5aa4d764f6fd7854c75e/chrome/browser/payments/android/ssl_validity_checker_android.h
[modify] https://crrev.com/6e3cf7c6d281cff41cae5aa4d764f6fd7854c75e/chrome/browser/payments/chrome_payment_request_delegate.cc
[modify] https://crrev.com/6e3cf7c6d281cff41cae5aa4d764f6fd7854c75e/chrome/browser/payments/chrome_payment_request_delegate.h
[add] https://crrev.com/6e3cf7c6d281cff41cae5aa4d764f6fd7854c75e/chrome/browser/payments/ssl_validity_checker.cc
[add] https://crrev.com/6e3cf7c6d281cff41cae5aa4d764f6fd7854c75e/chrome/browser/payments/ssl_validity_checker.h
[modify] https://crrev.com/6e3cf7c6d281cff41cae5aa4d764f6fd7854c75e/chrome/browser/ui/views/payments/cvc_unmask_view_controller_browsertest.cc
[modify] https://crrev.com/6e3cf7c6d281cff41cae5aa4d764f6fd7854c75e/chrome/browser/ui/views/payments/order_summary_view_controller.h
[modify] https://crrev.com/6e3cf7c6d281cff41cae5aa4d764f6fd7854c75e/chrome/browser/ui/views/payments/payment_request_browsertest.cc
[modify] https://crrev.com/6e3cf7c6d281cff41cae5aa4d764f6fd7854c75e/chrome/browser/ui/views/payments/payment_request_browsertest_base.cc
[modify] https://crrev.com/6e3cf7c6d281cff41cae5aa4d764f6fd7854c75e/chrome/browser/ui/views/payments/payment_request_browsertest_base.h
[modify] https://crrev.com/6e3cf7c6d281cff41cae5aa4d764f6fd7854c75e/chrome/browser/ui/views/payments/payment_request_can_make_payment_browsertest.cc
[modify] https://crrev.com/6e3cf7c6d281cff41cae5aa4d764f6fd7854c75e/chrome/browser/ui/views/payments/payment_request_dialog_view.h
[add] https://crrev.com/6e3cf7c6d281cff41cae5aa4d764f6fd7854c75e/chrome/browser/ui/views/payments/payment_request_payment_app_browsertest.cc
[modify] https://crrev.com/6e3cf7c6d281cff41cae5aa4d764f6fd7854c75e/chrome/browser/ui/views/payments/payment_request_payment_response_browsertest.cc
[modify] https://crrev.com/6e3cf7c6d281cff41cae5aa4d764f6fd7854c75e/chrome/browser/ui/views/payments/payment_sheet_view_controller.h
[modify] https://crrev.com/6e3cf7c6d281cff41cae5aa4d764f6fd7854c75e/chrome/browser/ui/views/payments/shipping_option_view_controller.h
[modify] https://crrev.com/6e3cf7c6d281cff41cae5aa4d764f6fd7854c75e/chrome/browser/ui/views/payments/test_chrome_payment_request_delegate.cc
[modify] https://crrev.com/6e3cf7c6d281cff41cae5aa4d764f6fd7854c75e/chrome/browser/ui/views/payments/test_chrome_payment_request_delegate.h
[modify] https://crrev.com/6e3cf7c6d281cff41cae5aa4d764f6fd7854c75e/chrome/test/BUILD.gn
[modify] https://crrev.com/6e3cf7c6d281cff41cae5aa4d764f6fd7854c75e/components/payments/content/BUILD.gn
[modify] https://crrev.com/6e3cf7c6d281cff41cae5aa4d764f6fd7854c75e/components/payments/content/android/BUILD.gn
[modify] https://crrev.com/6e3cf7c6d281cff41cae5aa4d764f6fd7854c75e/components/payments/content/android/component_jni_registrar.cc
[add] https://crrev.com/6e3cf7c6d281cff41cae5aa4d764f6fd7854c75e/components/payments/content/android/java/src/org/chromium/components/payments/OriginSecurityChecker.java
[add] https://crrev.com/6e3cf7c6d281cff41cae5aa4d764f6fd7854c75e/components/payments/content/android/origin_security_checker_android.cc
[add] https://crrev.com/6e3cf7c6d281cff41cae5aa4d764f6fd7854c75e/components/payments/content/android/origin_security_checker_android.h
[add] https://crrev.com/6e3cf7c6d281cff41cae5aa4d764f6fd7854c75e/components/payments/content/origin_security_checker.cc
[add] https://crrev.com/6e3cf7c6d281cff41cae5aa4d764f6fd7854c75e/components/payments/content/origin_security_checker.h
[modify] https://crrev.com/6e3cf7c6d281cff41cae5aa4d764f6fd7854c75e/components/payments/content/payment_request.cc
[modify] https://crrev.com/6e3cf7c6d281cff41cae5aa4d764f6fd7854c75e/components/payments/content/payment_request.h
[modify] https://crrev.com/6e3cf7c6d281cff41cae5aa4d764f6fd7854c75e/components/payments/content/payment_request_spec.cc
[modify] https://crrev.com/6e3cf7c6d281cff41cae5aa4d764f6fd7854c75e/components/payments/content/payment_request_spec.h
[modify] https://crrev.com/6e3cf7c6d281cff41cae5aa4d764f6fd7854c75e/components/payments/content/payment_request_spec_unittest.cc
[modify] https://crrev.com/6e3cf7c6d281cff41cae5aa4d764f6fd7854c75e/components/payments/content/payment_request_state.cc
[modify] https://crrev.com/6e3cf7c6d281cff41cae5aa4d764f6fd7854c75e/components/payments/content/payment_request_state.h
[modify] https://crrev.com/6e3cf7c6d281cff41cae5aa4d764f6fd7854c75e/components/payments/content/payment_response_helper_unittest.cc
[modify] https://crrev.com/6e3cf7c6d281cff41cae5aa4d764f6fd7854c75e/components/payments/core/payment_request_data_util.cc
[modify] https://crrev.com/6e3cf7c6d281cff41cae5aa4d764f6fd7854c75e/components/payments/core/payment_request_data_util.h
[modify] https://crrev.com/6e3cf7c6d281cff41cae5aa4d764f6fd7854c75e/components/payments/core/payment_request_delegate.h
[modify] https://crrev.com/6e3cf7c6d281cff41cae5aa4d764f6fd7854c75e/ios/chrome/browser/payments/payment_request.mm

Status: Fixed (was: Started)
Components: UI>Browser>Payments (was: UI>Browser>Autofill>Payments)
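Merchant-side handling of the behaviour the commit above describes, as an added example that is not code from this page or from Chromium. After the patch, PaymentRequest.show() rejects with NotSupportedError and canMakePayment() resolves to false on an HTTPS page whose certificate failed validation, while the constructor still succeeds because such a page is still a SecureContext. The checkout logic below takes the PaymentRequest constructor as a parameter so it runs against the real window.PaymentRequest in a browser or against the constructed fakes that follow it under Node. The fakes are assumptions that model the commit's rule (only EV_SECURE, SECURE and SECURE_WITH_POLICY_INSTALLED_CERT get payment apps); the level name DANGEROUS for the bad-certificate page and the SecurityError thrown for plain http are also assumptions, the latter from the Payment Request spec's secure-context requirement rather than from this bug.

```javascript
// Added example (not Chromium code): merchant-side handling of the behaviour the
// commit above describes. The PaymentRequest constructor is passed in so the same
// logic runs against the real window.PaymentRequest or the constructed fakes below.

const METHOD_DATA = [{ supportedMethods: 'basic-card' }];
const DETAILS = {
  total: { label: 'Total', amount: { currency: 'USD', value: '10.00' } },
};

// Probe only: resolves true if the browser has at least one payment app for this page.
async function canUsePaymentRequest(PaymentRequestCtor) {
  try {
    return await new PaymentRequestCtor(METHOD_DATA, DETAILS).canMakePayment();
  } catch (e) {
    return false; // e.g. SecurityError from the constructor on a non-secure context
  }
}

// Checkout that never strands the user: every failure to show the sheet goes to a form.
async function checkout(PaymentRequestCtor) {
  let request;
  try {
    // Succeeds even on a page whose certificate failed validation: that page is
    // still a SecureContext, so the constructor cannot be where the refusal lands.
    request = new PaymentRequestCtor(METHOD_DATA, DETAILS);
  } catch (e) {
    return { path: 'form', reason: e.name };
  }
  try {
    const response = await request.show();
    // A real merchant would submit response.details to its processor before this.
    await response.complete('success');
    return { path: 'payment-request', methodName: response.methodName };
  } catch (e) {
    // NotSupportedError: the browser offered no payment apps (this bug's case).
    // AbortError: the user dismissed the sheet.
    if (e.name === 'NotSupportedError' || e.name === 'AbortError') {
      return { path: 'form', reason: e.name };
    }
    throw e; // anything else is a programming error; let it surface
  }
}

// --- Constructed fakes that model the browser side; not Chromium's implementation. ---

// The rule the patch adds: only these page security levels get payment apps.
const SSL_VALID_LEVELS = new Set(['EV_SECURE', 'SECURE', 'SECURE_WITH_POLICY_INSTALLED_CERT']);

class FakeDOMException extends Error {
  constructor(name, message) {
    super(message);
    this.name = name;
  }
}

// scheme: 'http' | 'https'; securityLevel: the omnibox security level of the page.
function fakePaymentRequestFor({ scheme, securityLevel }) {
  const secureContext = scheme === 'https'; // true even for a bad certificate
  const hasPaymentApps = secureContext && SSL_VALID_LEVELS.has(securityLevel);
  return class FakePaymentRequest {
    constructor(methodData, details) {
      if (!secureContext) {
        // Assumed from the spec's secure-context requirement, not from this bug.
        throw new FakeDOMException('SecurityError', 'PaymentRequest needs a secure context');
      }
      if (!Array.isArray(methodData) || methodData.length === 0) {
        throw new TypeError('methodData must be a non-empty sequence');
      }
      this.methodData = methodData;
      this.details = details;
    }
    async canMakePayment() {
      return hasPaymentApps;
    }
    async show() {
      if (!hasPaymentApps) {
        throw new FakeDOMException('NotSupportedError', 'No payment apps available');
      }
      return { methodName: this.methodData[0].supportedMethods, async complete() {} };
    }
  };
}

// The two page states from the commit's test plan, plus plain http for contrast.
// 'DANGEROUS' is an assumed stand-in for the level of https://edellroot.badssl.com/
// after the interstitial is bypassed; all that matters is that it is not in the set.
const ValidCertPaymentRequest = fakePaymentRequestFor({ scheme: 'https', securityLevel: 'SECURE' });
const InvalidCertPaymentRequest = fakePaymentRequestFor({ scheme: 'https', securityLevel: 'DANGEROUS' });
const PlainHttpPaymentRequest = fakePaymentRequestFor({ scheme: 'http', securityLevel: 'NONE' });
```

In a browser, call `checkout(window.PaymentRequest)`; the fakes exist only so both the refused and the accepted path can be exercised without visiting the badssl.com pages. Note the asymmetry the commit's caveat forces: a non-secure context fails at construction time, while a bad certificate fails only when show() is called, so a merchant that reacts only to constructor exceptions would still leave the user at a dead end.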
