Mark data: URLs as not secure

Issue description
data URLs don't define a secure context by themselves, so should be marked as not secure. Additionally, they are used for phishing attacks so the agreement is to mark them as not secure regardless of there being any form fields in the url.
Jan 27 2017
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/effd1d519ff74fb1eb998e844f19d5079222b0fd

commit effd1d519ff74fb1eb998e844f19d5079222b0fd
Author: meacer <meacer@chromium.org>
Date: Fri Jan 27 02:14:13 2017

Display "Not secure" verbose state for data: URLs

data: URLs don't define a secure context, and are a vector for spoofing. Display a "Not secure" badge for all data URLs, regardless of whether they show a password or credit card field.

BUG= 684811
Review-Url: https://codereview.chromium.org/2648353005
Cr-Commit-Position: refs/heads/master@{#446536}

[modify] https://crrev.com/effd1d519ff74fb1eb998e844f19d5079222b0fd/chrome/browser/ssl/security_state_tab_helper_browser_tests.cc
[modify] https://crrev.com/effd1d519ff74fb1eb998e844f19d5079222b0fd/chrome/browser/ssl/ssl_browser_tests.cc
[modify] https://crrev.com/effd1d519ff74fb1eb998e844f19d5079222b0fd/components/security_state/core/security_state.cc
[modify] https://crrev.com/effd1d519ff74fb1eb998e844f19d5079222b0fd/components/security_state/core/security_state_unittest.cc
Jan 31 2017
Requesting merge to M-56 and M-57 as discussed offline.
Jan 31 2017
Your change meets the bar and is auto-approved for M57. Please go ahead and merge the CL to branch 2987 manually. Please contact milestone owner if you have questions. Owners: amineer@(clank), cmasso@(bling), ketakid@(cros), govind@(desktop) For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Jan 31 2017
This bug requires manual review: Request affecting a post-stable build Please contact the milestone owner if you have questions. Owners: amineer@(clank), cmasso@(bling), gkihumba@(cros), bustamante@(desktop) For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Jan 31 2017
Your change meets the bar and is auto-approved for M57. Please go ahead and merge the CL to branch 2987 manually. Please contact milestone owner if you have questions. Owners: amineer@(clank), cmasso@(bling), ketakid@(cros), govind@(desktop) For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Jan 31 2017
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/4278958b00456579123ad87b65663df2de8e8af6

commit 4278958b00456579123ad87b65663df2de8e8af6
Author: Mustafa Acer <meacer@chromium.org>
Date: Tue Jan 31 00:34:44 2017

[Merge M-57] Display "Not secure" verbose state for data: URLs

data: URLs don't define a secure context, and are a vector for spoofing. Display a "Not secure" badge for all data URLs, regardless of whether they show a password or credit card field.

BUG= 684811
Review-Url: https://codereview.chromium.org/2648353005
Cr-Commit-Position: refs/heads/master@{#446536}
(cherry picked from commit effd1d519ff74fb1eb998e844f19d5079222b0fd)

Review-Url: https://codereview.chromium.org/2660333003 .
Cr-Commit-Position: refs/branch-heads/2987@{#206}
Cr-Branched-From: ad51088c0e8776e8dcd963dbe752c4035ba6dab6-refs/heads/master@{#444943}

[modify] https://crrev.com/4278958b00456579123ad87b65663df2de8e8af6/chrome/browser/ssl/security_state_tab_helper_browser_tests.cc
[modify] https://crrev.com/4278958b00456579123ad87b65663df2de8e8af6/chrome/browser/ssl/ssl_browser_tests.cc
[modify] https://crrev.com/4278958b00456579123ad87b65663df2de8e8af6/components/security_state/core/security_state.cc
[modify] https://crrev.com/4278958b00456579123ad87b65663df2de8e8af6/components/security_state/core/security_state_unittest.cc
Jan 31 2017
Per offline discussion approved for merge into M56
Jan 31 2017
bustamante: Thanks. The branch number for M56 is 2924, right?
Jan 31 2017
Yes, please merge to 2924 ASAP. We will be cutting the RC soon.
Feb 1 2017
Thanks Mustafa for the merge - https://chromium.googlesource.com/chromium/src.git/+/2fde612bdca4930cd5bf82a2603ad86d9c5cec57
Applying label accordingly.
Feb 2 2017
meacer@ in order to verify this issue could you please help us with the sample test case or urls and the expected results, so that we can verify the issue on TE-End. Thank You...
Feb 2 2017
Verified the change on Chrome version 57.0.2987.21 on Windows 7, 10, Mac and Linux.
Steps followed:
1. Visit data:text/html,<audio controls> <source src="http://hazzardstream.de:7777/stream/1/" type="audio/mpeg"> in Chrome.
Make sure we see "Not secure" in omnibox.
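
The rule from this issue, sketched as an added example (not Chromium's code and not written by any commenter): a data: URL is parsed per RFC 2397 and gets "Not secure" whether or not its body contains a password or credit card field. The function names, the http/https branches and the field heuristic are assumptions added for contrast; the first sample is the test case from the verification comment above, the second is constructed.

```javascript
// Added illustration, not Chromium source. All names here are hypothetical.

// Split a data: URL into media type, base64 flag and decoded body (RFC 2397).
function parseDataUrl(url) {
  const m = /^data:([^,]*),([\s\S]*)$/i.exec(url.trim());
  if (!m) return null;
  const params = m[1].split(";").map((p) => p.trim().toLowerCase());
  const isBase64 = params.length > 1 && params[params.length - 1] === "base64";
  const mediaType = params[0] || "text/plain"; // RFC 2397 default
  let body;
  if (isBase64) {
    body = Buffer.from(m[2], "base64").toString("utf8");
  } else {
    try { body = decodeURIComponent(m[2]); } catch { body = m[2]; }
  }
  return { mediaType, isBase64, body };
}

// Rough heuristic (assumption): password inputs or cc-* autocomplete hints.
function hasSensitiveField(html) {
  return /<input\b[^>]*\btype\s*=\s*["']?password\b/i.test(html) ||
         /<input\b[^>]*\bautocomplete\s*=\s*["']?cc-/i.test(html);
}

// Badge decision. Only the data: branch comes from this issue; the http and
// https branches are assumed here to show a field-dependent rule for contrast.
function badgeFor(url, pageHtml = "") {
  const scheme = url.slice(0, url.indexOf(":")).toLowerCase();
  if (scheme === "data") return "Not secure"; // unconditional
  if (scheme === "https") return "Secure";    // assumes a valid certificate
  if (scheme === "http" && hasSensitiveField(pageHtml)) return "Not secure";
  return "Neutral";
}

function inspectUrl(url) {
  const parsed = parseDataUrl(url);
  const sensitive = parsed ? hasSensitiveField(parsed.body) : false;
  return { mediaType: parsed && parsed.mediaType, sensitive, badge: badgeFor(url) };
}

// Test case from the verification comment on this page (no form fields).
const PAGE_TEST_CASE = 'data:text/html,<audio controls> <source src="http://hazzardstream.de:7777/stream/1/" type="audio/mpeg">';
// Constructed sample: the same kind of URL carrying a password field, base64-encoded.
const CONSTRUCTED_FORM = "data:text/html;base64," +
  Buffer.from('<input type="password">').toString("base64");

for (const u of [PAGE_TEST_CASE, CONSTRUCTED_FORM]) console.log(inspectUrl(u));
```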
Comment 1 by mea...@chromium.org, Jan 25 2017
Summary: Mark data: URLs as not secure (was: Mark pseudo URLs as not secure)