
Issue 710838


Issue metadata

Status: Fixed
Owner:
Closed: Apr 2017
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: All
Pri: 3
Type: Bug




Saving credentials with CM API for localhost does not work.

Project Member Reported by battre@chromium.org, Apr 12 2017

Issue description

Chrome Version       : 58.0.3029.54

1) Execute `python -m SimpleHTTPServer 8000`
2) Go to http://localhost:8000
3) Open Inspector (Ctrl+Shift+I)
4) Execute the following code:
    var cred = new FederatedCredential({id: 'foo@chromium.org', name: 'foo', provider: 'https://accounts.google.com/'});
    navigator.credentials.store(cred);
5) Execute the same code again. Observe that you are prompted whether you want to save again. This should not happen.
6) Execute the following code:
    navigator.credentials.get({
     password: true,
     federated: {
       providers: ['https://accounts.google.com/']
     },
     unmediated: false
    }).then(
    function(p){console.log("success", p)},
    function(p){console.log("error",   p)} 
    );
   Observe that no credential is returned.

This works on other secure domains (https://anyhost) but not for localhost.
 

Comment 1 by mkwst@chromium.org, Apr 12 2017

Does it not treat the context as secure? That is, does the promise reject with a `SecurityError`? Or does the credential just not get written to the backend? I vaguely recall that the password manager (and payments?) has different security checks for valid certificates, etc. than the secure context spec suggests, which might come into play here?

Comment 2 by mkwst@chromium.org, Apr 12 2017

(Does `http://127.0.0.1` work?)
The credential is written to the backend but not retrieved. It's a specific problem for Linux backends. They are suboptimal and still there.
Project Member

Comment 4 by bugdroid1@chromium.org, Apr 12 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/b4b0602deb4f51bb51275ae5980878a63356b3a5

commit b4b0602deb4f51bb51275ae5980878a63356b3a5
Author: vasilii <vasilii@chromium.org>
Date: Wed Apr 12 22:58:42 2017

Fix a DCHECK in HttpPasswordStoreMigrator for localhost.

CM API can be called on localhost because it's a secure origin. It shouldn't cause HTTP->HTTPS migration.

BUG= 710838 

Review-Url: https://codereview.chromium.org/2806293005
Cr-Commit-Position: refs/heads/master@{#464190}

[modify] https://crrev.com/b4b0602deb4f51bb51275ae5980878a63356b3a5/components/password_manager/content/browser/credential_manager_impl_unittest.cc
[modify] https://crrev.com/b4b0602deb4f51bb51275ae5980878a63356b3a5/components/password_manager/core/browser/credential_manager_pending_request_task.cc

Project Member

Comment 5 by bugdroid1@chromium.org, Apr 13 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/66e4895ec848860ed812821d2fd48b5caf23981a

commit 66e4895ec848860ed812821d2fd48b5caf23981a
Author: vasilii <vasilii@chromium.org>
Date: Thu Apr 13 18:21:37 2017

Fix retrieving federated credentials for the password store for localhost.

Before we used to ignore port for the federated matches which is a security problem. We also disregarded localhost federated credentials because they are HTTP.

BUG= 710838 

Review-Url: https://codereview.chromium.org/2816033002
Cr-Commit-Position: refs/heads/master@{#464474}

[modify] https://crrev.com/66e4895ec848860ed812821d2fd48b5caf23981a/chrome/browser/password_manager/native_backend_gnome_x_unittest.cc
[modify] https://crrev.com/66e4895ec848860ed812821d2fd48b5caf23981a/chrome/browser/password_manager/native_backend_libsecret_unittest.cc
[modify] https://crrev.com/66e4895ec848860ed812821d2fd48b5caf23981a/components/password_manager/core/browser/login_database_unittest.cc
[modify] https://crrev.com/66e4895ec848860ed812821d2fd48b5caf23981a/components/password_manager/core/browser/psl_matching_helper.cc
[modify] https://crrev.com/66e4895ec848860ed812821d2fd48b5caf23981a/components/password_manager/core/browser/psl_matching_helper.h
[modify] https://crrev.com/66e4895ec848860ed812821d2fd48b5caf23981a/components/password_manager/core/browser/psl_matching_helper_unittest.cc
[modify] https://crrev.com/66e4895ec848860ed812821d2fd48b5caf23981a/components/password_manager/core/browser/test_password_store.cc

Labels: -OS-Linux OS-All
Enjoy your debugging!
Components: UI>Browser>Passwords
Status: Fixed (was: Assigned)
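
The two matching problems named in the second commit message (port ignored for federated matches, localhost credentials disregarded because they are HTTP), shown as an added example that is not part of this issue thread and is not Chromium's code. The store layout and every function name are hypothetical, and the secure-origin test is a simplified reading of the secure context rule mentioned in Comment 1.

```javascript
// Added illustration, not Chromium code. All names here are hypothetical.

// Simplified "potentially trustworthy" test: HTTPS, or a loopback host over HTTP.
function isPotentiallyTrustworthy(url) {
  const u = new URL(url);
  if (u.protocol === 'https:') return true;
  if (u.protocol !== 'http:') return false;
  const h = u.hostname;
  return h === 'localhost' || h.endsWith('.localhost') ||
         /^127(\.\d{1,3}){3}$/.test(h) || h === '[::1]';
}

// Host-only comparison: the port is ignored (the problem the commit message names).
function matchesIgnoringPort(stored, requester) {
  return new URL(stored.origin).hostname === new URL(requester).hostname;
}

// Full-origin comparison: scheme, host and port must all agree.
function matchesFullOrigin(stored, requester) {
  return new URL(stored.origin).origin === new URL(requester).origin;
}

// Return the stored federated credentials visible to `requester` for `providers`.
function lookup(store, requester, providers, matcher) {
  // Gate on secure origin rather than on "scheme is https", so localhost is served.
  if (!isPotentiallyTrustworthy(requester)) return [];
  const wanted = new Set(providers.map((p) => new URL(p).origin));
  return store.filter(
    (c) => wanted.has(new URL(c.provider).origin) && matcher(c, requester));
}

// Constructed sample store: the credential saved in step 4 of the report.
const store = [{
  id: 'foo@chromium.org',
  origin: 'http://localhost:8000',
  provider: 'https://accounts.google.com/',
}];
const providers = ['https://accounts.google.com/'];

// Same origin: the credential is returned.
console.log(lookup(store, 'http://localhost:8000', providers, matchesFullOrigin));
// Different port, host-only match: the credential is exposed to another local service.
console.log(lookup(store, 'http://localhost:9000', providers, matchesIgnoringPort));
// Different port, full-origin match: nothing is returned.
console.log(lookup(store, 'http://localhost:9000', providers, matchesFullOrigin));
```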
