New issue
Advanced search Search tips
Note: Color blocks (like or ) mean that a user may not be available. Tooltip shows the reason.

Issue 718416 link

Starred by 3 users
Status: Fixed
Owner:
jdoerrie@chromium.org
Closed: May 2017
Cc:
mkwst@chromium.org
vasi...@chromium.org
Components:
EstimatedDays: ----
NextAction: ----
OS: All
Pri: 2
Type: Launch-OWP
Launch-Accessibility: ----
Launch-Exp-Leadership: ----
Launch-Leadership: ----
Launch-Legal: ----
Launch-M-Approved: ----
Launch-M-Target: ----
Launch-Privacy: ----
Launch-Security: ----
Launch-Test: ----
Launch-UI: ----
Rollout-Type: ----

Blocking:
issue 715077



Sign in to add a comment

Expose passwords to JavaScript in Credential Management API

Project Member Reported by jdoerrie@chromium.org, May 4 2017 
IMPORTANT:
- This launch issue is used for standards and implementation tracking only.
It is NOT for Chrome approval regarding privacy, security, legal, UI,
testing,
accessibility etc.
- An overview of the different launch issues can be found here:
http://bit.ly/2ncKZfp
- If your feature requires security / privacy / etc approval then seek a PM
to guide you through the go/newchromefeature process

See http://www.chromium.org/blink#launch-process for an overview of the
Blink launch process, but note this doesn't cover security / privacy / etc
reviews as discussed above.

----------

Change description:
This change exposes passwords to JavaScript in the Credential Management API by providing the corresponding attribute on PasswordCredential. Furthermore it deprecates the previously existing PasswordCredential attributes and the custom `fetch()` `credential` infrastructure.

Changes to API surface:
- Introduce PasswordCredential.password
- Deprecate PasswordCredential.idName
- Deprecate PasswordCredential.passwordName
- Deprecate PasswordCredential.additionalData
- Deprecate fetch.RequestInit.RequestCredentials.password

Links:
- GitHub Issue: https://github.com/w3c/webappsec-credential-management/issues/75
- GitHub Pull Request: https://github.com/w3c/webappsec-credential-management/pull/76
- Web Application Security Discussion Thread: https://lists.w3.org/Archives/Public/public-webappsec/2017Apr/0026.html

Support in other browsers:
Internet Explorer: No public signals
Firefox: neutral, commented on the PR
Safari: initially concerned but no further feedback despite several pings

Comment 1 by jdoerrie@chromium.org, May 15 2017

Description: Show this description

Comment 2 by jdoerrie@chromium.org, May 15 2017

Summary: Expose passwords to JavaScript in Credential Management API (was: Expose passwords to JavaScript in Credential Manager API)

Comment 3 by jdoerrie@chromium.org, May 22 2017

Blocking: 715077
Labels: -Pri-3 Pri-2
Project Member

Comment 4 by bugdroid1@chromium.org, May 22 2017 

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/0ee82f7e38627cd7382166e219f4ec72631c816a

commit 0ee82f7e38627cd7382166e219f4ec72631c816a
Author: jdoerrie <jdoerrie@chromium.org>
Date: Mon May 22 14:47:29 2017

Expose passwords to JavaScript in Credential Manager API

This change implements the proposed change to the Credential Manager API
to directly expose passwords to JavaScript. It also deprecates the
existing PasswordCredential attributes and the ability to attach a
Credential to fetch.

See the corresponding GitHub issue and pull request for more details:
- https://github.com/w3c/webappsec-credential-management/issues/75
- https://github.com/w3c/webappsec-credential-management/pull/76

- Intent to Deprecate: Custom fetch for Credential Manager API:
https://groups.google.com/a/chromium.org/forum/#!topic/blink-dev/WPckvg8JO0U

- Intent to Implement and Ship: The password property of PasswordCredential:
https://groups.google.com/a/chromium.org/forum/#!topic/blink-dev/nT51eE7fWn4

BUG= 718416 

Review-Url: https://codereview.chromium.org/2852423002
Cr-Commit-Position: refs/heads/master@{#473576}

[modify] https://crrev.com/0ee82f7e38627cd7382166e219f4ec72631c816a/third_party/WebKit/LayoutTests/external/wpt/credential-management/credentialscontainer-create-basics.https.html
[delete] https://crrev.com/875c54258b74113d3f22411fe14c8a24d363f6c2/third_party/WebKit/LayoutTests/external/wpt/credential-management/idl.https-expected.txt
[modify] https://crrev.com/0ee82f7e38627cd7382166e219f4ec72631c816a/third_party/WebKit/LayoutTests/external/wpt/credential-management/idl.https.html
[modify] https://crrev.com/0ee82f7e38627cd7382166e219f4ec72631c816a/third_party/WebKit/LayoutTests/http/tests/credentialmanager/passwordcredential-basics.html
[modify] https://crrev.com/0ee82f7e38627cd7382166e219f4ec72631c816a/third_party/WebKit/LayoutTests/http/tests/credentialmanager/passwordcredential-fetch-expected.txt
[modify] https://crrev.com/0ee82f7e38627cd7382166e219f4ec72631c816a/third_party/WebKit/LayoutTests/platform/mac/virtual/stable/webexposed/global-interface-listing-expected.txt
[modify] https://crrev.com/0ee82f7e38627cd7382166e219f4ec72631c816a/third_party/WebKit/LayoutTests/platform/win/virtual/stable/webexposed/global-interface-listing-expected.txt
[modify] https://crrev.com/0ee82f7e38627cd7382166e219f4ec72631c816a/third_party/WebKit/LayoutTests/virtual/service-worker-navigation-preload-disabled/webexposed/global-interface-listing-expected.txt
[modify] https://crrev.com/0ee82f7e38627cd7382166e219f4ec72631c816a/third_party/WebKit/LayoutTests/webexposed/global-interface-listing-expected.txt
[modify] https://crrev.com/0ee82f7e38627cd7382166e219f4ec72631c816a/third_party/WebKit/Source/core/frame/Deprecation.cpp
[modify] https://crrev.com/0ee82f7e38627cd7382166e219f4ec72631c816a/third_party/WebKit/Source/core/frame/UseCounter.h
[modify] https://crrev.com/0ee82f7e38627cd7382166e219f4ec72631c816a/third_party/WebKit/Source/modules/credentialmanager/PasswordCredential.cpp
[modify] https://crrev.com/0ee82f7e38627cd7382166e219f4ec72631c816a/third_party/WebKit/Source/modules/credentialmanager/PasswordCredential.h
[modify] https://crrev.com/0ee82f7e38627cd7382166e219f4ec72631c816a/third_party/WebKit/Source/modules/credentialmanager/PasswordCredential.idl
[modify] https://crrev.com/0ee82f7e38627cd7382166e219f4ec72631c816a/third_party/WebKit/Source/modules/credentialmanager/PasswordCredentialTest.cpp
[modify] https://crrev.com/0ee82f7e38627cd7382166e219f4ec72631c816a/third_party/WebKit/Source/modules/fetch/RequestInit.cpp
[modify] https://crrev.com/0ee82f7e38627cd7382166e219f4ec72631c816a/tools/metrics/histograms/enums.xml

Comment 5 by jdoerrie@chromium.org, May 22 2017

Status: Fixed (was: Started)
Project Member

Comment 6 by bugdroid1@chromium.org, Jun 14 2017 

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/e995ef6a89e0cb193f3a94b79097b13e9d6de31d

commit e995ef6a89e0cb193f3a94b79097b13e9d6de31d
Author: jdoerrie <jdoerrie@chromium.org>
Date: Wed Jun 14 14:38:04 2017

Update link to Web updates in fetch deprecation message

This change updates the developer facing deprecation message to link to
"Latest Updates to the Credential Management API" update post on
https://developers.google.com.

Bug:  718416 
Change-Id: I1b190f5f66e8ed854d193ee6dc3af28e50d2c310
Reviewed-on: https://chromium-review.googlesource.com/535613
Reviewed-by: Mike West <mkwst@chromium.org>
Commit-Queue: jdoerrie <jdoerrie@chromium.org>
Cr-Commit-Position: refs/heads/master@{#479377}
[modify] https://crrev.com/e995ef6a89e0cb193f3a94b79097b13e9d6de31d/third_party/WebKit/LayoutTests/http/tests/credentialmanager/passwordcredential-fetch-expected.txt
[modify] https://crrev.com/e995ef6a89e0cb193f3a94b79097b13e9d6de31d/third_party/WebKit/Source/core/frame/Deprecation.cpp
Project Member

Comment 7 by bugdroid1@chromium.org, Nov 23 2017 

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/57b2dc23b962feeadd2dcf60a399c9f38d2087e3

commit 57b2dc23b962feeadd2dcf60a399c9f38d2087e3
Author: Balazs Engedy <engedy@chromium.org>
Date: Thu Nov 23 14:23:38 2017

Remove deprecated PasswordCredential attributes.

Remove all code and tests related to the following attributes of
PasswordCredential:
 -- idName
 -- passwordName
 -- additionalData

These had been slated for removal already in M62 along with the removal
of FetchCredentialsMode::kPassword, but accidentally were not.

See intent to deprecate here:
https://groups.google.com/a/chromium.org/forum/#!topic/blink-dev/WPckvg8JO0U

Bug:  778536 ,  718416 
Change-Id: I52513a4dfdde5e075f86f850c0ccafc49382fba2
Reviewed-on: https://chromium-review.googlesource.com/779000
Commit-Queue: Balazs Engedy <engedy@chromium.org>
Reviewed-by: Mike West <mkwst@chromium.org>
Cr-Commit-Position: refs/heads/master@{#518928}
[modify] https://crrev.com/57b2dc23b962feeadd2dcf60a399c9f38d2087e3/third_party/WebKit/LayoutTests/http/tests/credentialmanager/credentialscontainer-create-basics.html
[modify] https://crrev.com/57b2dc23b962feeadd2dcf60a399c9f38d2087e3/third_party/WebKit/LayoutTests/http/tests/credentialmanager/credentialscontainer-get-basics.html
[modify] https://crrev.com/57b2dc23b962feeadd2dcf60a399c9f38d2087e3/third_party/WebKit/LayoutTests/http/tests/credentialmanager/passwordcredential-basics.html
[modify] https://crrev.com/57b2dc23b962feeadd2dcf60a399c9f38d2087e3/third_party/WebKit/LayoutTests/virtual/stable/webexposed/global-interface-listing-expected.txt
[modify] https://crrev.com/57b2dc23b962feeadd2dcf60a399c9f38d2087e3/third_party/WebKit/LayoutTests/webexposed/global-interface-listing-expected.txt
[modify] https://crrev.com/57b2dc23b962feeadd2dcf60a399c9f38d2087e3/third_party/WebKit/Source/core/frame/Deprecation.cpp
[delete] https://crrev.com/e15b47cd03542eba57cc447579db5e81452fcc8b/third_party/WebKit/Source/modules/credentialmanager/FormDataOptions.idl
[modify] https://crrev.com/57b2dc23b962feeadd2dcf60a399c9f38d2087e3/third_party/WebKit/Source/modules/credentialmanager/PasswordCredential.cpp
[modify] https://crrev.com/57b2dc23b962feeadd2dcf60a399c9f38d2087e3/third_party/WebKit/Source/modules/credentialmanager/PasswordCredential.h
[modify] https://crrev.com/57b2dc23b962feeadd2dcf60a399c9f38d2087e3/third_party/WebKit/Source/modules/credentialmanager/PasswordCredential.idl
[modify] https://crrev.com/57b2dc23b962feeadd2dcf60a399c9f38d2087e3/third_party/WebKit/Source/modules/credentialmanager/PasswordCredentialTest.cpp
[modify] https://crrev.com/57b2dc23b962feeadd2dcf60a399c9f38d2087e3/third_party/WebKit/Source/modules/modules_idl_files.gni
[modify] https://crrev.com/57b2dc23b962feeadd2dcf60a399c9f38d2087e3/third_party/WebKit/public/platform/web_feature.mojom
[modify] https://crrev.com/57b2dc23b962feeadd2dcf60a399c9f38d2087e3/tools/metrics/histograms/enums.xml
Project Member

Comment 8 by bugdroid1@chromium.org, Nov 23 2017 

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/5464476eef154dabf38e618a3372857cd8c514c7

commit 5464476eef154dabf38e618a3372857cd8c514c7
Author: Olga Sharonova <olka@chromium.org>
Date: Thu Nov 23 14:52:22 2017

Revert "Remove deprecated PasswordCredential attributes."

This reverts commit 57b2dc23b962feeadd2dcf60a399c9f38d2087e3.

Reason for revert: Broke the tree: https://build.chromium.org/p/chromium/builders/Linux%20x64/builds/53670

Original change's description:
> Remove deprecated PasswordCredential attributes.
> 
> Remove all code and tests related to the following attributes of
> PasswordCredential:
>  -- idName
>  -- passwordName
>  -- additionalData
> 
> These had been slated for removal already in M62 along with the removal
> of FetchCredentialsMode::kPassword, but accidentally were not.
> 
> See intent to deprecate here:
> https://groups.google.com/a/chromium.org/forum/#!topic/blink-dev/WPckvg8JO0U
> 
> Bug:  778536 ,  718416 
> Change-Id: I52513a4dfdde5e075f86f850c0ccafc49382fba2
> Reviewed-on: https://chromium-review.googlesource.com/779000
> Commit-Queue: Balazs Engedy <engedy@chromium.org>
> Reviewed-by: Mike West <mkwst@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#518928}

TBR=engedy@chromium.org,mkwst@chromium.org

Change-Id: I9e9ab493d88510e7e56d76205bcbab2e2e142f73
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Bug:  778536 ,  718416 
Reviewed-on: https://chromium-review.googlesource.com/788110
Reviewed-by: Olga Sharonova <olka@chromium.org>
Commit-Queue: Olga Sharonova <olka@chromium.org>
Cr-Commit-Position: refs/heads/master@{#518935}
[modify] https://crrev.com/5464476eef154dabf38e618a3372857cd8c514c7/third_party/WebKit/LayoutTests/http/tests/credentialmanager/credentialscontainer-create-basics.html
[modify] https://crrev.com/5464476eef154dabf38e618a3372857cd8c514c7/third_party/WebKit/LayoutTests/http/tests/credentialmanager/credentialscontainer-get-basics.html
[modify] https://crrev.com/5464476eef154dabf38e618a3372857cd8c514c7/third_party/WebKit/LayoutTests/http/tests/credentialmanager/passwordcredential-basics.html
[modify] https://crrev.com/5464476eef154dabf38e618a3372857cd8c514c7/third_party/WebKit/LayoutTests/virtual/stable/webexposed/global-interface-listing-expected.txt
[modify] https://crrev.com/5464476eef154dabf38e618a3372857cd8c514c7/third_party/WebKit/LayoutTests/webexposed/global-interface-listing-expected.txt
[modify] https://crrev.com/5464476eef154dabf38e618a3372857cd8c514c7/third_party/WebKit/Source/core/frame/Deprecation.cpp
[add] https://crrev.com/5464476eef154dabf38e618a3372857cd8c514c7/third_party/WebKit/Source/modules/credentialmanager/FormDataOptions.idl
[modify] https://crrev.com/5464476eef154dabf38e618a3372857cd8c514c7/third_party/WebKit/Source/modules/credentialmanager/PasswordCredential.cpp
[modify] https://crrev.com/5464476eef154dabf38e618a3372857cd8c514c7/third_party/WebKit/Source/modules/credentialmanager/PasswordCredential.h
[modify] https://crrev.com/5464476eef154dabf38e618a3372857cd8c514c7/third_party/WebKit/Source/modules/credentialmanager/PasswordCredential.idl
[modify] https://crrev.com/5464476eef154dabf38e618a3372857cd8c514c7/third_party/WebKit/Source/modules/credentialmanager/PasswordCredentialTest.cpp
[modify] https://crrev.com/5464476eef154dabf38e618a3372857cd8c514c7/third_party/WebKit/Source/modules/modules_idl_files.gni
[modify] https://crrev.com/5464476eef154dabf38e618a3372857cd8c514c7/third_party/WebKit/public/platform/web_feature.mojom
[modify] https://crrev.com/5464476eef154dabf38e618a3372857cd8c514c7/tools/metrics/histograms/enums.xml
Project Member

Comment 9 by bugdroid1@chromium.org, Nov 23 2017 

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/ac06fb3d908dca2b51573eb56359172bc6d85b1e

commit ac06fb3d908dca2b51573eb56359172bc6d85b1e
Author: Balazs Engedy <engedy@chromium.org>
Date: Thu Nov 23 18:48:07 2017

Reland "Remove deprecated PasswordCredential attributes."

This is a reland of 57b2dc23b962feeadd2dcf60a399c9f38d2087e3
Original change's description:
> Remove deprecated PasswordCredential attributes.
>
> Remove all code and tests related to the following attributes of
> PasswordCredential:
>  -- idName
>  -- passwordName
>  -- additionalData
>
> These had been slated for removal already in M62 along with the removal
> of FetchCredentialsMode::kPassword, but accidentally were not.
>
> See intent to deprecate here:
> https://groups.google.com/a/chromium.org/forum/#!topic/blink-dev/WPckvg8JO0U
>
> Bug:  778536 ,  718416 
> Change-Id: I52513a4dfdde5e075f86f850c0ccafc49382fba2
> Reviewed-on: https://chromium-review.googlesource.com/779000
> Commit-Queue: Balazs Engedy <engedy@chromium.org>
> Reviewed-by: Mike West <mkwst@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#518928}

TBR=mkwst@chromium.org

Bug:  778536 ,  718416 
Change-Id: I219f74f758c1a7f10350bc8613cf794575644ece
Reviewed-on: https://chromium-review.googlesource.com/788210
Commit-Queue: Balazs Engedy <engedy@chromium.org>
Reviewed-by: Balazs Engedy <engedy@chromium.org>
Cr-Commit-Position: refs/heads/master@{#518994}
[modify] https://crrev.com/ac06fb3d908dca2b51573eb56359172bc6d85b1e/third_party/WebKit/LayoutTests/http/tests/credentialmanager/credentialscontainer-create-basics.html
[modify] https://crrev.com/ac06fb3d908dca2b51573eb56359172bc6d85b1e/third_party/WebKit/LayoutTests/http/tests/credentialmanager/credentialscontainer-get-basics.html
[modify] https://crrev.com/ac06fb3d908dca2b51573eb56359172bc6d85b1e/third_party/WebKit/LayoutTests/http/tests/credentialmanager/passwordcredential-basics.html
[modify] https://crrev.com/ac06fb3d908dca2b51573eb56359172bc6d85b1e/third_party/WebKit/LayoutTests/virtual/stable/webexposed/global-interface-listing-expected.txt
[modify] https://crrev.com/ac06fb3d908dca2b51573eb56359172bc6d85b1e/third_party/WebKit/LayoutTests/webexposed/global-interface-listing-expected.txt
[modify] https://crrev.com/ac06fb3d908dca2b51573eb56359172bc6d85b1e/third_party/WebKit/Source/bindings/modules/v8/generated.gni
[modify] https://crrev.com/ac06fb3d908dca2b51573eb56359172bc6d85b1e/third_party/WebKit/Source/core/frame/Deprecation.cpp
[delete] https://crrev.com/b874ae659f2a39916d59140f5fefb582d20a61ea/third_party/WebKit/Source/modules/credentialmanager/FormDataOptions.idl
[modify] https://crrev.com/ac06fb3d908dca2b51573eb56359172bc6d85b1e/third_party/WebKit/Source/modules/credentialmanager/PasswordCredential.cpp
[modify] https://crrev.com/ac06fb3d908dca2b51573eb56359172bc6d85b1e/third_party/WebKit/Source/modules/credentialmanager/PasswordCredential.h
[modify] https://crrev.com/ac06fb3d908dca2b51573eb56359172bc6d85b1e/third_party/WebKit/Source/modules/credentialmanager/PasswordCredential.idl
[modify] https://crrev.com/ac06fb3d908dca2b51573eb56359172bc6d85b1e/third_party/WebKit/Source/modules/credentialmanager/PasswordCredentialTest.cpp
[modify] https://crrev.com/ac06fb3d908dca2b51573eb56359172bc6d85b1e/third_party/WebKit/Source/modules/modules_idl_files.gni
[modify] https://crrev.com/ac06fb3d908dca2b51573eb56359172bc6d85b1e/third_party/WebKit/public/platform/web_feature.mojom
[modify] https://crrev.com/ac06fb3d908dca2b51573eb56359172bc6d85b1e/tools/metrics/histograms/enums.xml

Sign in to add a comment