Starred by 3 users
Status: Fixed
Closed: May 22
OS: All
Pri: 2
Type: Launch-OWP

Blocking:
issue 715077

Expose passwords to JavaScript in Credential Management API
Project Member Reported by jdoerrie@chromium.org, May 4
IMPORTANT:
- This launch issue is used for standards and implementation tracking only.
It is NOT for Chrome approval regarding privacy, security, legal, UI, testing,
accessibility etc.
- An overview of the different launch issues can be found here:
http://bit.ly/2ncKZfp
- If your feature requires security / privacy / etc approval then seek a PM
to guide you through the go/newchromefeature process

See http://www.chromium.org/blink#launch-process for an overview of the
Blink launch process, but note this doesn't cover security / privacy / etc
reviews as discussed above.

----------

Change description:
This change exposes passwords to JavaScript in the Credential Management API by providing the corresponding attribute on PasswordCredential. Furthermore it deprecates the previously existing PasswordCredential attributes and the custom `fetch()` `credential` infrastructure.

Changes to API surface:
- Introduce PasswordCredential.password
- Deprecate PasswordCredential.idName
- Deprecate PasswordCredential.passwordName
- Deprecate PasswordCredential.additionalData
- Deprecate fetch.RequestInit.RequestCredentials.password

Links:
- GitHub Issue: https://github.com/w3c/webappsec-credential-management/issues/75
- GitHub Pull Request: https://github.com/w3c/webappsec-credential-management/pull/76
- Web Application Security Discussion Thread: https://lists.w3.org/Archives/Public/public-webappsec/2017Apr/0026.html

Support in other browsers:
Internet Explorer: No public signals
Firefox: neutral, commented on the PR
Safari: initially concerned but no further feedback despite several pings
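
The migration this issue describes, as an added example that is not part of the original report or of Chromium's code: a page reads `PasswordCredential.password` and sends an ordinary form POST instead of passing the credential object to `fetch()`. The endpoint, form field names, CSRF token and `shop.example` origin are assumptions made for illustration.

```javascript
// Added example. Deprecated pattern, shown for contrast only (not executed):
// the browser filled in the password and page script never saw it.
//   cred.idName = 'username'; cred.passwordName = 'password';
//   fetch('/signin', { method: 'POST', credentials: cred });

// Replacement: read cred.password and build a normal form POST.
// endpoint, field names and csrfToken are hypothetical.
function buildSignInRequest(cred, endpoint, pageOrigin, csrfToken) {
  if (!cred || cred.type !== 'password') {
    throw new TypeError('expected a PasswordCredential');
  }
  if (typeof cred.password !== 'string') {
    // Browser predates the PasswordCredential.password attribute.
    throw new Error('PasswordCredential.password is not exposed');
  }
  const origin = new URL(pageOrigin).origin;
  const url = new URL(endpoint, origin);
  // The password is now handled by script: send it only to the page's own
  // origin, and only over HTTPS.
  if (url.origin !== origin || url.protocol !== 'https:') {
    throw new Error('refusing to send password to ' + url.origin);
  }
  const body = new URLSearchParams({
    username: cred.id,
    password: cred.password,
    csrf_token: csrfToken,
  });
  return {
    url: url.href,
    init: {
      method: 'POST',
      credentials: 'same-origin', // a plain string again, not a Credential
      headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
      body: body.toString(),
    },
  };
}

// Browser wiring: navigator.credentials and fetch are passed in so the
// function can also be exercised outside a browser.
async function signIn(credentials, fetchImpl, endpoint, pageOrigin, csrfToken) {
  const cred = await credentials.get({ password: true });
  if (!cred) return null; // nothing stored, or the user dismissed the chooser
  const { url, init } = buildSignInRequest(cred, endpoint, pageOrigin, csrfToken);
  return fetchImpl(url, init);
}
```

In a page this would be called as `signIn(navigator.credentials, fetch, '/signin', location.origin, token)`.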
Summary: Expose passwords to JavaScript in Credential Management API (was: Expose passwords to JavaScript in Credential Manager API)
Blocking: 715077
Labels: -Pri-3 Pri-2
Project Member Comment 4 by bugdroid1@chromium.org, May 22
The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/0ee82f7e38627cd7382166e219f4ec72631c816a

commit 0ee82f7e38627cd7382166e219f4ec72631c816a
Author: jdoerrie <jdoerrie@chromium.org>
Date: Mon May 22 14:47:29 2017

Expose passwords to JavaScript in Credential Manager API

This change implements the proposed change to the Credential Manager API
to directly expose passwords to JavaScript. It also deprecates the
existing PasswordCredential attributes and the ability to attach a
Credential to fetch.

See the corresponding GitHub issue and pull request for more details:
- https://github.com/w3c/webappsec-credential-management/issues/75
- https://github.com/w3c/webappsec-credential-management/pull/76

- Intent to Deprecate: Custom fetch for Credential Manager API:
https://groups.google.com/a/chromium.org/forum/#!topic/blink-dev/WPckvg8JO0U

- Intent to Implement and Ship: The password property of PasswordCredential:
https://groups.google.com/a/chromium.org/forum/#!topic/blink-dev/nT51eE7fWn4

BUG= 718416 

Review-Url: https://codereview.chromium.org/2852423002
Cr-Commit-Position: refs/heads/master@{#473576}

[modify] https://crrev.com/0ee82f7e38627cd7382166e219f4ec72631c816a/third_party/WebKit/LayoutTests/external/wpt/credential-management/credentialscontainer-create-basics.https.html
[delete] https://crrev.com/875c54258b74113d3f22411fe14c8a24d363f6c2/third_party/WebKit/LayoutTests/external/wpt/credential-management/idl.https-expected.txt
[modify] https://crrev.com/0ee82f7e38627cd7382166e219f4ec72631c816a/third_party/WebKit/LayoutTests/external/wpt/credential-management/idl.https.html
[modify] https://crrev.com/0ee82f7e38627cd7382166e219f4ec72631c816a/third_party/WebKit/LayoutTests/http/tests/credentialmanager/passwordcredential-basics.html
[modify] https://crrev.com/0ee82f7e38627cd7382166e219f4ec72631c816a/third_party/WebKit/LayoutTests/http/tests/credentialmanager/passwordcredential-fetch-expected.txt
[modify] https://crrev.com/0ee82f7e38627cd7382166e219f4ec72631c816a/third_party/WebKit/LayoutTests/platform/mac/virtual/stable/webexposed/global-interface-listing-expected.txt
[modify] https://crrev.com/0ee82f7e38627cd7382166e219f4ec72631c816a/third_party/WebKit/LayoutTests/platform/win/virtual/stable/webexposed/global-interface-listing-expected.txt
[modify] https://crrev.com/0ee82f7e38627cd7382166e219f4ec72631c816a/third_party/WebKit/LayoutTests/virtual/service-worker-navigation-preload-disabled/webexposed/global-interface-listing-expected.txt
[modify] https://crrev.com/0ee82f7e38627cd7382166e219f4ec72631c816a/third_party/WebKit/LayoutTests/webexposed/global-interface-listing-expected.txt
[modify] https://crrev.com/0ee82f7e38627cd7382166e219f4ec72631c816a/third_party/WebKit/Source/core/frame/Deprecation.cpp
[modify] https://crrev.com/0ee82f7e38627cd7382166e219f4ec72631c816a/third_party/WebKit/Source/core/frame/UseCounter.h
[modify] https://crrev.com/0ee82f7e38627cd7382166e219f4ec72631c816a/third_party/WebKit/Source/modules/credentialmanager/PasswordCredential.cpp
[modify] https://crrev.com/0ee82f7e38627cd7382166e219f4ec72631c816a/third_party/WebKit/Source/modules/credentialmanager/PasswordCredential.h
[modify] https://crrev.com/0ee82f7e38627cd7382166e219f4ec72631c816a/third_party/WebKit/Source/modules/credentialmanager/PasswordCredential.idl
[modify] https://crrev.com/0ee82f7e38627cd7382166e219f4ec72631c816a/third_party/WebKit/Source/modules/credentialmanager/PasswordCredentialTest.cpp
[modify] https://crrev.com/0ee82f7e38627cd7382166e219f4ec72631c816a/third_party/WebKit/Source/modules/fetch/RequestInit.cpp
[modify] https://crrev.com/0ee82f7e38627cd7382166e219f4ec72631c816a/tools/metrics/histograms/enums.xml

Status: Fixed
Project Member Comment 6 by bugdroid1@chromium.org, Jun 14
The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/e995ef6a89e0cb193f3a94b79097b13e9d6de31d

commit e995ef6a89e0cb193f3a94b79097b13e9d6de31d
Author: jdoerrie <jdoerrie@chromium.org>
Date: Wed Jun 14 14:38:04 2017

Update link to Web updates in fetch deprecation message

This change updates the developer facing deprecation message to link to
"Latest Updates to the Credential Management API" update post on
https://developers.google.com.

Bug:  718416 
Change-Id: I1b190f5f66e8ed854d193ee6dc3af28e50d2c310
Reviewed-on: https://chromium-review.googlesource.com/535613
Reviewed-by: Mike West <mkwst@chromium.org>
Commit-Queue: jdoerrie <jdoerrie@chromium.org>
Cr-Commit-Position: refs/heads/master@{#479377}
[modify] https://crrev.com/e995ef6a89e0cb193f3a94b79097b13e9d6de31d/third_party/WebKit/LayoutTests/http/tests/credentialmanager/passwordcredential-fetch-expected.txt
[modify] https://crrev.com/e995ef6a89e0cb193f3a94b79097b13e9d6de31d/third_party/WebKit/Source/core/frame/Deprecation.cpp
