HTTPBad Sensitive Input warning doesn't show when HTTP frames HTTPS page
Issue description

Chrome Version: 60
OS: iOS 10.3

What steps will reproduce the problem?
(1) Visit a page with an HTTP page framing an HTTPS page containing a password input (e.g. http://webdbg.com/test/forms/FramePassword.asp)

Expect: (i) indicator appears in omnibox because the input is not in a secure context.
Actual: (i) does not appear.

I originally thought this might be caused by how we check the security of the Origin (rather than the security of the Context), e.g.

    web::IsOriginSecure(self.webState->GetLastCommittedURL());

but now I'm thinking this might be yet another limitation in our surfacing the OnPasswordInputShownOnHttp signal from the iOS password manager (e.g. perhaps it doesn't look for forms in cross-origin subframes).

https://cs.chromium.org/chromium/src/ios/chrome/browser/passwords/password_controller.mm?l=562&rcl=80761605e4fc0b7cb8ae7aa67e0a1c4c12baaa3e
,
Feb 18 2018
,
Aug 7
,
Aug 7
Emily, is this something that your team can take?
,
Aug 7
I can take a look at this, although I'm not as familiar with form handling on iOS. Testing on desktop and Android, editing _any_ framed text input correctly causes the (i) icon to downgrade to the red "dangerous" triangle.
,
Aug 7
Specifically, the InsecureInputTabHelper is supposed to listen for form activity via:
    void InsecureInputTabHelper::OnFormActivity(
        web::WebState* web_state,
        const web::FormActivityParams& params) {
      DCHECK_EQ(web_state_, web_state);
      if (params.type == "input" &&
          !web::IsOriginSecure(web_state->GetLastCommittedURL())) {
        DidEditFieldInInsecureContext();
      }
    }
The problem is that FormActivityObserver::OnFormActivity is _explicitly_ only called for same-origin frames:
https://cs.chromium.org/chromium/src/components/autofill/ios/form_util/form_activity_observer.h?dr=CSs&g=0&l=27
So I'm not sure if there is a way to fix this on iOS without re-architecting how we're getting the signal that form edits are happening.
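The distinction the report draws between checking the security of the origin and the security of the context, as an added C++ sketch that is not Chromium code. Every function name is hypothetical, the trustworthiness test is a simplified assumption, and the inner frame URL is constructed.

```cpp
// Added illustration; not Chromium code. All names here are hypothetical.
#include <iostream>
#include <string>
#include <vector>

// Simplified stand-in for a "potentially trustworthy origin" test:
// https/wss schemes, or plain http to a loopback host. Assumption: the real
// rules cover more cases (file:, other loopback forms, embedder allowlists).
bool IsOriginSecureSketch(const std::string& url) {
  const std::string::size_type sep = url.find("://");
  if (sep == std::string::npos) return false;
  const std::string scheme = url.substr(0, sep);
  if (scheme == "https" || scheme == "wss") return true;
  std::string host = url.substr(sep + 3);
  host = host.substr(0, host.find_first_of(":/?#"));
  return scheme == "http" && (host == "localhost" || host == "127.0.0.1");
}

// Origin-only check: looks at the frame that hosts the input, nothing else.
bool InputFrameOriginIsSecure(const std::vector<std::string>& chain) {
  return !chain.empty() && IsOriginSecureSketch(chain.back());
}

// Context check: chain[0] is the top-level document and chain.back() is the
// frame hosting the input. One insecure ancestor makes the context insecure.
bool InputIsInSecureContext(const std::vector<std::string>& chain) {
  if (chain.empty()) return false;
  for (const std::string& url : chain) {
    if (!IsOriginSecureSketch(url)) return false;
  }
  return true;
}

// True when an edit in chain.back() should trigger the insecure-input warning.
bool ShouldWarnForInput(const std::vector<std::string>& chain) {
  return !InputIsInSecureContext(chain);
}

int main() {
  // The report's case: HTTP test page framing an HTTPS frame with the
  // password field (the frame URL is constructed for this example).
  const std::vector<std::string> chain = {
      "http://webdbg.com/test/forms/FramePassword.asp",
      "https://login.example/form"};
  std::cout << "frame origin secure: " << InputFrameOriginIsSecure(chain)
            << ", warn: " << ShouldWarnForInput(chain) << "\n";
  return 0;
}
```

A check that looks only at the framed document's own origin reports the HTTPS frame as secure, while the ancestor walk still flags it because the top-level page is HTTP.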
,
Aug 7
Soon InsecureInputTabHelper::OnFormActivity will be called for cross-origin iframes. Mike, could you please mark this bug as blocked on the cross-origin iframes refactoring bug?
,
Aug 7
,
Oct 30
Comment 1 by est...@chromium.org
, Nov 10 2017