
Issue 756064

Issue metadata

Status: Fixed
Closed: Aug 2017
OS: iOS
Pri: 1
Type: Bug


Chrome may allow construction of PaymentRequest JavaScript object on iOS in an insecure context.

Project Member Reported by rouslan@chromium.org, Aug 16 2017

Issue description

Chrome allows construction of PaymentRequest JavaScript object on iOS in
an insecure context (e.g., http instead of https), if constructed before
Chrome has had the chance to send the "context security" bit to the
JavaScript shim.

Project Member

Comment 1 by bugdroid1@chromium.org, Aug 22 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/27b00e37a69572423886c4d551b6a54eaf774d39

commit 27b00e37a69572423886c4d551b6a54eaf774d39
Author: Rouslan Solomakhin <rouslan@chromium.org>
Date: Tue Aug 22 18:28:26 2017

[Payments][iOS] More robust context security check.

Before this patch, Chrome allowed construction of PaymentRequest
JavaScript object on iOS in an insecure context (e.g., http instead of
https), if constructed before Chrome has had the chance to send the
"context security" bit to the JavaScript shim.

This patch adds rudimentary origin security check to the JavaScript
shim, which is used only if the "context security" bit has not been set
yet (i.e., only very early in page initialization).

After this patch, Chrome denies construction of PaymentRequest
JavaScript on iOS in an insecure context, even if constructed before
Chrome has had the chance to send the "context security" bit to the
JavaScript shim.

Bug: 756064
Change-Id: I0688109273dd615ca17857b22caadbced7231b93
Reviewed-on: https://chromium-review.googlesource.com/617022
Commit-Queue: Rouslan Solomakhin <rouslan@chromium.org>
Reviewed-by: mahmadi (Moe) <mahmadi@chromium.org>
Cr-Commit-Position: refs/heads/master@{#496376}
[modify] https://crrev.com/27b00e37a69572423886c4d551b6a54eaf774d39/ios/chrome/browser/web/resources/payment_request.js

Status: Fixed (was: Started)
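
The early-initialization gap described in the commit message above, sketched as an added example that is not part of this issue or of Chromium's `payment_request.js`. The names `createShim`, `setContextSecure`, `urlLooksSecure` and `tryConstruct` are hypothetical, and the fallback assumes only `https:` counts as secure; `useFallback: false` models the pre-patch behaviour.

```javascript
'use strict';
// Added illustration. All names here are hypothetical, not Chromium's.

// Rudimentary fallback: judge the context from the page URL alone.
// Assumption: only https: counts as secure; everything else is denied.
function urlLooksSecure(loc) {
  return loc.protocol === 'https:';
}

// Builds a shim for one page. `loc` stands in for window.location.
// `useFallback: false` reproduces the pre-patch behaviour described above.
function createShim(loc, { useFallback = true } = {}) {
  let contextSecure = null; // null: the browser has not sent the bit yet

  class PaymentRequest {
    constructor(methodData, details) {
      let secure;
      if (contextSecure !== null) {
        secure = contextSecure;        // authoritative answer from the browser
      } else if (useFallback) {
        secure = urlLooksSecure(loc);  // early-init gap: check the origin here
      } else {
        secure = true;                 // pre-patch: unset bit treated as allowed
      }
      if (!secure) {
        throw new Error('SecurityError: PaymentRequest needs a secure context');
      }
      this.methodData = methodData;
      this.details = details;
    }
  }

  return {
    PaymentRequest,
    // Called by the native side once it knows the context's security state.
    setContextSecure(value) { contextSecure = Boolean(value); },
  };
}

// Returns 'constructed' or 'denied' for one construction attempt.
function tryConstruct(shim) {
  try {
    new shim.PaymentRequest([{ supportedMethods: 'basic-card' }], { total: {} });
    return 'constructed';
  } catch (e) {
    return 'denied';
  }
}

// Constructed sample locations.
const HTTP_PAGE = { protocol: 'http:', hostname: 'shop.example' };
const HTTPS_PAGE = { protocol: 'https:', hostname: 'shop.example' };
```

Once `setContextSecure` has been called, the browser-supplied value always wins over the URL-based fallback, which matches the commit message's statement that the fallback is used only very early in page initialization.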
