Credential Manager API - storing a Credential with insecure iconURL doesn't result in rejected promise.
Issue description
Chrome Version: 60.0.3112.90 (Official Build) (64-bit)
OS: Mac OS X
What steps will reproduce the problem?
Run the following from JS:
(1) f = new FederatedCredential({ id: "id", provider: "https://example.com", iconURL: "http://example.com/", name: "name" })
(2) p = navigator.credentials.store(f)
(3) p // if running from DevTools to look up value of p
What is the expected result?
Note that iconURL is a "http://" not "https://" URL.
Promise should be rejected. According to the spec, iconURL must be a secure URL. See: https://w3c.github.io/webappsec-credential-management/#credentialuserdata-mixin
What happens instead?
Promise is resolved.
Aug 21 2017
Just checked - it is indeed stored.
Sep 15 2017
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/e53f544bd56fe0a7c66b3fe705e104280a431127

commit e53f544bd56fe0a7c66b3fe705e104280a431127
Author: Vasilii Sukhanov <vasilii@chromium.org>
Date: Fri Sep 15 15:28:58 2017

Check that iconURL is secure in navigator.credentials.store()

Bug: 756801
Change-Id: Ia41bcb5a59e29ded2237a94606879d22269f9fb3
Reviewed-on: https://chromium-review.googlesource.com/649686
Reviewed-by: Mike West <mkwst@chromium.org>
Commit-Queue: Vasilii Sukhanov <vasilii@chromium.org>
Cr-Commit-Position: refs/heads/master@{#502262}

[modify] https://crrev.com/e53f544bd56fe0a7c66b3fe705e104280a431127/third_party/WebKit/LayoutTests/http/tests/credentialmanager/credentialscontainer-store-basics-expected.txt
[modify] https://crrev.com/e53f544bd56fe0a7c66b3fe705e104280a431127/third_party/WebKit/LayoutTests/http/tests/credentialmanager/credentialscontainer-store-basics.html
[modify] https://crrev.com/e53f544bd56fe0a7c66b3fe705e104280a431127/third_party/WebKit/Source/modules/credentialmanager/CredentialsContainer.cpp
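
A page that also has to run on builds without this fix can check iconURL itself before calling store(). The following is an added example, not code from Chromium or from this report; iconUrlProblem, storeFederated and makePermissiveEnv are hypothetical names, and "secure" is simplified here to "absolute https: URL", which is an assumption stricter than the spec text linked in the report.

```javascript
// Added example (not Chromium code): pre-flight check for the iconURL used in
// the report's repro, so the page does not depend on the browser rejecting it.
// Assumption: "secure" is simplified to an absolute https: URL.

// Returns null when iconURL is acceptable, otherwise a reason string.
function iconUrlProblem(iconURL) {
  if (iconURL === undefined) return null; // no icon supplied, nothing to check
  let parsed;
  try {
    parsed = new URL(iconURL); // throws on relative or malformed input
  } catch (e) {
    return "iconURL is not an absolute URL";
  }
  if (parsed.protocol !== "https:") {
    return "iconURL uses " + parsed.protocol + " instead of https:";
  }
  return null;
}

// Hypothetical wrapper around steps (1) and (2) of the report.
// In a page, pass { FederatedCredential, credentials: navigator.credentials }.
function storeFederated(env, data) {
  const problem = iconUrlProblem(data.iconURL);
  if (problem) return Promise.reject(new TypeError(problem));
  return env.credentials.store(new env.FederatedCredential(data));
}

// Constructed stand-in for a build that behaves as the report describes:
// store() resolves without looking at iconURL. Lets the wrapper run offline.
function makePermissiveEnv() {
  const stored = [];
  return {
    stored,
    FederatedCredential: function (data) { Object.assign(this, data); },
    credentials: {
      store: (cred) => { stored.push(cred); return Promise.resolve(cred); },
    },
  };
}
```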
Sep 15 2017
Comment 1 by vasi...@chromium.org, Aug 18 2017