New issue
Advanced search Search tips
Note: Color blocks (like or ) mean that a user may not be available. Tooltip shows the reason.

Issue 756846 link

Starred by 1 user
Status: Assigned
Owner:
mkwst@chromium.org
Buried. Ping if important.
Cc:
arthurso...@chromium.org
Components:
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: 3
Type: Bug-Regression



Sign in to add a comment

BlockCredentialedSubresources iframes with relative urls are blocked when its parent frame url contains credential.

Project Member Reported by arthurso...@chromium.org, Aug 18 2017 
BlockCredentialedSubresources feature blocks any subresources urls (including iframes) that contains credential. For instance https://user:pass@host.com/iframe.html.

This rule has been relaxed in
https://chromium-review.googlesource.com/c/530308
This CL allows embedded credentials for relative URLs.

The problem is that it doesn't work when the subresource is an iframe.
That is to say: when the top-level frame's url contains credential, any iframe loaded with a relative url will be blocked.

This will be fixed soon with PlzNavigate(--enable-browser-side-navigation), but the problem will remain when PlzNavigate is not enabled.

Comment 1 by arthurso...@chromium.org, Aug 21 2017 

This issue is fixed with PlzNavigate.

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/98218acf1f7c8c5c2b02a82cff7d10276fc53d27

commit 98218acf1f7c8c5c2b02a82cff7d10276fc53d27
Author: arthursonzogni <arthursonzogni@chromium.org>
Date: Fri Aug 18 20:05:04 2017

PlzNavigate: make BlockCredentialedSubresources work.

Chrome blocks subresource requests whose URLs include credentials (i.e.
http://username:password@example.com/resource.png).

It was broken with PlzNavigate(--enable-browser-side-navigation) when
the subresource was a frame. The page was blocked, but only after the request
had been sent to the server.
This CL makes chrome block requests before they are submitted.

Test: NavigationHandleImplBrowserTest.BlockCredentialedSubresources
Bug:  755892 
Cq-Include-Trybots: master.tryserver.chromium.linux:linux_site_isolation
Change-Id: Ibce9555e0cd4f83d206c0fff8a8c8267bd9fb5b6
Reviewed-on: https://chromium-review.googlesource.com/619086
Reviewed-by: Nasko Oskov <nasko@chromium.org>
Reviewed-by: Mike West <mkwst@chromium.org>
Commit-Queue: Nasko Oskov <nasko@chromium.org>
Cr-Commit-Position: refs/heads/master@{#495659}
[modify] https://crrev.com/98218acf1f7c8c5c2b02a82cff7d10276fc53d27/content/browser/frame_host/navigation_handle_impl_browsertest.cc
[modify] https://crrev.com/98218acf1f7c8c5c2b02a82cff7d10276fc53d27/content/browser/frame_host/navigation_request.cc
[modify] https://crrev.com/98218acf1f7c8c5c2b02a82cff7d10276fc53d27/content/browser/frame_host/navigation_request.h
[modify] https://crrev.com/98218acf1f7c8c5c2b02a82cff7d10276fc53d27/third_party/WebKit/Source/core/loader/FrameFetchContext.cpp

Comment 2 by est...@chromium.org, Nov 10 2017

Labels: Hotlist-EnamelAndFriendsFixIt

Comment 3 by est...@chromium.org, Feb 18 2018

Labels: -Hotlist-EnamelAndFriendsFixIt

Sign in to add a comment