execCommand("InsertText") triggers HTTPBad Phase 2 |
||||||||||||
Issue description
Chrome Version: 62
What steps will reproduce the problem?
(1) Enable HTTPBad Phase 2 (Warn {*} after editing) in chrome://flags
(2) Visit www.indiatimes.com or webdbg.com/test/forms/modernizr.html
Observe: Omnibox shows "Not Secure" and Developer Tools Security Panel says a form was edited.
Expect: No warning, as the user didn't edit anything.
The problem relates to the fact that Modernizer's "input[type="number"] Localization" test performs an ExecCommand("InsertText") on an Input control as part of feature detection logic.
,
Sep 13 2017
It's also worth noting that the treatment of execCommand('InsertText') as user-input confuses other logic, for instance, signals used as input into the tab-discarding algorithm:
web_view_->PageImportanceSignals()->SetHadFormInteraction();
,
Sep 14 2017
,
Sep 15 2017
,
Sep 15 2017
+mustaq, rbyers since one of the solutions being considering is to check for presence of a user gesture during execCommand, which seems reasonable enough to me at first blush.
,
Sep 15 2017
,
Sep 15 2017
Hotlist in #6 seems like a mistake? Re #5: it turns out that Document trivially allows detection of an in progress ExecCommand so I plan to test that directly instead of looking at UserGestures. https://chromium-review.googlesource.com/666118
,
Sep 15 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/7e05b5d9799fdb4f264592a25b5edc2a1a936935 commit 7e05b5d9799fdb4f264592a25b5edc2a1a936935 Author: Eric Lawrence <elawrence@chromium.org> Date: Fri Sep 15 19:49:05 2017 Avoid triggering 'Not Secure' warning when execCommand changes input HTTPBad Phase 2 calls for showing 'Not Secure' on pages where the user edits an INPUT field on a non-secure page. Testing revealed that some JavaScript libraries call execCommand("InsertText"...) during page load. This bubbles up to ChromeClientImpl::DidChangeValueInTextField and causes the Not Secure warning to appear prematurely. This CL ignores value changes that occur due to an execCommand call. Bug: 764760 Change-Id: I3fc6a695ee314dc4c1941c3f2ddfa99053bcefad Reviewed-on: https://chromium-review.googlesource.com/666118 Commit-Queue: Eric Lawrence <elawrence@chromium.org> Reviewed-by: Mustafa Emre Acer <meacer@chromium.org> Reviewed-by: Kouhei Ueno <kouhei@chromium.org> Reviewed-by: Kent Tamura <tkent@chromium.org> Cr-Commit-Position: refs/heads/master@{#502332} [modify] https://crrev.com/7e05b5d9799fdb4f264592a25b5edc2a1a936935/chrome/browser/ssl/security_state_tab_helper_browser_tests.cc [modify] https://crrev.com/7e05b5d9799fdb4f264592a25b5edc2a1a936935/third_party/WebKit/Source/core/page/ChromeClientImpl.cpp
,
Sep 15 2017
,
Sep 16 2017
Verified fixed in 63.0.3217.0. I'll need to merge to m62
,
Sep 16 2017
This bug requires manual review: M62 has already been promoted to the beta branch, so this requires manual review Please contact the milestone owner if you have questions. Owners: amineer@(Android), cmasso@(iOS), bhthompson@(ChromeOS), abdulsyed@(Desktop) For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Sep 18 2017
Can you please indicate which OS this will impact?
,
Sep 18 2017
,
Sep 19 2017
Thanks for the fix. Can you please confirm if this is a safe merge overall and why can we not wait until M63? I see it's quite of a small patch and already verified in Canary; however, since it's touching all platforms and we're already few weeks after M62 branch, we'd like to ensure all fixes are truly necessary and safe merges.
,
Sep 19 2017
Yes, this should be an extremely safe merge; it doesn't introduce anything except an additional check of a boolean flag. It can't wait to M63 because it scopes a feature launch; the bug incorrectly changes the behavior of webpages that use a popular JavaScript library. We need the new feature to match the public documentation and outreach: https://blog.chromium.org/2017/04/next-steps-toward-more-connection.html
,
Sep 19 2017
Thanks for more details. Approving merge to M62. Branch: 3202
,
Sep 19 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/cacea9d0352263678bf3b1e20ab257323fab4b4b commit cacea9d0352263678bf3b1e20ab257323fab4b4b Author: Eric Lawrence <elawrence@chromium.org> Date: Tue Sep 19 18:51:14 2017 Avoid triggering 'Not Secure' warning when execCommand changes input HTTPBad Phase 2 calls for showing 'Not Secure' on pages where the user edits an INPUT field on a non-secure page. Testing revealed that some JavaScript libraries call execCommand("InsertText"...) during page load. This bubbles up to ChromeClientImpl::DidChangeValueInTextField and causes the Not Secure warning to appear prematurely. This CL ignores value changes that occur due to an execCommand call. Bug: 764760 Change-Id: I3fc6a695ee314dc4c1941c3f2ddfa99053bcefad Reviewed-on: https://chromium-review.googlesource.com/666118 Commit-Queue: Eric Lawrence <elawrence@chromium.org> Reviewed-by: Mustafa Emre Acer <meacer@chromium.org> Reviewed-by: Kouhei Ueno <kouhei@chromium.org> Reviewed-by: Kent Tamura <tkent@chromium.org> Cr-Original-Commit-Position: refs/heads/master@{#502332}(cherry picked from commit 7e05b5d9799fdb4f264592a25b5edc2a1a936935) Reviewed-on: https://chromium-review.googlesource.com/673007 Reviewed-by: Eric Lawrence <elawrence@chromium.org> Cr-Commit-Position: refs/branch-heads/3202@{#328} Cr-Branched-From: fa6a5d87adff761bc16afc5498c3f5944c1daa68-refs/heads/master@{#499098} [modify] https://crrev.com/cacea9d0352263678bf3b1e20ab257323fab4b4b/chrome/browser/ssl/security_state_tab_helper_browser_tests.cc [modify] https://crrev.com/cacea9d0352263678bf3b1e20ab257323fab4b4b/third_party/WebKit/Source/core/page/ChromeClientImpl.cpp
,
Sep 26 2017
Verified in 62; initially in 62.0.3202.29 |
||||||||||||
►
Sign in to add a comment |
||||||||||||
Comment 1 by elawrence@chromium.org
, Sep 13 2017