
Issue 778711

Starred by 5 users

Issue metadata

Status: Untriaged
Owner: ----
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux, Windows, Chrome, Mac
Pri: 3
Type: Bug



Hotlists containing this issue:
Chrome



Make PPAPI network requests go through the browser process

Project Member Reported by creis@chromium.org, Oct 26 2017

Issue description

Similar to issue 286074 for NPAPI requests, we should switch PPAPI network requests to go straight to the browser process instead of going through the renderer process.

The motivation is that plugins can request documents from any origin, but we want to restrict which documents can be given to renderer processes as part of Site Isolation (see issue 268640). If we implement this cross-site document blocking for the renderer, it could block legitimate plugin requests as well.

From jam@:
"The implementation of pepper APIs, in this case PPB_URLLoader_API, is in ppapi/proxy/url_loader_resource.cc. They proxy all the calls to the renderer (see the Post(RENDERER calls in ppapi/proxy/url_loader_resource.cc). These can be switched to be Post(BROWSER, and then dispatch the IPCs in the browser (see these examples: https://cs.chromium.org/search/?q=%22Post(BROWSER%22+case:yes&sq=package:chromium&type=cs)."

Comment 1 by creis@chromium.org, Nov 21 2017

Blocking: 786505

Comment 2 by creis@chromium.org, Dec 13 2017

Blocking: -786505
Project Member

Comment 3 by sheriffbot@chromium.org, Dec 13

Labels: Hotlist-Recharge-Cold
Status: Untriaged (was: Available)
This issue has been Available for over a year. If it's no longer important or seems unlikely to be fixed, please consider closing it out. If it is important, please re-triage the issue.

Sorry for the inconvenience if the bug really should have been left as Available.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Blocking: -268640
Labels: -Pri-1 -Hotlist-Recharge-Cold Pri-3
This seems to be still desirable, but it is *not* blocking CORB - CORB related problems have been addressed through issue 874515.
