
Issue 785172 link

Starred by 2 users

Issue metadata

Status: Fixed
Owner:
Buried. Ping if important.
Closed: Jan 2018
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux , Android , Windows , Chrome , Mac
Pri: 3
Type: Bug

Allow same-origin nested usage of `navigator.credentials.*`

Reported by mkwst@chromium.org, Nov 15 2017

Issue description


Comment 1 by bugdroid1@chromium.org, Nov 20 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/e5c30e0bbf8dc7884cb4430e39444d62c19ad8fe

commit e5c30e0bbf8dc7884cb4430e39444d62c19ad8fe
Author: Mike West <mkwst@chromium.org>
Date: Mon Nov 20 15:12:16 2017

Credential Management: Remove blanket restriction on nested contexts.

https://github.com/w3c/webappsec-credential-management/pull/114 shifts
the restriction on nested usage of `navigator.credentials.{get,store}`
from a complete prohibition to one which applies more narrowly to
`PasswordCredential` and `FederatedCredential`.

This patch aligns Blink's behavior with the spec:

1.  The nested-context restriction applies only to `get()` and `store()`
    operations that request `password` or `federated` credential types.
    `preventSilentAccess()` and `create()` can be called anywhere.

2.  Nested contexts that are same-origin with all of their ancestors are
    carved out from the exclusion above. So, `example.com` embedded in
    `not-example.com` will trigger a rejection, while `example.com`
    embedded in `example.com` will not.

3.  Nested usage triggers a `NotAllowedError` as opposed to the current
    `SecurityError`.

Bug:  785172 
Change-Id: If0e75d7b84e91ed7f0eaf1220e90a1c307a85312
Reviewed-on: https://chromium-review.googlesource.com/771190
Commit-Queue: Mike West <mkwst@chromium.org>
Reviewed-by: Dominic Battré <battre@chromium.org>
Cr-Commit-Position: refs/heads/master@{#517824}
[add] https://crrev.com/e5c30e0bbf8dc7884cb4430e39444d62c19ad8fe/third_party/WebKit/LayoutTests/external/wpt/credential-management/federatedcredential-framed-get.sub.https.html
[add] https://crrev.com/e5c30e0bbf8dc7884cb4430e39444d62c19ad8fe/third_party/WebKit/LayoutTests/external/wpt/credential-management/passwordcredential-framed-get.sub.https.html
[add] https://crrev.com/e5c30e0bbf8dc7884cb4430e39444d62c19ad8fe/third_party/WebKit/LayoutTests/external/wpt/credential-management/support/echoing-nester.html
[add] https://crrev.com/e5c30e0bbf8dc7884cb4430e39444d62c19ad8fe/third_party/WebKit/LayoutTests/external/wpt/credential-management/support/federatedcredential-get.html
[add] https://crrev.com/e5c30e0bbf8dc7884cb4430e39444d62c19ad8fe/third_party/WebKit/LayoutTests/external/wpt/credential-management/support/passwordcredential-get.html
[delete] https://crrev.com/b851ba0d7eb7a1b814c1444c43ea3a1401369160/third_party/WebKit/LayoutTests/http/tests/credentialmanager/credentialscontainer-frame-errors.html
[modify] https://crrev.com/e5c30e0bbf8dc7884cb4430e39444d62c19ad8fe/third_party/WebKit/LayoutTests/http/tests/credentialmanager/resources/iframed-credentialscontainer.html
[modify] https://crrev.com/e5c30e0bbf8dc7884cb4430e39444d62c19ad8fe/third_party/WebKit/Source/modules/credentialmanager/CredentialsContainer.cpp
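
The three rules in the commit message above, written out as an added example (this is not Chromium's, Blink's or the spec's code) so the policy can be checked against constructed frame trees without a browser. Assumptions of mine, not the page's: an origin is a "scheme://host[:port]" string, a frame's ancestors are passed in as an array ordered from the direct parent up to the top-level document, and only the credential types named on the page are modelled. `checkNestedAccess`, `outcome`, `getPasswordCredential` and the `scenarios` table are hypothetical names for this example.

```javascript
// Added example (not Chromium's or the spec's code): a model of the
// nested-context policy that the commit above describes, written as a pure
// function so the three rules can be exercised against constructed frame
// trees without a browser.
//
// Assumptions (mine, not the page's): an origin is a "scheme://host[:port]"
// string, and a frame's ancestors are given as an array ordered from the
// direct parent up to the top-level document.

class NotAllowedError extends Error {
  constructor(message) {
    super(message);
    this.name = 'NotAllowedError';
  }
}

// Rule 1: only these credential types are subject to the nested-context check.
const RESTRICTED_TYPES = new Set(['password', 'federated']);
const CREDENTIAL_TYPE_KEYS = ['password', 'federated', 'publicKey'];

// Credential types involved in a get() (from its CredentialRequestOptions)
// or a store() (from the Credential object's .type).
function requestedTypes(operation, arg) {
  if (operation === 'get') {
    return CREDENTIAL_TYPE_KEYS.filter((key) => Boolean(arg[key]));
  }
  if (operation === 'store') {
    return [arg.type];
  }
  return [];
}

// Rule 2: a nested context is exempt only if every ancestor shares its origin.
function isSameOriginWithAllAncestors(origin, ancestorOrigins) {
  return ancestorOrigins.every((ancestor) => ancestor === origin);
}

// Returns true when the call may proceed; throws NotAllowedError (rule 3)
// when the nested-context restriction applies.
function checkNestedAccess({ operation, arg, origin, ancestorOrigins }) {
  // create() and preventSilentAccess() are never restricted by this rule.
  if (operation !== 'get' && operation !== 'store') return true;

  const types = requestedTypes(operation, arg);
  // A get() for publicKey only, for example, is not covered by this rule.
  if (!types.some((type) => RESTRICTED_TYPES.has(type))) return true;

  // Top-level documents are not nested, so there is nothing to check.
  if (ancestorOrigins.length === 0) return true;

  if (isSameOriginWithAllAncestors(origin, ancestorOrigins)) return true;

  throw new NotAllowedError(
    `navigator.credentials.${operation}() for ${types.join('/')} credentials ` +
    'is not allowed in a cross-origin nested browsing context'
  );
}

// Folds the outcome into a string so scenarios can be tabulated.
function outcome(request) {
  try {
    checkNestedAccess(request);
    return 'allowed';
  } catch (error) {
    return error.name;
  }
}

// Constructed scenarios (not the page's layout tests), mirroring the commit's
// example.com / not-example.com description.
const EXAMPLE = 'https://example.com';
const NOT_EXAMPLE = 'https://not-example.com';
const scenarios = {
  topLevelPassword: { operation: 'get', arg: { password: true }, origin: EXAMPLE, ancestorOrigins: [] },
  sameOriginNested: { operation: 'get', arg: { password: true }, origin: EXAMPLE, ancestorOrigins: [EXAMPLE] },
  crossOriginNested: { operation: 'get', arg: { password: true }, origin: EXAMPLE, ancestorOrigins: [NOT_EXAMPLE] },
  // example.com in example.com in not-example.com: one cross-origin ancestor is enough to reject.
  crossOriginGrandparent: { operation: 'get', arg: { federated: { providers: ['https://idp.example'] } }, origin: EXAMPLE, ancestorOrigins: [EXAMPLE, NOT_EXAMPLE] },
  crossOriginPublicKey: { operation: 'get', arg: { publicKey: { challenge: new Uint8Array(32) } }, origin: EXAMPLE, ancestorOrigins: [NOT_EXAMPLE] },
  crossOriginStore: { operation: 'store', arg: { type: 'password' }, origin: EXAMPLE, ancestorOrigins: [NOT_EXAMPLE] },
  crossOriginCreate: { operation: 'create', arg: { password: { id: 'u', password: 'p' } }, origin: EXAMPLE, ancestorOrigins: [NOT_EXAMPLE] },
  crossOriginPreventSilent: { operation: 'preventSilentAccess', arg: undefined, origin: EXAMPLE, ancestorOrigins: [NOT_EXAMPLE] },
};

// Page-side handling: in a browser, pass navigator.credentials. A rejection
// named NotAllowedError means the frame is embedded cross-origin and may not
// read password credentials, which an embeddable page should treat as
// "no credential available" rather than as an unexpected failure.
async function getPasswordCredential(credentials) {
  try {
    return await credentials.get({ password: true, mediation: 'optional' });
  } catch (error) {
    if (error.name === 'NotAllowedError') return null;
    throw error;
  }
}

for (const [name, request] of Object.entries(scenarios)) {
  console.log(`${name.padEnd(24)} -> ${outcome(request)}`);
}
```

Running it prints one line per scenario; the only rejections are the password/federated `get()` and the password `store()` from a frame with at least one cross-origin ancestor, which is exactly the carve-out the commit describes. A page that embeds itself same-origin (the `example.com` in `example.com` case) keeps working, and the error name to branch on is `NotAllowedError`, not the earlier `SecurityError`.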

Comment 2 by mkwst@chromium.org, Jan 22 2018

Status: Fixed (was: Started)
