New issue
Advanced search Search tips
Note: Color blocks (like or ) mean that a user may not be available. Tooltip shows the reason.

Issue 809820 link

Starred by 2 users

Issue metadata

Status: Assigned
Owner:
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux , Android , Windows , Chrome , Mac
Pri: 1
Type: Bug

Blocking:
issue 776896



Sign in to add a comment

Convert chrome://histograms to a proper WebUI page.

Project Member Reported by dpa...@chromium.org, Feb 7 2018

Issue description

Context https://bugs.chromium.org/p/chromium/issues/detail?id=776896 (see comment 12).

CC'ing OWNERs.
 
Blocking: 776896
Cc: fdegros@chromium.org
Working on getting the right permissions on the context bug, will ping this thread soon once permissions have been adjusted.
Summary: Convert chrome://histograms to a proper WebUI page. (was: Convert chrome://historgrams to a proper WebUI page.)
Project Member

Comment 5 by sheriffbot@chromium.org, Feb 7 2018

Labels: M-64
Project Member

Comment 6 by sheriffbot@chromium.org, Feb 7 2018

Labels: -Pri-2 Pri-1
I don't have access to see https://bugs.chromium.org/p/chromium/issues/detail?id=776896

But this bug sounds like a dupe of crbug.com/788270, which is already being worked on.
Added you asvitkine@.

bug 788270 feels more generic bug, in that case, this security issue should still be tracked on its own (it can be marked as blocked on that bug).
Components: UI>Browser>WebUI Internals>Metrics
Owner: asvitk...@chromium.org
Status: Assigned (was: Available)
Project Member

Comment 10 by sheriffbot@chromium.org, Feb 22 2018

asvitkine: Uh oh! This issue still open and hasn't been updated in the last 14 days. This is a serious vulnerability, and we want to ensure that there's progress. Could you please leave an update with the current status and any potential blockers?

If you're not the right owner for this issue, could you please remove yourself as soon as possible or help us find the right one?

If the issue is fixed or you can't reproduce it, please close the bug. If you've started working on a fix, please set the status to Started.

Thanks for your time! To disable nags, add the Disable-Nags label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Project Member

Comment 11 by sheriffbot@chromium.org, Mar 7 2018

Labels: -M-64 M-65
Project Member

Comment 12 by sheriffbot@chromium.org, Mar 8 2018

asvitkine: Uh oh! This issue still open and hasn't been updated in the last 28 days. This is a serious vulnerability, and we want to ensure that there's progress. Could you please leave an update with the current status and any potential blockers?

If you're not the right owner for this issue, could you please remove yourself as soon as possible or help us find the right one?

If the issue is fixed or you can't reproduce it, please close the bug. If you've started working on a fix, please set the status to Started.

Thanks for your time! To disable nags, add the Disable-Nags label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Friendly ping from the security sheriff. Can we get any update on this?
Can I have access to the context as well?
I'm a bit confused what the security/stability impact of this is if is a dupe of 
https://bugs.chromium.org/p/chromium/issues/detail?id=788270 (as per #7) which is a feature request and not a stability/security issue.
> Can I have access to the context as well?

Should have access now. Please try again.
Project Member

Comment 17 by sheriffbot@chromium.org, Apr 18 2018

Labels: -M-65 M-66
Are there any updates on this issue?

Re: #15: The issue may be resolved with the work tracked by issue 788270, but the security implications are because of what is discussed in issue 776896.
Cc: ma...@chromium.org se...@chromium.org
No updates. This isn't on our teams OKRs this quarter, so no one is working on it.

I was hoping the prototype mathp@ and sebsg@ have built could be landed and would solve this. But haven't heard back from them.

Comment 20 by wfh@chromium.org, May 14 2018

I think this bug, and also issue 776896 should be Type=Bug with security component, rather than Type=Bug-Security. This is because they are not vulnerabilities directly affecting user security but are defence-in-depth mitigations and new security features:

"Type-Bug-Security: Designates a security vulnerability that impacts users. This label should not be used for new features that relate to security, or general remediation/refactoring ideas. (Use the Security component for that.)" [1] 

Unless there are objections I'll switch both bugs.

[1] - https://chromium.googlesource.com/chromium/src/+/master/docs/security/security-labels.md

Comment 21 by ma...@chromium.org, May 15 2018

I'm sorry we haven't been able to get to it. Let me try to break up the prototype change into smaller chunks.
Owner: ma...@chromium.org
Mathieu sent out a CL for review!

https://chromium-review.googlesource.com/c/chromium/src/+/890627
Project Member

Comment 23 by bugdroid1@chromium.org, May 17 2018

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/18170a49b39546ea32d21dc7d61bc82d61529fd0

commit 18170a49b39546ea32d21dc7d61bc82d61529fd0
Author: Mathieu Perreault <mathp@chromium.org>
Date: Thu May 17 12:48:15 2018

[Histograms] Revamp of the chrome://histograms page

Now a WebUI message handler. Still keeps the same UI
for now, but has potential to be more (see earlier patchsets)

Bug: 809820, 788270
Change-Id: I9e2de72540f152ad367098d8255492378bbb28a3
Reviewed-on: https://chromium-review.googlesource.com/890627
Reviewed-by: Avi Drissman <avi@chromium.org>
Reviewed-by: Julian Pastarmov <pastarmovj@chromium.org>
Reviewed-by: Bernhard Bauer <bauerb@chromium.org>
Reviewed-by: Alexei Svitkine <asvitkine@chromium.org>
Commit-Queue: Mathieu Perreault <mathp@chromium.org>
Cr-Commit-Position: refs/heads/master@{#559504}
[modify] https://crrev.com/18170a49b39546ea32d21dc7d61bc82d61529fd0/chrome/browser/policy/policy_browsertest.cc
[modify] https://crrev.com/18170a49b39546ea32d21dc7d61bc82d61529fd0/content/browser/BUILD.gn
[delete] https://crrev.com/c70cdb314e37ae58980dd993433748d9c09e64dc/content/browser/histogram_internals_request_job.cc
[delete] https://crrev.com/c70cdb314e37ae58980dd993433748d9c09e64dc/content/browser/histogram_internals_request_job.h
[delete] https://crrev.com/c70cdb314e37ae58980dd993433748d9c09e64dc/content/browser/histogram_internals_url_loader.cc
[delete] https://crrev.com/c70cdb314e37ae58980dd993433748d9c09e64dc/content/browser/histogram_internals_url_loader.h
[add] https://crrev.com/18170a49b39546ea32d21dc7d61bc82d61529fd0/content/browser/histograms_internals_ui.cc
[add] https://crrev.com/18170a49b39546ea32d21dc7d61bc82d61529fd0/content/browser/histograms_internals_ui.h
[add] https://crrev.com/18170a49b39546ea32d21dc7d61bc82d61529fd0/content/browser/resources/histograms/histograms_internals.html
[add] https://crrev.com/18170a49b39546ea32d21dc7d61bc82d61529fd0/content/browser/resources/histograms/histograms_internals.js
[modify] https://crrev.com/18170a49b39546ea32d21dc7d61bc82d61529fd0/content/browser/webui/content_web_ui_controller_factory.cc
[modify] https://crrev.com/18170a49b39546ea32d21dc7d61bc82d61529fd0/content/browser/webui/url_data_manager_backend.cc
[modify] https://crrev.com/18170a49b39546ea32d21dc7d61bc82d61529fd0/content/browser/webui/web_ui_url_loader_factory.cc
[modify] https://crrev.com/18170a49b39546ea32d21dc7d61bc82d61529fd0/content/content_resources.grd

Comment 24 by wfh@chromium.org, May 21 2018

Components: Security
Labels: -Type-Bug-Security -Restrict-View-SecurityTeam -Security_Impact-Stable -Security_Severity-Medium Type-Bug
This isn't a security bug that is a risk to users, it's security feature work.

https://chromium.googlesource.com/chromium/src/+/master/docs/security/security-labels.md
Status: Fixed (was: Assigned)
Marking as Fixed for M68 since this is now live on Canary. Thanks Mathieu!

Comment 26 by nasko@chromium.org, May 23 2018

Thanks a lot for fixing this!
Project Member

Comment 27 by bugdroid1@chromium.org, May 23 2018

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/f38ba52d12bfbbff75397033b1a140b4ee3e7c4b

commit f38ba52d12bfbbff75397033b1a140b4ee3e7c4b
Author: Mathieu Perreault <mathp@chromium.org>
Date: Wed May 23 19:30:08 2018

[Histograms page] Create a build target for histograms internals JS

As well, address comments from
https://chromium-review.googlesource.com/c/chromium/src/+/890627

Bug: 809820, 788270
Change-Id: Idb11e6045ad79993792da08245485c3e64259f85
Reviewed-on: https://chromium-review.googlesource.com/1065576
Reviewed-by: calamity <calamity@chromium.org>
Reviewed-by: Scott Violet <sky@chromium.org>
Reviewed-by: Avi Drissman <avi@chromium.org>
Reviewed-by: Demetrios Papadopoulos <dpapad@chromium.org>
Commit-Queue: Mathieu Perreault <mathp@chromium.org>
Cr-Commit-Position: refs/heads/master@{#561202}
[modify] https://crrev.com/f38ba52d12bfbbff75397033b1a140b4ee3e7c4b/BUILD.gn
[add] https://crrev.com/f38ba52d12bfbbff75397033b1a140b4ee3e7c4b/content/browser/resources/BUILD.gn
[add] https://crrev.com/f38ba52d12bfbbff75397033b1a140b4ee3e7c4b/content/browser/resources/histograms/BUILD.gn
[add] https://crrev.com/f38ba52d12bfbbff75397033b1a140b4ee3e7c4b/content/browser/resources/histograms/OWNERS
[modify] https://crrev.com/f38ba52d12bfbbff75397033b1a140b4ee3e7c4b/content/browser/resources/histograms/histograms_internals.html
[modify] https://crrev.com/f38ba52d12bfbbff75397033b1a140b4ee3e7c4b/content/browser/resources/histograms/histograms_internals.js

Owner: mahmadi@chromium.org
Status: Assigned (was: Fixed)
Reopening for iOS and assigning to Moe

Sign in to add a comment