Right now, we're parsing JSON in the browser process using the JSON parser in //base. It's "probably okay", but that's not good enough; we should be using data_decoder.
What platforms does this affect? Do you know by what release you can fix it? (65 by chance?)
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/ec467a5f9ef29a0074681df178fb6a0c1ba42a96 commit ec467a5f9ef29a0074681df178fb6a0c1ba42a96 Author: Julia Tuttle <juliatuttle@chromium.org> Date: Thu Feb 22 20:22:45 2018 Reporting: Move JSON parsing into Delegate. This will let us move the Delegate into //services/network, from which we can access //services/data_decoder to parse JSON more safely. Bug: 810142 Change-Id: I0bdf674db0250c13d742300ce4da09e101d29743 Reviewed-on: https://chromium-review.googlesource.com/922741 Commit-Queue: Julia Tuttle <juliatuttle@chromium.org> Reviewed-by: Matt Menke <mmenke@chromium.org> Cr-Commit-Position: refs/heads/master@{#538545} [modify] https://crrev.com/ec467a5f9ef29a0074681df178fb6a0c1ba42a96/net/reporting/reporting_delegate.cc [modify] https://crrev.com/ec467a5f9ef29a0074681df178fb6a0c1ba42a96/net/reporting/reporting_delegate.h [modify] https://crrev.com/ec467a5f9ef29a0074681df178fb6a0c1ba42a96/net/reporting/reporting_header_parser.cc [modify] https://crrev.com/ec467a5f9ef29a0074681df178fb6a0c1ba42a96/net/reporting/reporting_header_parser.h [modify] https://crrev.com/ec467a5f9ef29a0074681df178fb6a0c1ba42a96/net/reporting/reporting_header_parser_fuzzer.cc [modify] https://crrev.com/ec467a5f9ef29a0074681df178fb6a0c1ba42a96/net/reporting/reporting_header_parser_unittest.cc [modify] https://crrev.com/ec467a5f9ef29a0074681df178fb6a0c1ba42a96/net/reporting/reporting_service.cc [modify] https://crrev.com/ec467a5f9ef29a0074681df178fb6a0c1ba42a96/net/reporting/reporting_test_util.cc [modify] https://crrev.com/ec467a5f9ef29a0074681df178fb6a0c1ba42a96/net/reporting/reporting_test_util.h
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/6efacf5d98f490bcfd73f4a4e43df671b7178166 commit 6efacf5d98f490bcfd73f4a4e43df671b7178166 Author: Julia Tuttle <juliatuttle@chromium.org> Date: Fri Feb 23 20:18:05 2018 Network Error Logging: Make Service abstract, subclass in ServiceImpl. Bug: 810142 Change-Id: If62d38c058de404f3fd02508b9d63828d37d8d7c Reviewed-on: https://chromium-review.googlesource.com/919422 Commit-Queue: Julia Tuttle <juliatuttle@chromium.org> Reviewed-by: Matt Menke <mmenke@chromium.org> Cr-Commit-Position: refs/heads/master@{#538875} [modify] https://crrev.com/6efacf5d98f490bcfd73f4a4e43df671b7178166/net/network_error_logging/network_error_logging_service.cc [modify] https://crrev.com/6efacf5d98f490bcfd73f4a4e43df671b7178166/net/network_error_logging/network_error_logging_service.h
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/472098df201035552703c5b76b5a9ee4bb415436 commit 472098df201035552703c5b76b5a9ee4bb415436 Author: Julia Tuttle <juliatuttle@chromium.org> Date: Wed Feb 28 21:43:58 2018 Network Error Logging: Create stub Delegate. This will eventually be used to parse JSON using data_decoder. Bug: 810142 Change-Id: Ie0395104c64c24eee2df568be337bb251f500241 Reviewed-on: https://chromium-review.googlesource.com/919621 Commit-Queue: Julia Tuttle <juliatuttle@chromium.org> Reviewed-by: Matt Menke <mmenke@chromium.org> Cr-Commit-Position: refs/heads/master@{#539945} [modify] https://crrev.com/472098df201035552703c5b76b5a9ee4bb415436/chrome/browser/profiles/off_the_record_profile_io_data.cc [modify] https://crrev.com/472098df201035552703c5b76b5a9ee4bb415436/chrome/browser/profiles/profile_impl_io_data.cc [modify] https://crrev.com/472098df201035552703c5b76b5a9ee4bb415436/net/BUILD.gn [add] https://crrev.com/472098df201035552703c5b76b5a9ee4bb415436/net/network_error_logging/network_error_logging_delegate.cc [add] https://crrev.com/472098df201035552703c5b76b5a9ee4bb415436/net/network_error_logging/network_error_logging_delegate.h [modify] https://crrev.com/472098df201035552703c5b76b5a9ee4bb415436/net/network_error_logging/network_error_logging_service.cc [modify] https://crrev.com/472098df201035552703c5b76b5a9ee4bb415436/net/network_error_logging/network_error_logging_service.h [modify] https://crrev.com/472098df201035552703c5b76b5a9ee4bb415436/net/network_error_logging/network_error_logging_service_unittest.cc [modify] https://crrev.com/472098df201035552703c5b76b5a9ee4bb415436/net/url_request/url_request_context_builder.cc
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/7f713569de06879cb722473f79eb2e6116cb8fd3 commit 7f713569de06879cb722473f79eb2e6116cb8fd3 Author: Julia Tuttle <juliatuttle@chromium.org> Date: Fri Mar 02 01:12:25 2018 Network Error Logging: Limit JSON size and depth. This makes it less likely that origins will be able to exploit base::JSONReader using NEL headers. Bug: 810142 Change-Id: I26967667cb1cb644549e48ac8d3bff3a2d6a5ace Reviewed-on: https://chromium-review.googlesource.com/944021 Reviewed-by: John Abd-El-Malek <jam@chromium.org> Commit-Queue: Julia Tuttle <juliatuttle@chromium.org> Cr-Commit-Position: refs/heads/master@{#540392} [modify] https://crrev.com/7f713569de06879cb722473f79eb2e6116cb8fd3/net/network_error_logging/network_error_logging_service.cc [modify] https://crrev.com/7f713569de06879cb722473f79eb2e6116cb8fd3/net/network_error_logging/network_error_logging_service_unittest.cc
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/7d87494c2ced48b86306039757514746fc7e7a1b commit 7d87494c2ced48b86306039757514746fc7e7a1b Author: Julia Tuttle <juliatuttle@chromium.org> Date: Fri Mar 02 01:19:13 2018 Reporting: Limit JSON size and depth. This makes it less likely that origins will be able to exploit base::JSONReader using Report-To headers. Bug: 810142 Change-Id: Ie27d98efe2afbfbeec2e4767e2a64b546e4483d9 Reviewed-on: https://chromium-review.googlesource.com/942231 Reviewed-by: Julia Tuttle <juliatuttle@chromium.org> Commit-Queue: John Abd-El-Malek <jam@chromium.org> Cr-Commit-Position: refs/heads/master@{#540395} [modify] https://crrev.com/7d87494c2ced48b86306039757514746fc7e7a1b/net/reporting/reporting_delegate.cc [modify] https://crrev.com/7d87494c2ced48b86306039757514746fc7e7a1b/net/reporting/reporting_service_unittest.cc [modify] https://crrev.com/7d87494c2ced48b86306039757514746fc7e7a1b/net/reporting/reporting_test_util.cc [modify] https://crrev.com/7d87494c2ced48b86306039757514746fc7e7a1b/net/reporting/reporting_test_util.h
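The size and depth limits described in the two commits above (NEL and Report-To), as an added example that is not Chromium's code: a pre-check that rejects an oversized or too-deeply-nested header value before it reaches any JSON parser at all. The byte and depth budgets and the function names are assumptions for illustration, not values from the commits.

```cpp
// Added example (not Chromium code): a conservative pre-check that a Report-To or
// NEL header value fits within a size and nesting-depth budget before it reaches
// a JSON parser. The budgets below are assumed values chosen for illustration.
#include <cstddef>
#include <string>

constexpr size_t kMaxHeaderJsonBytes = 16 * 1024;  // assumed size budget
constexpr int kMaxHeaderJsonDepth = 5;             // assumed depth budget

// Returns true if `json` is at most `max_bytes` long and its bracket nesting never
// exceeds `max_depth`. Brackets inside string literals (including after escaped
// quotes) are ignored so nesting cannot be hidden in or faked by strings. This is
// a structural scan, not a validator: a value that passes may still be rejected
// by the real parser, but a value that fails is never handed to the parser at all.
bool WithinJsonLimits(const std::string& json, size_t max_bytes, int max_depth) {
  if (json.size() > max_bytes)
    return false;
  int depth = 0;
  bool in_string = false;
  bool escaped = false;
  for (char c : json) {
    if (in_string) {
      if (escaped)
        escaped = false;
      else if (c == '\\')
        escaped = true;
      else if (c == '"')
        in_string = false;
      continue;
    }
    if (c == '"') {
      in_string = true;
    } else if (c == '{' || c == '[') {
      if (++depth > max_depth)
        return false;
    } else if (c == '}' || c == ']') {
      if (--depth < 0)  // stray closer: malformed, reject early
        return false;
    }
  }
  return true;
}

// Convenience wrapper using the header budgets above.
bool HeaderJsonWithinLimits(const std::string& header_value) {
  return WithinJsonLimits(header_value, kMaxHeaderJsonBytes, kMaxHeaderJsonDepth);
}
```

The scan runs in linear time over the header and allocates nothing, so it is cheap to apply to every response before the real parser sees the bytes.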
Per https://bugs.chromium.org/p/chromium/issues/detail?id=799253#c10 we have permission to continue using base::JSONReader in the browser process.
Given issue 823897 and crrev.com/c/1105565, we might be able to revisit this, and use the data_decoder to parse the JSON header values.
Comment 1 by palmer@chromium.org, Feb 8 2018