Ensure that YouTube URL checks are not used where strong authenticity requirements are necessary
Issue description

This is analogous to bug 120657, which was mainly for Google Search / Google domain checks. Also, here is a doc about how the Google domain audit / fix was performed: https://docs.google.com/document/d/1haYVf-NCkbiaDcbOf7Djx_jlqLXcSr-Op86eHXV-yi4/edit

The only function that does YouTube URL checks is IsYoutubeDomainUrl in google_util.h. Happily, it's only used in half a dozen places in the code.
Feb 13 2018
Feb 13 2018
Tentatively assigning to treib@, and I see he's touched multiple callsites with this function. Feel free to reassign as appropriate.
Feb 13 2018
It's possible this may have already been handled by the fix for bug 120657 (which was in bug 665624). It's not clear to me at a glance. (Maria implies it was not, but she may have forgotten the details in between her submitting a change and me asking her about it six months later.)
Feb 13 2018
I checked the code: No, it's not already fixed, but it should be straightforward to apply the TLD check also to IsYoutubeDomainUrl, assuming that the list of valid TLDs is the same for both youtube and google hosts.
Feb 21 2018
I don't think it's safe to assume that TLDs are the same. However, we do have a script (https://docs.google.com/document/d/1haYVf-NCkbiaDcbOf7Djx_jlqLXcSr-Op86eHXV-yi4/edit#bookmark=id.hu8i66if36k9) that parses the domain file where all Google domains are registered to extract TLDs for search, and it would be trivial to modify it to do the same for YouTube.
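
The TLD check discussed in the comments above, as an added example that is not part of the thread and is not Chromium's code: a host check with no TLD restriction next to one that requires youtube.<tld> from an allowlist. The function names, the host-string interface and the three-entry TLD set are assumptions made for illustration; the real set would come from the domain registration file.

```cpp
#include <algorithm>
#include <cctype>
#include <iostream>
#include <set>
#include <string>

// Constructed sample allowlist, NOT the real set of YouTube TLDs. The thread
// proposes generating the real one from the domain registration file.
static const std::set<std::string> kSampleYoutubeTlds = {"com", "de", "co.uk"};

// Lowercases the host and drops one trailing dot ("youtube.com." == "youtube.com").
static std::string CanonicalizeHost(std::string host) {
  std::transform(host.begin(), host.end(), host.begin(), [](unsigned char c) {
    return static_cast<char>(std::tolower(c));
  });
  if (!host.empty() && host.back() == '.') host.pop_back();
  return host;
}

// Check with no TLD restriction: accepts a "youtube" label followed by anything.
bool LooseIsYoutubeHost(const std::string& raw_host) {
  const std::string host = CanonicalizeHost(raw_host);
  return host.rfind("youtube.", 0) == 0 ||
         host.find(".youtube.") != std::string::npos;
}

// Check with a TLD allowlist: the host must be exactly youtube.<tld>, or a
// subdomain of it when allow_subdomain is set.
bool StrictIsYoutubeHost(const std::string& raw_host, bool allow_subdomain) {
  const std::string host = CanonicalizeHost(raw_host);
  for (const std::string& tld : kSampleYoutubeTlds) {
    const std::string base = "youtube." + tld;
    if (host == base) return true;
    const std::string suffix = "." + base;
    if (allow_subdomain && host.size() > suffix.size() &&
        host.compare(host.size() - suffix.size(), suffix.size(), suffix) == 0)
      return true;
  }
  return false;
}

int main() {
  // Constructed hosts; ".example" is a reserved TLD.
  for (const char* h : {"www.youtube.com", "youtube.example", "youtube.com.example"})
    std::cout << h << " loose=" << LooseIsYoutubeHost(h)
              << " strict=" << StrictIsYoutubeHost(h, true) << "\n";
  return 0;
}
```
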
Aug 23
Comment 1 by mpear...@chromium.org, Feb 13 2018