Issue 828958

Issue metadata

Status: Fixed
Owner:
Closed: Apr 2018
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux, Windows, Chrome, Mac
Pri: 1
Type: ----




Enforce proper restrictions on caller browsing contexts

Project Member Reported by kpaulhamus@chromium.org, Apr 4 2018

Issue description

get/create for PublicKeyCredentials should be restricted to contexts that are “secure and same-origin with all their ancestors” (SASOWATA).

Adjust the implementation & error messages, and add layout tests to enforce them.
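
The restriction described above, modeled as an added example that is not Chromium's code and not part of the original report. The function names, reason strings and `.example` origins are hypothetical, and the trustworthiness test is a simplified assumption (HTTPS/WSS or loopback only).

```javascript
// Added example (not Chromium code). Models the caller-context rule over a
// constructed frame chain; runs in Node.js without browser APIs.

// Assumption: simplified "potentially trustworthy" test (HTTPS/WSS or loopback).
function isPotentiallyTrustworthy(url) {
  if (url.protocol === 'https:' || url.protocol === 'wss:') return true;
  const host = url.hostname;
  return host === 'localhost' || host.endsWith('.localhost') ||
    /^127(\.\d{1,3}){3}$/.test(host) || host === '[::1]';
}

// URL.origin serializes opaque origins (for example data: URLs) as "null";
// those never count as same-origin with another context.
function sameOrigin(a, b) {
  return a.origin !== 'null' && a.origin === b.origin;
}

// frameChain: document URLs from the top-level page down to the calling frame.
// Returns null when the call may proceed, otherwise a reason string.
function checkCallerContext(frameChain) {
  const urls = frameChain.map((u) => new URL(u));
  const caller = urls[urls.length - 1];
  if (!isPotentiallyTrustworthy(caller)) return 'insecure-context';
  // Walk every ancestor, nearest first; comparing only against the top-level
  // origin would miss a cross-origin frame sitting in the middle.
  for (let i = urls.length - 2; i >= 0; i--) {
    if (!sameOrigin(caller, urls[i])) {
      return `cross-origin-ancestor:${urls[i].origin}`;
    }
  }
  return null;
}

// Constructed sample chains (hypothetical origins).
const SAMPLE_CHAINS = [
  ['https://rp.example/login'],
  ['https://rp.example/', 'https://rp.example/embedded'],
  ['https://rp.example/', 'https://ads.example/widget', 'https://rp.example/embedded'],
  ['https://portal.example/', 'https://rp.example/embedded'],
  ['http://rp.example/login'],
];

for (const chain of SAMPLE_CHAINS) {
  const reason = checkCallerContext(chain);
  console.log(chain.join(' > '), '=>', reason === null ? 'allowed' : `rejected (${reason})`);
}
```

The third chain is the case the "all ancestors" wording exists for: the calling frame shares its origin with the top-level page but is nested inside a cross-origin frame, so it is rejected.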

 
Cc: kpaulhamus@chromium.org
Issue 828956 has been merged into this issue.
Cc: -kpaulhamus@chromium.org
Owner: kpaulhamus@chromium.org
Status: Assigned (was: Available)
Status: Started (was: Assigned)
Status: Fixed (was: Started)
Project Member

Comment 6 by bugdroid1@chromium.org, Apr 17 2018

Labels: Merge-Request-67
Requesting merge into m67.

Comment 8 by gov...@chromium.org, Apr 18 2018

Pls apply appropriate OSs label. Thank you.
Labels: OS-Chrome OS-Linux OS-Mac OS-Windows
Project Member

Comment 10 by sheriffbot@chromium.org, Apr 19 2018

Labels: -Merge-Request-67 Merge-Approved-67 Hotlist-Merge-Approved
Your change meets the bar and is auto-approved for M67. Please go ahead and merge the CL to branch 3396 manually. Please contact milestone owner if you have questions.
Owners: cmasso@(Android), cmasso@(iOS), kbleicher@(ChromeOS), govind@(Desktop)

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Project Member

Comment 11 by bugdroid1@chromium.org, Apr 19 2018

Labels: -merge-approved-67 merge-merged-3396
The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/01c6b36b5345607df2aa9ebc9633aeff08e78d5a

commit 01c6b36b5345607df2aa9ebc9633aeff08e78d5a
Author: Kim Paulhamus <kpaulhamus@chromium.org>
Date: Thu Apr 19 21:56:28 2018

Restrict WebAuthN to "secure and same-origin with all their ancestors"

Bug:  828958 
Change-Id: Ie24fb55ddf5b8180036e830cd73ae58b0fb2ccd5
Reviewed-on: https://chromium-review.googlesource.com/994177
Commit-Queue: Kim Paulhamus <kpaulhamus@chromium.org>
Reviewed-by: Balazs Engedy <engedy@chromium.org>
Cr-Original-Commit-Position: refs/heads/master@{#550447}
(cherry picked from commit d8232f29e4e8b823a59982f0d43226ca1e465626)
Reviewed-on: https://chromium-review.googlesource.com/1020381
Reviewed-by: Kim Paulhamus <kpaulhamus@chromium.org>
Cr-Commit-Position: refs/branch-heads/3396@{#151}
Cr-Branched-From: 9ef2aa869bc7bc0c089e255d698cca6e47d6b038-refs/heads/master@{#550428}
[add] https://crrev.com/01c6b36b5345607df2aa9ebc9633aeff08e78d5a/third_party/WebKit/LayoutTests/http/tests/credentialmanager/publickeycredential-same-origin-with-ancestors.html
[add] https://crrev.com/01c6b36b5345607df2aa9ebc9633aeff08e78d5a/third_party/WebKit/LayoutTests/http/tests/credentialmanager/resources/echoing-nester.html
[modify] https://crrev.com/01c6b36b5345607df2aa9ebc9633aeff08e78d5a/third_party/WebKit/LayoutTests/http/tests/credentialmanager/resources/publickey-create-helper.html
[modify] https://crrev.com/01c6b36b5345607df2aa9ebc9633aeff08e78d5a/third_party/WebKit/LayoutTests/http/tests/credentialmanager/resources/publickey-get-helper.html
[modify] https://crrev.com/01c6b36b5345607df2aa9ebc9633aeff08e78d5a/third_party/blink/renderer/modules/credentialmanager/credentials_container.cc
