New issue
Advanced search Search tips
Note: Color blocks (like or ) mean that a user may not be available. Tooltip shows the reason.

Issue 841419 link

Starred by 2 users
Status: Fixed
Owner:
awdf@chromium.org
Last visit > 30 days ago
Closed: Aug 2
Cc:
peter@chromium.org
Components:
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: 2
Type: Bug



Sign in to add a comment

Go through the TODOs in web notifications code

Project Member Reported by awdf@chromium.org, May 9 2018 
Go through all the TODOs in notification code to check if there are any  potentially important issues we've forgotten about that should have bugs attached.

Comment 1 by awdf@chromium.org, May 9 2018

Labels: Postmortem-Followup

Comment 2 by awdf@chromium.org, Aug 2

Status: Started (was: Assigned)
Potentially important issues found:

1. "// TODO(awdf): Necessary to validate resources here?"
https://cs.chromium.org/chromium/src/content/browser/notifications/blink_notification_service_impl.cc?l=174&rcl=3e817cb44df3420e9494e2a36d85179a8f336dbf

- Prior to mojofication we rejected notifications if the resources passed from the renderer were larger than the size they should have been scaled down to in the renderer process:

https://chromium.googlesource.com/chromium/src/+/47084bae2a1755b4107436d9f7f01aea72557a31/content/browser/notifications/notification_message_filter.cc#54

- This validation no longer appears to take place, so potentially a compromised renderer could pass very large images and cause an OOM.

Filed Issue 870258


2. "// TODO(peter): Should we do permission checks prior to forwarding to the
  // NotificationEventDispatcher?"
https://cs.chromium.org/chromium/src/chrome/browser/notifications/platform_notification_service_impl.cc?l=210&rcl=3e817cb44df3420e9494e2a36d85179a8f336dbf

- This refers to the potential for forwarding a notificationclose event to an origin that no longer has notification permission. This could potentially represent a privacy leak - if the user has denied a site notification permission then the site should not learn anything about how users interact with its notifications. 

Filed Issue 870255
Project Member

Comment 3 by bugdroid1@chromium.org, Aug 2 

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/ba81d26edff4aa2efdedda6eb534b7a434b51cc5

commit ba81d26edff4aa2efdedda6eb534b7a434b51cc5
Author: Anita Woodruff <awdf@chromium.org>
Date: Thu Aug 02 14:37:07 2018

[Cleanup] Attach bug number to notification TODOs

R=peter@chromium.org

Bug:  841419 
Change-Id: I91e8b4a0d90ed5ef3a1d97068a890e8363d458cd
Reviewed-on: https://chromium-review.googlesource.com/1160309
Reviewed-by: Peter Beverloo <peter@chromium.org>
Commit-Queue: Peter Beverloo <peter@chromium.org>
Cr-Commit-Position: refs/heads/master@{#580175}
[modify] https://crrev.com/ba81d26edff4aa2efdedda6eb534b7a434b51cc5/chrome/browser/notifications/platform_notification_service_impl.cc
[modify] https://crrev.com/ba81d26edff4aa2efdedda6eb534b7a434b51cc5/content/browser/notifications/blink_notification_service_impl.cc

Comment 4 by awdf@chromium.org, Aug 2

Status: Fixed (was: Started)

Sign in to add a comment