PWA installability check does not respect --unsafely-treat-insecure-origin-as-secure flag |
||||||
Issue descriptionChrome Version: 69 OS: All Desktop (and maybe Android) What steps will reproduce the problem? I don't have a working public example; just ran into this on a local server. (1) Find a site that is a valid PWA but running on HTTP (insecure) (2) Quit Chrome, and restart with --unsafely-treat-insecure-origin-as-secure=http://<site-origin> (3) Navigate to http://<site-origin> (4) Open dev tools -> Application -> Manifest (5) Click "Add to home screen" What is the expected result? Adds to home screen, due to the --unsafely-treat-insecure-origin-as-secure flag. What happens instead? "Site cannot be installed: the page is not served from a secure origin" Note that the service worker is able to be registered despite the origin not being secure, due to the --unsafely-treat-insecure-origin-as-secure flag. But the installability check fails. Check is here: https://cs.chromium.org/chromium/src/chrome/browser/installable/installable_manager.cc?l=427 This flag is the recommended work-around for developers testing PWAs on insecure hosts: https://www.chromium.org/blink/serviceworker/service-worker-faq
,
Jul 17
Adding some security folks, since I think this depends on the Chrome-level security check (according to dominickn@, this flag is only respected in Blink).
,
Jul 23
,
Jul 23
There are some other places where the flag is handled in Chrome security state code [1] (such as treating the origin as secure for security indicators UI, e.g. disabling the "Not Secure" label) which is called by the SecurityStateTabHelper in GetSecurityInfo [2], so this may not be too hard to route into the right bits so that it applies to PWA installability. I think the issue may be that the installability check calls IsContentSecure which calls GetSecurityInfo but then returns IsSslCertificateValid rather than returning that the origin is secure [3]. Maybe we could add a "is origin whitelisted" check to short-circuit this but otherwise still require a valid SSL cert for the typical case? [1] https://cs.chromium.org/chromium/src/components/security_state/core/security_state.cc?sq=package:chromium&g=0&l=166 [2] https://cs.chromium.org/chromium/src/chrome/browser/ssl/security_state_tab_helper.cc?l=78 [3] https://cs.chromium.org/chromium/src/chrome/browser/installable/installable_manager.cc?gsn=IsContentSecure&l=79
,
Jul 23
#4: we used to just check the security_level, but this was changed to check the SSL certificate validity in https://chromium-review.googlesource.com/c/chromium/src/+/823152 to allow policy-installed certs to pass on Chrome OS. Is it possible to expose the IsWhitelistedSecureOrigin() [1] method that's current in the anonymous namespace of content/common/origin_util.cc? [1] https://cs.chromium.org/chromium/src/content/common/origin_util.cc?type=cs&q=content/common/origin_util.cc&sq=package:chromium&g=0&l=27
,
Jul 23
Maybe something along the lines of OriginCanAccessServiceWorkers [1] like "OriginCanInstallPWA" (rather than exposing the implementation detail)? But even just moving IsWhitelistedSecureOrigin into the content namespace and using it from security state code seems reasonable. [1] https://cs.chromium.org/chromium/src/content/common/origin_util.cc?type=cs&q=content/common/origin_util.cc&sq=package:chromium&g=0&l=60
,
Jul 23
I don't think we want to codify PWAs and their security requirements as a content/web platform concept (also there are many other checkboxes to tick to be able to install a PWA), so moving IsWhitelistedSecureOrigin and calling that from InstallableManager seems better to me.
,
Jul 23
Good point. I think moving IsWhitelistedSecureOrigin sounds fine.
,
Nov 28
,
Jan 11
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/7a3c17cf8b5c51fdae32ac4151c50c2da4a1a605 commit 7a3c17cf8b5c51fdae32ac4151c50c2da4a1a605 Author: Dominick Ng <dominickn@chromium.org> Date: Fri Jan 11 22:12:02 2019 Allow the installability check to respect --unsafely-treat-insecure-origin-as-secure. InstallableManager uses SecurityStateTabHelper to check the security status of a tab, and strictly verifies the status of the SSL certificate. However, this means that any origins whitelisted using the --unsafely-treat-insecure-origin-as-secure flag are still regarded as insecure for the purposes of the check. This CL allows InstallableManager to respect the flag by exposing content::IsWhitelistedAsSecureOrigin in content/public. This allows the strictness of the check to be maintained whilst allowing users of the flag to have their sites considered as installable (e.g. testing sites on local network IP addresses). BUG= 864391 Change-Id: Id801cc74524e760a1a502dd2a7de7b026cb86c33 Reviewed-on: https://chromium-review.googlesource.com/c/1401830 Commit-Queue: Dominick Ng <dominickn@chromium.org> Reviewed-by: Charlie Reis <creis@chromium.org> Reviewed-by: Ben Wells <benwells@chromium.org> Cr-Commit-Position: refs/heads/master@{#622182} [modify] https://crrev.com/7a3c17cf8b5c51fdae32ac4151c50c2da4a1a605/chrome/browser/installable/installable_manager.cc [modify] https://crrev.com/7a3c17cf8b5c51fdae32ac4151c50c2da4a1a605/chrome/browser/installable/installable_manager.h [modify] https://crrev.com/7a3c17cf8b5c51fdae32ac4151c50c2da4a1a605/chrome/browser/installable/installable_manager_browsertest.cc [modify] https://crrev.com/7a3c17cf8b5c51fdae32ac4151c50c2da4a1a605/content/common/origin_util.cc [modify] https://crrev.com/7a3c17cf8b5c51fdae32ac4151c50c2da4a1a605/content/public/common/origin_util.h
,
Jan 14
Nice, this is important for our developer story.
,
Jan 14
Should be fixed as of 73.0.3669.0 |
||||||
►
Sign in to add a comment |
||||||
Comment 1 by dominickn@chromium.org
, Jul 17