Issue 894642 link

Starred by 2 users

Issue metadata

Status:	Untriaged
Owner:	----
Cc:	creis@chromium.org lukasza@chromium.org alex...@chromium.org wfh@chromium.org
Components:	Internals>Sandbox>SiteIsolation
EstimatedDays:	----
NextAction:	----
OS:	----
Pri:	3
Type:	Bug

Blocking:
issue 786673

Tighten CanAccessDataForOrigin to disallow access when process is not found

Project Member Reported by alex...@chromium.org, Oct 11

Issue description

Currently, we have this in ChildProcessSecurityPolicyImpl::CanAccessDataForOrigin:

  if (state == security_state_.end()) {
    // TODO(nick): Returning true instead of false here is a temporary
    // workaround for  https://crbug.com/600441 
    return true;
  }

 https://crbug.com/600441  is now marked as fixed, but it's not clear whether there are other cases where this can lead to cookie kills.  We should investigate and try to remove this, as having no record of a process shouldn't lead to blindly allowing access to cookies, etc.

►

Issue 894642 link

Issue metadata

Tighten CanAccessDataForOrigin to disallow access when process is not found

Issue description

Sign in to add a comment