Issue 173357: Error diagnostics for Blacklist IO...

idanan

Implemented error reporting for blacklist errors. Pawel is waiting on the change for the extensions ...

11 years, 4 months ago (2009-08-25 18:23:19 UTC) #1

Paweł Hajdan Jr.

Drive-by (and obviously the code I'm going to write will be interfacing with this code). ...

11 years, 4 months ago (2009-08-25 18:34:06 UTC) #2

M-A Ruel

http://codereview.chromium.org/173357/diff/1/10 File chrome/app/generated_resources.grd (right): http://codereview.chromium.org/173357/diff/1/10#newcode4830 Line 4830: Your privacy is no longer protected err, I ...

11 years, 4 months ago (2009-08-25 18:35:05 UTC) #3

idanan

On 2009/08/25 18:35:05, Marc-Antoine Ruel wrote: > http://codereview.chromium.org/173357/diff/1/10 > File chrome/app/generated_resources.grd (right): > > http://codereview.chromium.org/173357/diff/1/10#newcode4830 ...

11 years, 4 months ago (2009-08-25 21:25:16 UTC) #4

Paweł Hajdan Jr.

Some more nits. http://codereview.chromium.org/173357/diff/1015/31 File chrome/app/generated_resources.grd (right): http://codereview.chromium.org/173357/diff/1015/31#newcode4826 Line 4826: <message name="IDS_BLACKLIST_ERROR_LOADING_TITLE" desc="Title of the ...

11 years, 4 months ago (2009-08-25 21:34:56 UTC) #5

idanan_google.com

Good catch on the typo. All done. Will upload shortly. - Itai On Tue, Aug ...

11 years, 4 months ago (2009-08-25 21:40:52 UTC) #6

idanan

OK. Uploaded and fixed comments. Had to ifdef out for non-windows platforms usage of BlacklistErrorDialog ...

11 years, 4 months ago (2009-08-25 22:21:46 UTC) #7

Paweł Hajdan Jr.

Seems like some too clever tool reformated one file... After fixing that, LGTM (but please ...

11 years, 4 months ago (2009-08-25 23:23:10 UTC) #8

idanan_google.com

On Tue, Aug 25, 2009 at 16:23, <phajdan.jr@chromium.org> wrote: > Seems like some too clever ...

11 years, 4 months ago (2009-08-25 23:42:08 UTC) #9

M-A Ruel

http://codereview.chromium.org/173357/diff/1033/48 File chrome/app/generated_resources.grd (right): http://codereview.chromium.org/173357/diff/1033/48#newcode4830 Line 4830: Your privacy is no longer protected I still ...

11 years, 4 months ago (2009-08-26 13:53:40 UTC) #10

idanan

On 2009/08/26 13:53:40, Marc-Antoine Ruel wrote: > http://codereview.chromium.org/173357/diff/1033/48 > File chrome/app/generated_resources.grd (right): > > http://codereview.chromium.org/173357/diff/1033/48#newcode4830 ...

11 years, 4 months ago (2009-08-26 16:46:07 UTC) #11

On 2009/08/26 13:53:40, Marc-Antoine Ruel wrote:
> http://codereview.chromium.org/173357/diff/1033/48
> File chrome/app/generated_resources.grd (right):
> 
> http://codereview.chromium.org/173357/diff/1033/48#newcode4830
> Line 4830: Your privacy is no longer protected
> I still think the messaging is wrong here.

What would you prefer? I think this gives exactly the consequence
of the error, as opposed to something like "Error loading Privacy
Blacklist".

> http://codereview.chromium.org/173357/diff/1033/40
> File chrome/browser/browser_main.cc (right):
> 
> http://codereview.chromium.org/173357/diff/1033/40#newcode555
> Line 555: // TODO(idanan): Enable this for other platforms once the
dispatching
> support
> 80 cols, you should take a look at
> http://dev.chromium.org/developers/how-tos/visualstudio-tricks
> 
> http://codereview.chromium.org/173357/diff/1033/40#newcode560
> Line 560: #endif
> do a 
> if ...
> return ResultCodes::NORMAL_EXIT;
> #else
> return ResultCodes::NORMAL_EXIT;
> #endif
> 
> otherwise the code alignment is messy.
Done.

> http://codereview.chromium.org/173357/diff/1033/45
> File chrome/browser/privacy_blacklist/blacklist.cc (right):
> 
> http://codereview.chromium.org/173357/diff/1033/45#newcode66
> Line 66: bool Blacklist::Matches(const std::string& pattern, const
std::string&
> url) {
> Shouldn't you add DCHECK(is_good()); in a few functions?
I could but is_good is only designed to be checked once, upon initialization.
The blacklist never goes from good to bad.

> http://codereview.chromium.org/173357/diff/1033/45#newcode163
> Line 163: Blacklist::Blacklist(const FilePath& file) : is_good_(false) {
> Doesn't is_good_ puts unnecessary burden on the callers? Shouldn't the list
just
> be empty when the list failed to load? That's fine to have a signal to verify
> that but you don't cleanup providers_ when it fails latter.

No because it only needs to be checked once. The reason there is even an
is good function is because of dependencies which meant I could not do 
the UI dialog right in the blacklist.

> http://codereview.chromium.org/173357/diff/1033/46
> File chrome/browser/privacy_blacklist/blacklist.h (right):
> 
> http://codereview.chromium.org/173357/diff/1033/46#newcode161
> Line 161: // Returns true if the blacklist object is in good health.
> Could be further shortened to:
> "Is the blacklist object in good health"
> 
> But, in the end, do you really need that? See .cc comment.

As I just said, it is needed to break the dependencies so that we
can show the user when it does not load. It is extremely important
that we do so because otherwise users would have a false impression
about how their privacy is protected.

> http://codereview.chromium.org/173357/diff/1033/41
> File chrome/browser/privacy_blacklist/blacklist_io.cc (right):
> 
> http://codereview.chromium.org/173357/diff/1033/41#newcode139
> Line 139: last_error_ = ASCIIToUTF16("Unexpected ( in attribute parameters.");
> 80 cols
Done.

> http://codereview.chromium.org/173357/diff/1033/42
> File chrome/browser/privacy_blacklist/blacklist_io.h (right):
> 
> http://codereview.chromium.org/173357/diff/1033/42#newcode30
> Line 30: const string16& last_error() const {
> nit: I think this design would badly degrade in failure mode. Imagine an
> overflow of blacklisted IO, that would significantly increase the memory usage
> if the string is large. Especially that it would always be the same string.
> Also, I think it's too deep to keep localized data.

Not sure I understand but you should know that this I/O code is only invoked
by the extension installation code which Pawel is writing. Chrome would not
check these once the the blacklists are installed and compiled.

> http://codereview.chromium.org/173357/diff/1033/43
> File chrome/browser/privacy_blacklist/blacklist_store.cc (right):
> 
> http://codereview.chromium.org/173357/diff/1033/43#newcode126
> Line 126: if (uint32 n = ReadUInt()) {
> Shouldn't you put an arbitrary upper limit for a valid supported range?

I did not see a point to do anything arbitrary, but I can if you really
want me too.

- Itai

M-A Ruel

On 2009/08/26 16:46:07, idanan wrote: > On 2009/08/26 13:53:40, Marc-Antoine Ruel wrote: > > http://codereview.chromium.org/173357/diff/1033/48 ...

11 years, 4 months ago (2009-08-26 17:14:08 UTC) #12

On 2009/08/26 16:46:07, idanan wrote:
> On 2009/08/26 13:53:40, Marc-Antoine Ruel wrote:
> > http://codereview.chromium.org/173357/diff/1033/48
> > File chrome/app/generated_resources.grd (right):
> > 
> > http://codereview.chromium.org/173357/diff/1033/48#newcode4830
> > Line 4830: Your privacy is no longer protected
> > I still think the messaging is wrong here.
> 
> What would you prefer? I think this gives exactly the consequence
> of the error, as opposed to something like "Error loading Privacy
> Blacklist".

To me, the failure to load the privacy blacklist is *AT MOST* a toolbar popup,
like the 'do you want to save password' or 'set chrome as default browser'. If I
want to browse the web *now* I probably don't care that the privacy blacklist
failed to load, and I want even less be scared by a message telling me that my
privacy is suddenly invaded by obscure stuff. The information in this message is
at best misleading. I definitely want the point of view of someone in the UI
team for that.

In any case, the privacy list loading should be asynchronous and non blocking,
so even if the first socket connections starts without the list being fully
loaded, I probably wouldn't care.

Since the list loading should probably be asynchronous, this doesn't deserve a
synchronous popup.


> > http://codereview.chromium.org/173357/diff/1033/45
> > File chrome/browser/privacy_blacklist/blacklist.cc (right):
> > 
> > http://codereview.chromium.org/173357/diff/1033/45#newcode66
> > Line 66: bool Blacklist::Matches(const std::string& pattern, const
> std::string&
> > url) {
> > Shouldn't you add DCHECK(is_good()); in a few functions?
> I could but is_good is only designed to be checked once, upon initialization.
> The blacklist never goes from good to bad.

You know that. Does the function callers in 2 years will remember that?


> > http://codereview.chromium.org/173357/diff/1033/45#newcode163
> > Line 163: Blacklist::Blacklist(const FilePath& file) : is_good_(false) {
> > Doesn't is_good_ puts unnecessary burden on the callers? Shouldn't the list
> just
> > be empty when the list failed to load? That's fine to have a signal to
verify
> > that but you don't cleanup providers_ when it fails latter.
> 
> No because it only needs to be checked once. The reason there is even an
> is good function is because of dependencies which meant I could not do 
> the UI dialog right in the blacklist.
> 
> > http://codereview.chromium.org/173357/diff/1033/46
> > File chrome/browser/privacy_blacklist/blacklist.h (right):
> > 
> > http://codereview.chromium.org/173357/diff/1033/46#newcode161
> > Line 161: // Returns true if the blacklist object is in good health.
> > Could be further shortened to:
> > "Is the blacklist object in good health"
> > 
> > But, in the end, do you really need that? See .cc comment.
> 
> As I just said, it is needed to break the dependencies so that we
> can show the user when it does not load. It is extremely important
> that we do so because otherwise users would have a false impression
> about how their privacy is protected.

My point is roughly that 'good' has different meaning. You probably want to know
if the list is 'valid()' or not. But even though, if the list is not valid,
what's the deal? Frankly, I'd want the point of view of someone else on that
since I'm not a fan of surfacing too many errors.


> > http://codereview.chromium.org/173357/diff/1033/42
> > File chrome/browser/privacy_blacklist/blacklist_io.h (right):
> > 
> > http://codereview.chromium.org/173357/diff/1033/42#newcode30
> > Line 30: const string16& last_error() const {
> > nit: I think this design would badly degrade in failure mode. Imagine an
> > overflow of blacklisted IO, that would significantly increase the memory
usage
> > if the string is large. Especially that it would always be the same string.
> > Also, I think it's too deep to keep localized data.
> 
> Not sure I understand but you should know that this I/O code is only invoked
> by the extension installation code which Pawel is writing. Chrome would not
> check these once the the blacklists are installed and compiled.

ok, but if you look at the rest of the chrome code, we usually don't surface low
level errors like "file read failed" or things like that.


> > http://codereview.chromium.org/173357/diff/1033/43
> > File chrome/browser/privacy_blacklist/blacklist_store.cc (right):
> > 
> > http://codereview.chromium.org/173357/diff/1033/43#newcode126
> > Line 126: if (uint32 n = ReadUInt()) {
> > Shouldn't you put an arbitrary upper limit for a valid supported range?
> 
> I did not see a point to do anything arbitrary, but I can if you really
> want me too.

Simplest path to DoS. All your cute error messages won't do a thing about the
crash that will occur when you try to load an invalid file that simply gobs all
the available memory.

M-A

idanan_google.com

On Wed, Aug 26, 2009 at 10:14, <maruel@chromium.org> wrote: > On 2009/08/26 16:46:07, idanan wrote: ...

11 years, 4 months ago (2009-08-26 17:26:07 UTC) #13

On Wed, Aug 26, 2009 at 10:14, <maruel@chromium.org> wrote:
> On 2009/08/26 16:46:07, idanan wrote:
>>
>> On 2009/08/26 13:53:40, Marc-Antoine Ruel wrote:
>> > http://codereview.chromium.org/173357/diff/1033/48
>> > File chrome/app/generated_resources.grd (right):
>> >
>> > http://codereview.chromium.org/173357/diff/1033/48#newcode4830
>> > Line 4830: Your privacy is no longer protected
>> > I still think the messaging is wrong here.
>
>> What would you prefer? I think this gives exactly the consequence
>> of the error, as opposed to something like "Error loading Privacy
>> Blacklist".
>
> To me, the failure to load the privacy blacklist is *AT MOST* a toolbar
> popup, like the 'do you want to save password' or 'set chrome as default
> browser'. If I want to browse the web *now* I probably don't care that
> the privacy blacklist failed to load, and I want even less be scared by
> a message telling me that my privacy is suddenly invaded by obscure
> stuff. The information in this message is at best misleading. I
> definitely want the point of view of someone in the UI team for that.
>
> In any case, the privacy list loading should be asynchronous and non
> blocking, so even if the first socket connections starts without the
> list being fully loaded, I probably wouldn't care.
>
> Since the list loading should probably be asynchronous, this doesn't
> deserve a synchronous popup.

Sorry but I strongly disagree here. Every access must be checked against
the blacklist, we can't load it later because if users don't want to
send cookies
or something, they don't want us to send them while we wait for the blacklist
to be loaded. If the blacklist fails to load, which should be a rare occurrence
because we are talking about the compiled blacklist here (disk corruption
or incorrect command line are the two possibilities), the user must know and
acknowledge that their privacy is not protected the way they chose by installing
their blacklists. If you don't care about privacy and have no
blacklists, none of
this will every show.

>> > http://codereview.chromium.org/173357/diff/1033/45
>> > File chrome/browser/privacy_blacklist/blacklist.cc (right):
>> >
>> > http://codereview.chromium.org/173357/diff/1033/45#newcode66
>> > Line 66: bool Blacklist::Matches(const std::string& pattern, const
>> std::string&
>> > url) {
>> > Shouldn't you add DCHECK(is_good()); in a few functions?
>> I could but is_good is only designed to be checked once, upon
>
> initialization.
>>
>> The blacklist never goes from good to bad.
>
> You know that. Does the function callers in 2 years will remember that?

OK, fair.

>> > http://codereview.chromium.org/173357/diff/1033/45#newcode163
>> > Line 163: Blacklist::Blacklist(const FilePath& file) :
>
> is_good_(false) {
>>
>> > Doesn't is_good_ puts unnecessary burden on the callers? Shouldn't
>
> the list
>>
>> just
>> > be empty when the list failed to load? That's fine to have a signal
>
> to verify
>>
>> > that but you don't cleanup providers_ when it fails latter.
>
>> No because it only needs to be checked once. The reason there is even
>
> an
>>
>> is good function is because of dependencies which meant I could not do
>
>> the UI dialog right in the blacklist.
>
>> > http://codereview.chromium.org/173357/diff/1033/46
>> > File chrome/browser/privacy_blacklist/blacklist.h (right):
>> >
>> > http://codereview.chromium.org/173357/diff/1033/46#newcode161
>> > Line 161: // Returns true if the blacklist object is in good health.
>> > Could be further shortened to:
>> > "Is the blacklist object in good health"
>> >
>> > But, in the end, do you really need that? See .cc comment.
>
>> As I just said, it is needed to break the dependencies so that we
>> can show the user when it does not load. It is extremely important
>> that we do so because otherwise users would have a false impression
>> about how their privacy is protected.
>
> My point is roughly that 'good' has different meaning. You probably want
> to know if the list is 'valid()' or not. But even though, if the list is
> not valid, what's the deal? Frankly, I'd want the point of view of
> someone else on that since I'm not a fan of surfacing too many errors.
>
>
>> > http://codereview.chromium.org/173357/diff/1033/42
>> > File chrome/browser/privacy_blacklist/blacklist_io.h (right):
>> >
>> > http://codereview.chromium.org/173357/diff/1033/42#newcode30
>> > Line 30: const string16& last_error() const {
>> > nit: I think this design would badly degrade in failure mode.
>
> Imagine an
>>
>> > overflow of blacklisted IO, that would significantly increase the
>
> memory usage
>>
>> > if the string is large. Especially that it would always be the same
>
> string.
>>
>> > Also, I think it's too deep to keep localized data.
>
>> Not sure I understand but you should know that this I/O code is only
>
> invoked
>>
>> by the extension installation code which Pawel is writing. Chrome
>
> would not
>>
>> check these once the the blacklists are installed and compiled.
>
> ok, but if you look at the rest of the chrome code, we usually don't
> surface low level errors like "file read failed" or things like that.

We don't except for developer messages I was told. That is why these messages
are not i18n. It is mostly for the ones developing and validating the
blacklists. Pawel
is writing the front-end code that uses this.

>> > http://codereview.chromium.org/173357/diff/1033/43
>> > File chrome/browser/privacy_blacklist/blacklist_store.cc (right):
>> >
>> > http://codereview.chromium.org/173357/diff/1033/43#newcode126
>> > Line 126: if (uint32 n = ReadUInt()) {
>> > Shouldn't you put an arbitrary upper limit for a valid supported
>
> range?
>
>> I did not see a point to do anything arbitrary, but I can if you
>
> really
>>
>> want me too.
>
> Simplest path to DoS. All your cute error messages won't do a thing
> about the crash that will occur when you try to load an invalid file
> that simply gobs all the available memory.

OK. That's something new!

- Itai

> M-A
>
> http://codereview.chromium.org/173357
>

Ben Goodger (Google)

Hi Itai, Can you send Glen and I a screenshot of your dialog box, and ...

11 years, 4 months ago (2009-08-26 17:33:43 UTC) #14

brian

Please do not check in "Your privacy is no longer protected." It overstates the problem. ...

11 years, 3 months ago (2009-08-27 21:50:35 UTC) #15

Please do not check in "Your privacy is no longer protected." It overstates
the problem.
For now, "Privacy blacklist failed to load" will do. I don't understand what
cancel does in this case though.

On Wed, Aug 26, 2009 at 10:25 AM, Itai Danan <idanan@google.com> wrote:

>
> On Wed, Aug 26, 2009 at 10:14, <maruel@chromium.org> wrote:
> > On 2009/08/26 16:46:07, idanan wrote:
> >>
> >> On 2009/08/26 13:53:40, Marc-Antoine Ruel wrote:
> >> > http://codereview.chromium.org/173357/diff/1033/48
> >> > File chrome/app/generated_resources.grd (right):
> >> >
> >> > http://codereview.chromium.org/173357/diff/1033/48#newcode4830
> >> > Line 4830: Your privacy is no longer protected
> >> > I still think the messaging is wrong here.
> >
> >> What would you prefer? I think this gives exactly the consequence
> >> of the error, as opposed to something like "Error loading Privacy
> >> Blacklist".
> >
> > To me, the failure to load the privacy blacklist is *AT MOST* a toolbar
> > popup, like the 'do you want to save password' or 'set chrome as default
> > browser'. If I want to browse the web *now* I probably don't care that
> > the privacy blacklist failed to load, and I want even less be scared by
> > a message telling me that my privacy is suddenly invaded by obscure
> > stuff. The information in this message is at best misleading. I
> > definitely want the point of view of someone in the UI team for that.
> >
> > In any case, the privacy list loading should be asynchronous and non
> > blocking, so even if the first socket connections starts without the
> > list being fully loaded, I probably wouldn't care.
> >
> > Since the list loading should probably be asynchronous, this doesn't
> > deserve a synchronous popup.
>
> Sorry but I strongly disagree here. Every access must be checked against
> the blacklist, we can't load it later because if users don't want to
> send cookies
> or something, they don't want us to send them while we wait for the
> blacklist
> to be loaded. If the blacklist fails to load, which should be a rare
> occurrence
> because we are talking about the compiled blacklist here (disk corruption
> or incorrect command line are the two possibilities), the user must know
> and
> acknowledge that their privacy is not protected the way they chose by
> installing
> their blacklists. If you don't care about privacy and have no
> blacklists, none of
> this will every show.
>
> >> > http://codereview.chromium.org/173357/diff/1033/45
> >> > File chrome/browser/privacy_blacklist/blacklist.cc (right):
> >> >
> >> > http://codereview.chromium.org/173357/diff/1033/45#newcode66
> >> > Line 66: bool Blacklist::Matches(const std::string& pattern, const
> >> std::string&
> >> > url) {
> >> > Shouldn't you add DCHECK(is_good()); in a few functions?
> >> I could but is_good is only designed to be checked once, upon
> >
> > initialization.
> >>
> >> The blacklist never goes from good to bad.
> >
> > You know that. Does the function callers in 2 years will remember that?
>
> OK, fair.
>
> >> > http://codereview.chromium.org/173357/diff/1033/45#newcode163
> >> > Line 163: Blacklist::Blacklist(const FilePath& file) :
> >
> > is_good_(false) {
> >>
> >> > Doesn't is_good_ puts unnecessary burden on the callers? Shouldn't
> >
> > the list
> >>
> >> just
> >> > be empty when the list failed to load? That's fine to have a signal
> >
> > to verify
> >>
> >> > that but you don't cleanup providers_ when it fails latter.
> >
> >> No because it only needs to be checked once. The reason there is even
> >
> > an
> >>
> >> is good function is because of dependencies which meant I could not do
> >
> >> the UI dialog right in the blacklist.
> >
> >> > http://codereview.chromium.org/173357/diff/1033/46
> >> > File chrome/browser/privacy_blacklist/blacklist.h (right):
> >> >
> >> > http://codereview.chromium.org/173357/diff/1033/46#newcode161
> >> > Line 161: // Returns true if the blacklist object is in good health.
> >> > Could be further shortened to:
> >> > "Is the blacklist object in good health"
> >> >
> >> > But, in the end, do you really need that? See .cc comment.
> >
> >> As I just said, it is needed to break the dependencies so that we
> >> can show the user when it does not load. It is extremely important
> >> that we do so because otherwise users would have a false impression
> >> about how their privacy is protected.
> >
> > My point is roughly that 'good' has different meaning. You probably want
> > to know if the list is 'valid()' or not. But even though, if the list is
> > not valid, what's the deal? Frankly, I'd want the point of view of
> > someone else on that since I'm not a fan of surfacing too many errors.
> >
> >
> >> > http://codereview.chromium.org/173357/diff/1033/42
> >> > File chrome/browser/privacy_blacklist/blacklist_io.h (right):
> >> >
> >> > http://codereview.chromium.org/173357/diff/1033/42#newcode30
> >> > Line 30: const string16& last_error() const {
> >> > nit: I think this design would badly degrade in failure mode.
> >
> > Imagine an
> >>
> >> > overflow of blacklisted IO, that would significantly increase the
> >
> > memory usage
> >>
> >> > if the string is large. Especially that it would always be the same
> >
> > string.
> >>
> >> > Also, I think it's too deep to keep localized data.
> >
> >> Not sure I understand but you should know that this I/O code is only
> >
> > invoked
> >>
> >> by the extension installation code which Pawel is writing. Chrome
> >
> > would not
> >>
> >> check these once the the blacklists are installed and compiled.
> >
> > ok, but if you look at the rest of the chrome code, we usually don't
> > surface low level errors like "file read failed" or things like that.
>
> We don't except for developer messages I was told. That is why these
> messages
> are not i18n. It is mostly for the ones developing and validating the
> blacklists. Pawel
> is writing the front-end code that uses this.
>
> >> > http://codereview.chromium.org/173357/diff/1033/43
> >> > File chrome/browser/privacy_blacklist/blacklist_store.cc (right):
> >> >
> >> > http://codereview.chromium.org/173357/diff/1033/43#newcode126
> >> > Line 126: if (uint32 n = ReadUInt()) {
> >> > Shouldn't you put an arbitrary upper limit for a valid supported
> >
> > range?
> >
> >> I did not see a point to do anything arbitrary, but I can if you
> >
> > really
> >>
> >> want me too.
> >
> > Simplest path to DoS. All your cute error messages won't do a thing
> > about the crash that will occur when you try to load an invalid file
> > that simply gobs all the available memory.
>
> OK. That's something new!
>
> - Itai
>
> > M-A
> >
> > http://codereview.chromium.org/173357
> >
>

idanan_google.com

OK for the error message. Cancel lets you not load Chrome and fix the problem, ...

11 years, 3 months ago (2009-08-28 01:27:59 UTC) #16

OK for the error message.

Cancel lets you not load Chrome and fix the problem, just like when
the user profile fails to load
(in case you moved the files, changed permissions too aggressively,
want to restore a backup,
etc).

Those labels could be Continue (instead of OK) and Exit (instead of
Cancel). It might be a bit
clearer but even checked-in, it is not carved in stone. We will have
time to refine this several
times before we enable it for everyone.

- Itai

On Thu, Aug 27, 2009 at 14:50, Brian Rakowski<brian@chromium.org> wrote:
> Please do not check in "Your privacy is no longer protected." It overstates
> the problem.
> For now, "Privacy blacklist failed to load" will do. I don't understand what
> cancel does in this case though.
>
> On Wed, Aug 26, 2009 at 10:25 AM, Itai Danan <idanan@google.com> wrote:
>>
>> On Wed, Aug 26, 2009 at 10:14, <maruel@chromium.org> wrote:
>> > On 2009/08/26 16:46:07, idanan wrote:
>> >>
>> >> On 2009/08/26 13:53:40, Marc-Antoine Ruel wrote:
>> >> > http://codereview.chromium.org/173357/diff/1033/48
>> >> > File chrome/app/generated_resources.grd (right):
>> >> >
>> >> > http://codereview.chromium.org/173357/diff/1033/48#newcode4830
>> >> > Line 4830: Your privacy is no longer protected
>> >> > I still think the messaging is wrong here.
>> >
>> >> What would you prefer? I think this gives exactly the consequence
>> >> of the error, as opposed to something like "Error loading Privacy
>> >> Blacklist".
>> >
>> > To me, the failure to load the privacy blacklist is *AT MOST* a toolbar
>> > popup, like the 'do you want to save password' or 'set chrome as default
>> > browser'. If I want to browse the web *now* I probably don't care that
>> > the privacy blacklist failed to load, and I want even less be scared by
>> > a message telling me that my privacy is suddenly invaded by obscure
>> > stuff. The information in this message is at best misleading. I
>> > definitely want the point of view of someone in the UI team for that.
>> >
>> > In any case, the privacy list loading should be asynchronous and non
>> > blocking, so even if the first socket connections starts without the
>> > list being fully loaded, I probably wouldn't care.
>> >
>> > Since the list loading should probably be asynchronous, this doesn't
>> > deserve a synchronous popup.
>>
>> Sorry but I strongly disagree here. Every access must be checked against
>> the blacklist, we can't load it later because if users don't want to
>> send cookies
>> or something, they don't want us to send them while we wait for the
>> blacklist
>> to be loaded. If the blacklist fails to load, which should be a rare
>> occurrence
>> because we are talking about the compiled blacklist here (disk corruption
>> or incorrect command line are the two possibilities), the user must know
>> and
>> acknowledge that their privacy is not protected the way they chose by
>> installing
>> their blacklists. If you don't care about privacy and have no
>> blacklists, none of
>> this will every show.
>>
>> >> > http://codereview.chromium.org/173357/diff/1033/45
>> >> > File chrome/browser/privacy_blacklist/blacklist.cc (right):
>> >> >
>> >> > http://codereview.chromium.org/173357/diff/1033/45#newcode66
>> >> > Line 66: bool Blacklist::Matches(const std::string& pattern, const
>> >> std::string&
>> >> > url) {
>> >> > Shouldn't you add DCHECK(is_good()); in a few functions?
>> >> I could but is_good is only designed to be checked once, upon
>> >
>> > initialization.
>> >>
>> >> The blacklist never goes from good to bad.
>> >
>> > You know that. Does the function callers in 2 years will remember that?
>>
>> OK, fair.
>>
>> >> > http://codereview.chromium.org/173357/diff/1033/45#newcode163
>> >> > Line 163: Blacklist::Blacklist(const FilePath& file) :
>> >
>> > is_good_(false) {
>> >>
>> >> > Doesn't is_good_ puts unnecessary burden on the callers? Shouldn't
>> >
>> > the list
>> >>
>> >> just
>> >> > be empty when the list failed to load? That's fine to have a signal
>> >
>> > to verify
>> >>
>> >> > that but you don't cleanup providers_ when it fails latter.
>> >
>> >> No because it only needs to be checked once. The reason there is even
>> >
>> > an
>> >>
>> >> is good function is because of dependencies which meant I could not do
>> >
>> >> the UI dialog right in the blacklist.
>> >
>> >> > http://codereview.chromium.org/173357/diff/1033/46
>> >> > File chrome/browser/privacy_blacklist/blacklist.h (right):
>> >> >
>> >> > http://codereview.chromium.org/173357/diff/1033/46#newcode161
>> >> > Line 161: // Returns true if the blacklist object is in good health.
>> >> > Could be further shortened to:
>> >> > "Is the blacklist object in good health"
>> >> >
>> >> > But, in the end, do you really need that? See .cc comment.
>> >
>> >> As I just said, it is needed to break the dependencies so that we
>> >> can show the user when it does not load. It is extremely important
>> >> that we do so because otherwise users would have a false impression
>> >> about how their privacy is protected.
>> >
>> > My point is roughly that 'good' has different meaning. You probably want
>> > to know if the list is 'valid()' or not. But even though, if the list is
>> > not valid, what's the deal? Frankly, I'd want the point of view of
>> > someone else on that since I'm not a fan of surfacing too many errors.
>> >
>> >
>> >> > http://codereview.chromium.org/173357/diff/1033/42
>> >> > File chrome/browser/privacy_blacklist/blacklist_io.h (right):
>> >> >
>> >> > http://codereview.chromium.org/173357/diff/1033/42#newcode30
>> >> > Line 30: const string16& last_error() const {
>> >> > nit: I think this design would badly degrade in failure mode.
>> >
>> > Imagine an
>> >>
>> >> > overflow of blacklisted IO, that would significantly increase the
>> >
>> > memory usage
>> >>
>> >> > if the string is large. Especially that it would always be the same
>> >
>> > string.
>> >>
>> >> > Also, I think it's too deep to keep localized data.
>> >
>> >> Not sure I understand but you should know that this I/O code is only
>> >
>> > invoked
>> >>
>> >> by the extension installation code which Pawel is writing. Chrome
>> >
>> > would not
>> >>
>> >> check these once the the blacklists are installed and compiled.
>> >
>> > ok, but if you look at the rest of the chrome code, we usually don't
>> > surface low level errors like "file read failed" or things like that.
>>
>> We don't except for developer messages I was told. That is why these
>> messages
>> are not i18n. It is mostly for the ones developing and validating the
>> blacklists. Pawel
>> is writing the front-end code that uses this.
>>
>> >> > http://codereview.chromium.org/173357/diff/1033/43
>> >> > File chrome/browser/privacy_blacklist/blacklist_store.cc (right):
>> >> >
>> >> > http://codereview.chromium.org/173357/diff/1033/43#newcode126
>> >> > Line 126: if (uint32 n = ReadUInt()) {
>> >> > Shouldn't you put an arbitrary upper limit for a valid supported
>> >
>> > range?
>> >
>> >> I did not see a point to do anything arbitrary, but I can if you
>> >
>> > really
>> >>
>> >> want me too.
>> >
>> > Simplest path to DoS. All your cute error messages won't do a thing
>> > about the crash that will occur when you try to load an invalid file
>> > that simply gobs all the available memory.
>>
>> OK. That's something new!
>>
>> - Itai
>>
>> > M-A
>> >
>> > http://codereview.chromium.org/173357
>> >
>
>

Glen Murphy

As long as this UI is behind a flag that we don't tell that many ...

11 years, 3 months ago (2009-09-01 22:27:11 UTC) #17

As long as this UI is behind a flag that we don't tell that many
people about, I'm OK with including it for now. I'd rather we have
Continue / Exit, though.



On Thu, Aug 27, 2009 at 3:00 PM, Itai Danan <idanan@google.com> wrote:
> OK for the error message.
>
> Cancel lets you not load Chrome and fix the problem, just like when
> the user profile fails to load
> (in case you moved the files, changed permissions too aggressively,
> want to restore a backup,
> etc).
>
> Those labels could be Continue (instead of OK) and Exit (instead of
> Cancel). It might be a bit
> clearer but even checked-in, it is not carved in stone. We will have
> time to refine this several
> times before we enable it for everyone.
>
> - Itai
>
> On Thu, Aug 27, 2009 at 14:50, Brian Rakowski<brian@chromium.org> wrote:
>> Please do not check in "Your privacy is no longer protected." It overstates
>> the problem.
>> For now, "Privacy blacklist failed to load" will do. I don't understand what
>> cancel does in this case though.
>>
>> On Wed, Aug 26, 2009 at 10:25 AM, Itai Danan <idanan@google.com> wrote:
>>>
>>> On Wed, Aug 26, 2009 at 10:14, <maruel@chromium.org> wrote:
>>> > On 2009/08/26 16:46:07, idanan wrote:
>>> >>
>>> >> On 2009/08/26 13:53:40, Marc-Antoine Ruel wrote:
>>> >> > http://codereview.chromium.org/173357/diff/1033/48
>>> >> > File chrome/app/generated_resources.grd (right):
>>> >> >
>>> >> > http://codereview.chromium.org/173357/diff/1033/48#newcode4830
>>> >> > Line 4830: Your privacy is no longer protected
>>> >> > I still think the messaging is wrong here.
>>> >
>>> >> What would you prefer? I think this gives exactly the consequence
>>> >> of the error, as opposed to something like "Error loading Privacy
>>> >> Blacklist".
>>> >
>>> > To me, the failure to load the privacy blacklist is *AT MOST* a toolbar
>>> > popup, like the 'do you want to save password' or 'set chrome as default
>>> > browser'. If I want to browse the web *now* I probably don't care that
>>> > the privacy blacklist failed to load, and I want even less be scared by
>>> > a message telling me that my privacy is suddenly invaded by obscure
>>> > stuff. The information in this message is at best misleading. I
>>> > definitely want the point of view of someone in the UI team for that.
>>> >
>>> > In any case, the privacy list loading should be asynchronous and non
>>> > blocking, so even if the first socket connections starts without the
>>> > list being fully loaded, I probably wouldn't care.
>>> >
>>> > Since the list loading should probably be asynchronous, this doesn't
>>> > deserve a synchronous popup.
>>>
>>> Sorry but I strongly disagree here. Every access must be checked against
>>> the blacklist, we can't load it later because if users don't want to
>>> send cookies
>>> or something, they don't want us to send them while we wait for the
>>> blacklist
>>> to be loaded. If the blacklist fails to load, which should be a rare
>>> occurrence
>>> because we are talking about the compiled blacklist here (disk corruption
>>> or incorrect command line are the two possibilities), the user must know
>>> and
>>> acknowledge that their privacy is not protected the way they chose by
>>> installing
>>> their blacklists. If you don't care about privacy and have no
>>> blacklists, none of
>>> this will every show.
>>>
>>> >> > http://codereview.chromium.org/173357/diff/1033/45
>>> >> > File chrome/browser/privacy_blacklist/blacklist.cc (right):
>>> >> >
>>> >> > http://codereview.chromium.org/173357/diff/1033/45#newcode66
>>> >> > Line 66: bool Blacklist::Matches(const std::string& pattern, const
>>> >> std::string&
>>> >> > url) {
>>> >> > Shouldn't you add DCHECK(is_good()); in a few functions?
>>> >> I could but is_good is only designed to be checked once, upon
>>> >
>>> > initialization.
>>> >>
>>> >> The blacklist never goes from good to bad.
>>> >
>>> > You know that. Does the function callers in 2 years will remember that?
>>>
>>> OK, fair.
>>>
>>> >> > http://codereview.chromium.org/173357/diff/1033/45#newcode163
>>> >> > Line 163: Blacklist::Blacklist(const FilePath& file) :
>>> >
>>> > is_good_(false) {
>>> >>
>>> >> > Doesn't is_good_ puts unnecessary burden on the callers? Shouldn't
>>> >
>>> > the list
>>> >>
>>> >> just
>>> >> > be empty when the list failed to load? That's fine to have a signal
>>> >
>>> > to verify
>>> >>
>>> >> > that but you don't cleanup providers_ when it fails latter.
>>> >
>>> >> No because it only needs to be checked once. The reason there is even
>>> >
>>> > an
>>> >>
>>> >> is good function is because of dependencies which meant I could not do
>>> >
>>> >> the UI dialog right in the blacklist.
>>> >
>>> >> > http://codereview.chromium.org/173357/diff/1033/46
>>> >> > File chrome/browser/privacy_blacklist/blacklist.h (right):
>>> >> >
>>> >> > http://codereview.chromium.org/173357/diff/1033/46#newcode161
>>> >> > Line 161: // Returns true if the blacklist object is in good health.
>>> >> > Could be further shortened to:
>>> >> > "Is the blacklist object in good health"
>>> >> >
>>> >> > But, in the end, do you really need that? See .cc comment.
>>> >
>>> >> As I just said, it is needed to break the dependencies so that we
>>> >> can show the user when it does not load. It is extremely important
>>> >> that we do so because otherwise users would have a false impression
>>> >> about how their privacy is protected.
>>> >
>>> > My point is roughly that 'good' has different meaning. You probably want
>>> > to know if the list is 'valid()' or not. But even though, if the list is
>>> > not valid, what's the deal? Frankly, I'd want the point of view of
>>> > someone else on that since I'm not a fan of surfacing too many errors.
>>> >
>>> >
>>> >> > http://codereview.chromium.org/173357/diff/1033/42
>>> >> > File chrome/browser/privacy_blacklist/blacklist_io.h (right):
>>> >> >
>>> >> > http://codereview.chromium.org/173357/diff/1033/42#newcode30
>>> >> > Line 30: const string16& last_error() const {
>>> >> > nit: I think this design would badly degrade in failure mode.
>>> >
>>> > Imagine an
>>> >>
>>> >> > overflow of blacklisted IO, that would significantly increase the
>>> >
>>> > memory usage
>>> >>
>>> >> > if the string is large. Especially that it would always be the same
>>> >
>>> > string.
>>> >>
>>> >> > Also, I think it's too deep to keep localized data.
>>> >
>>> >> Not sure I understand but you should know that this I/O code is only
>>> >
>>> > invoked
>>> >>
>>> >> by the extension installation code which Pawel is writing. Chrome
>>> >
>>> > would not
>>> >>
>>> >> check these once the the blacklists are installed and compiled.
>>> >
>>> > ok, but if you look at the rest of the chrome code, we usually don't
>>> > surface low level errors like "file read failed" or things like that.
>>>
>>> We don't except for developer messages I was told. That is why these
>>> messages
>>> are not i18n. It is mostly for the ones developing and validating the
>>> blacklists. Pawel
>>> is writing the front-end code that uses this.
>>>
>>> >> > http://codereview.chromium.org/173357/diff/1033/43
>>> >> > File chrome/browser/privacy_blacklist/blacklist_store.cc (right):
>>> >> >
>>> >> > http://codereview.chromium.org/173357/diff/1033/43#newcode126
>>> >> > Line 126: if (uint32 n = ReadUInt()) {
>>> >> > Shouldn't you put an arbitrary upper limit for a valid supported
>>> >
>>> > range?
>>> >
>>> >> I did not see a point to do anything arbitrary, but I can if you
>>> >
>>> > really
>>> >>
>>> >> want me too.
>>> >
>>> > Simplest path to DoS. All your cute error messages won't do a thing
>>> > about the crash that will occur when you try to load an invalid file
>>> > that simply gobs all the available memory.
>>>
>>> OK. That's something new!
>>>
>>> - Itai
>>>
>>> > M-A
>>> >
>>> > http://codereview.chromium.org/173357
>>> >
>>
>>
>



-- 
Reminder: I will be on vacation from September 17 - 30, and will
probably be out of internet range (Egypt) until the 27th (Paris).

idanan

Great thanks. I've renamed the buttons (and i18n'd them) to Continue exit and I will ...

11 years, 3 months ago (2009-09-10 18:06:50 UTC) #18

Great thanks. I've renamed the buttons (and i18n'd them) to
Continue exit and I will put in the patch shortly.

- Itai

PS: For some reason I did not get your reply to this in my inbox,
all other ones made it, so I just found it.

On 2009/09/01 22:27:11, Glen Murphy wrote:
> As long as this UI is behind a flag that we don't tell that many
> people about, I'm OK with including it for now. I'd rather we have
> Continue / Exit, though.
> 
> 
> 
> On Thu, Aug 27, 2009 at 3:00 PM, Itai Danan <mailto:idanan@google.com> wrote:
> > OK for the error message.
> >
> > Cancel lets you not load Chrome and fix the problem, just like when
> > the user profile fails to load
> > (in case you moved the files, changed permissions too aggressively,
> > want to restore a backup,
> > etc).
> >
> > Those labels could be Continue (instead of OK) and Exit (instead of
> > Cancel). It might be a bit
> > clearer but even checked-in, it is not carved in stone. We will have
> > time to refine this several
> > times before we enable it for everyone.
> >
> > - Itai
> >
> > On Thu, Aug 27, 2009 at 14:50, Brian mailto:Rakowski<brian@chromium.org>
wrote:
> >> Please do not check in "Your privacy is no longer protected." It overstates
> >> the problem.
> >> For now, "Privacy blacklist failed to load" will do. I don't understand
what
> >> cancel does in this case though.
> >>
> >> On Wed, Aug 26, 2009 at 10:25 AM, Itai Danan <mailto:idanan@google.com>
wrote:
> >>>
> >>> On Wed, Aug 26, 2009 at 10:14, <mailto:maruel@chromium.org> wrote:
> >>> > On 2009/08/26 16:46:07, idanan wrote:
> >>> >>
> >>> >> On 2009/08/26 13:53:40, Marc-Antoine Ruel wrote:
> >>> >> > http://codereview.chromium.org/173357/diff/1033/48
> >>> >> > File chrome/app/generated_resources.grd (right):
> >>> >> >
> >>> >> > http://codereview.chromium.org/173357/diff/1033/48#newcode4830
> >>> >> > Line 4830: Your privacy is no longer protected
> >>> >> > I still think the messaging is wrong here.
> >>> >
> >>> >> What would you prefer? I think this gives exactly the consequence
> >>> >> of the error, as opposed to something like "Error loading Privacy
> >>> >> Blacklist".
> >>> >
> >>> > To me, the failure to load the privacy blacklist is *AT MOST* a toolbar
> >>> > popup, like the 'do you want to save password' or 'set chrome as default
> >>> > browser'. If I want to browse the web *now* I probably don't care that
> >>> > the privacy blacklist failed to load, and I want even less be scared by
> >>> > a message telling me that my privacy is suddenly invaded by obscure
> >>> > stuff. The information in this message is at best misleading. I
> >>> > definitely want the point of view of someone in the UI team for that.
> >>> >
> >>> > In any case, the privacy list loading should be asynchronous and non
> >>> > blocking, so even if the first socket connections starts without the
> >>> > list being fully loaded, I probably wouldn't care.
> >>> >
> >>> > Since the list loading should probably be asynchronous, this doesn't
> >>> > deserve a synchronous popup.
> >>>
> >>> Sorry but I strongly disagree here. Every access must be checked against
> >>> the blacklist, we can't load it later because if users don't want to
> >>> send cookies
> >>> or something, they don't want us to send them while we wait for the
> >>> blacklist
> >>> to be loaded. If the blacklist fails to load, which should be a rare
> >>> occurrence
> >>> because we are talking about the compiled blacklist here (disk corruption
> >>> or incorrect command line are the two possibilities), the user must know
> >>> and
> >>> acknowledge that their privacy is not protected the way they chose by
> >>> installing
> >>> their blacklists. If you don't care about privacy and have no
> >>> blacklists, none of
> >>> this will every show.
> >>>
> >>> >> > http://codereview.chromium.org/173357/diff/1033/45
> >>> >> > File chrome/browser/privacy_blacklist/blacklist.cc (right):
> >>> >> >
> >>> >> > http://codereview.chromium.org/173357/diff/1033/45#newcode66
> >>> >> > Line 66: bool Blacklist::Matches(const std::string& pattern, const
> >>> >> std::string&
> >>> >> > url) {
> >>> >> > Shouldn't you add DCHECK(is_good()); in a few functions?
> >>> >> I could but is_good is only designed to be checked once, upon
> >>> >
> >>> > initialization.
> >>> >>
> >>> >> The blacklist never goes from good to bad.
> >>> >
> >>> > You know that. Does the function callers in 2 years will remember that?
> >>>
> >>> OK, fair.
> >>>
> >>> >> > http://codereview.chromium.org/173357/diff/1033/45#newcode163
> >>> >> > Line 163: Blacklist::Blacklist(const FilePath& file) :
> >>> >
> >>> > is_good_(false) {
> >>> >>
> >>> >> > Doesn't is_good_ puts unnecessary burden on the callers? Shouldn't
> >>> >
> >>> > the list
> >>> >>
> >>> >> just
> >>> >> > be empty when the list failed to load? That's fine to have a signal
> >>> >
> >>> > to verify
> >>> >>
> >>> >> > that but you don't cleanup providers_ when it fails latter.
> >>> >
> >>> >> No because it only needs to be checked once. The reason there is even
> >>> >
> >>> > an
> >>> >>
> >>> >> is good function is because of dependencies which meant I could not do
> >>> >
> >>> >> the UI dialog right in the blacklist.
> >>> >
> >>> >> > http://codereview.chromium.org/173357/diff/1033/46
> >>> >> > File chrome/browser/privacy_blacklist/blacklist.h (right):
> >>> >> >
> >>> >> > http://codereview.chromium.org/173357/diff/1033/46#newcode161
> >>> >> > Line 161: // Returns true if the blacklist object is in good health.
> >>> >> > Could be further shortened to:
> >>> >> > "Is the blacklist object in good health"
> >>> >> >
> >>> >> > But, in the end, do you really need that? See .cc comment.
> >>> >
> >>> >> As I just said, it is needed to break the dependencies so that we
> >>> >> can show the user when it does not load. It is extremely important
> >>> >> that we do so because otherwise users would have a false impression
> >>> >> about how their privacy is protected.
> >>> >
> >>> > My point is roughly that 'good' has different meaning. You probably want
> >>> > to know if the list is 'valid()' or not. But even though, if the list is
> >>> > not valid, what's the deal? Frankly, I'd want the point of view of
> >>> > someone else on that since I'm not a fan of surfacing too many errors.
> >>> >
> >>> >
> >>> >> > http://codereview.chromium.org/173357/diff/1033/42
> >>> >> > File chrome/browser/privacy_blacklist/blacklist_io.h (right):
> >>> >> >
> >>> >> > http://codereview.chromium.org/173357/diff/1033/42#newcode30
> >>> >> > Line 30: const string16& last_error() const {
> >>> >> > nit: I think this design would badly degrade in failure mode.
> >>> >
> >>> > Imagine an
> >>> >>
> >>> >> > overflow of blacklisted IO, that would significantly increase the
> >>> >
> >>> > memory usage
> >>> >>
> >>> >> > if the string is large. Especially that it would always be the same
> >>> >
> >>> > string.
> >>> >>
> >>> >> > Also, I think it's too deep to keep localized data.
> >>> >
> >>> >> Not sure I understand but you should know that this I/O code is only
> >>> >
> >>> > invoked
> >>> >>
> >>> >> by the extension installation code which Pawel is writing. Chrome
> >>> >
> >>> > would not
> >>> >>
> >>> >> check these once the the blacklists are installed and compiled.
> >>> >
> >>> > ok, but if you look at the rest of the chrome code, we usually don't
> >>> > surface low level errors like "file read failed" or things like that.
> >>>
> >>> We don't except for developer messages I was told. That is why these
> >>> messages
> >>> are not i18n. It is mostly for the ones developing and validating the
> >>> blacklists. Pawel
> >>> is writing the front-end code that uses this.
> >>>
> >>> >> > http://codereview.chromium.org/173357/diff/1033/43
> >>> >> > File chrome/browser/privacy_blacklist/blacklist_store.cc (right):
> >>> >> >
> >>> >> > http://codereview.chromium.org/173357/diff/1033/43#newcode126
> >>> >> > Line 126: if (uint32 n = ReadUInt()) {
> >>> >> > Shouldn't you put an arbitrary upper limit for a valid supported
> >>> >
> >>> > range?
> >>> >
> >>> >> I did not see a point to do anything arbitrary, but I can if you
> >>> >
> >>> > really
> >>> >>
> >>> >> want me too.
> >>> >
> >>> > Simplest path to DoS. All your cute error messages won't do a thing
> >>> > about the crash that will occur when you try to load an invalid file
> >>> > that simply gobs all the available memory.
> >>>
> >>> OK. That's something new!
> >>>
> >>> - Itai
> >>>
> >>> > M-A
> >>> >
> >>> > http://codereview.chromium.org/173357
> >>> >
> >>
> >>
> >
> 
> 
> 
> -- 
> Reminder: I will be on vacation from September 17 - 30, and will
> probably be out of internet range (Egypt) until the 27th (Paris).

idanan

On 2009/08/26 17:14:08, Marc-Antoine Ruel wrote: > On 2009/08/26 16:46:07, idanan wrote: > > On ...

11 years, 3 months ago (2009-09-10 18:33:11 UTC) #19

On 2009/08/26 17:14:08, Marc-Antoine Ruel wrote:
> On 2009/08/26 16:46:07, idanan wrote:
> > On 2009/08/26 13:53:40, Marc-Antoine Ruel wrote:
> > > http://codereview.chromium.org/173357/diff/1033/48
> > > File chrome/app/generated_resources.grd (right):
> > > 
> > > http://codereview.chromium.org/173357/diff/1033/48#newcode4830
> > > Line 4830: Your privacy is no longer protected
> > > I still think the messaging is wrong here.
> > 
> > What would you prefer? I think this gives exactly the consequence
> > of the error, as opposed to something like "Error loading Privacy
> > Blacklist".
> 
> To me, the failure to load the privacy blacklist is *AT MOST* a toolbar popup,
> like the 'do you want to save password' or 'set chrome as default browser'. If
I
> want to browse the web *now* I probably don't care that the privacy blacklist
> failed to load, and I want even less be scared by a message telling me that my
> privacy is suddenly invaded by obscure stuff. The information in this message
is
> at best misleading. I definitely want the point of view of someone in the UI
> team for that.
> 
> In any case, the privacy list loading should be asynchronous and non blocking,
> so even if the first socket connections starts without the list being fully
> loaded, I probably wouldn't care.
> 
> Since the list loading should probably be asynchronous, this doesn't deserve a
> synchronous popup.
> 

Modified according to Glen's suggestions.

> > > http://codereview.chromium.org/173357/diff/1033/45
> > > File chrome/browser/privacy_blacklist/blacklist.cc (right):
> > > 
> > > http://codereview.chromium.org/173357/diff/1033/45#newcode66
> > > Line 66: bool Blacklist::Matches(const std::string& pattern, const
> > std::string&
> > > url) {
> > > Shouldn't you add DCHECK(is_good()); in a few functions?
> > I could but is_good is only designed to be checked once, upon
initialization.
> > The blacklist never goes from good to bad.
> 
> You know that. Does the function callers in 2 years will remember that?

OK. Actually had to make that an if, for the case were users use "Continue".

> > > http://codereview.chromium.org/173357/diff/1033/45#newcode163
> > > Line 163: Blacklist::Blacklist(const FilePath& file) : is_good_(false) {
> > > Doesn't is_good_ puts unnecessary burden on the callers? Shouldn't the
list
> > just
> > > be empty when the list failed to load? That's fine to have a signal to
> verify
> > > that but you don't cleanup providers_ when it fails latter.
> > 
> > No because it only needs to be checked once. The reason there is even an
> > is good function is because of dependencies which meant I could not do 
> > the UI dialog right in the blacklist.
> > 
> > > http://codereview.chromium.org/173357/diff/1033/46
> > > File chrome/browser/privacy_blacklist/blacklist.h (right):
> > > 
> > > http://codereview.chromium.org/173357/diff/1033/46#newcode161
> > > Line 161: // Returns true if the blacklist object is in good health.
> > > Could be further shortened to:
> > > "Is the blacklist object in good health"
> > > 
> > > But, in the end, do you really need that? See .cc comment.
> > 
> > As I just said, it is needed to break the dependencies so that we
> > can show the user when it does not load. It is extremely important
> > that we do so because otherwise users would have a false impression
> > about how their privacy is protected.
> 
> My point is roughly that 'good' has different meaning. You probably want to
know
> if the list is 'valid()' or not. But even though, if the list is not valid,
> what's the deal? Frankly, I'd want the point of view of someone else on that
> since I'm not a fan of surfacing too many errors.
> 
>
> > > http://codereview.chromium.org/173357/diff/1033/42
> > > File chrome/browser/privacy_blacklist/blacklist_io.h (right):
> > > 
> > > http://codereview.chromium.org/173357/diff/1033/42#newcode30
> > > Line 30: const string16& last_error() const {
> > > nit: I think this design would badly degrade in failure mode. Imagine an
> > > overflow of blacklisted IO, that would significantly increase the memory
> usage
> > > if the string is large. Especially that it would always be the same
string.
> > > Also, I think it's too deep to keep localized data.
> > 
> > Not sure I understand but you should know that this I/O code is only invoked
> > by the extension installation code which Pawel is writing. Chrome would not
> > check these once the the blacklists are installed and compiled.
> 
> ok, but if you look at the rest of the chrome code, we usually don't surface
low
> level errors like "file read failed" or things like that.
> 
> 
> > > http://codereview.chromium.org/173357/diff/1033/43
> > > File chrome/browser/privacy_blacklist/blacklist_store.cc (right):
> > > 
> > > http://codereview.chromium.org/173357/diff/1033/43#newcode126
> > > Line 126: if (uint32 n = ReadUInt()) {
> > > Shouldn't you put an arbitrary upper limit for a valid supported range?
> > 
> > I did not see a point to do anything arbitrary, but I can if you really
> > want me too.
> 
> Simplest path to DoS. All your cute error messages won't do a thing about the
> crash that will occur when you try to load an invalid file that simply gobs
all
> the available memory.

Done.

M-A Ruel

lgtm for my side http://codereview.chromium.org/173357/diff/4005/5021 File chrome/app/generated_resources.grd (right): http://codereview.chromium.org/173357/diff/4005/5021#newcode4960 Line 4960: Your privacy blacklists failed ...

11 years, 3 months ago (2009-09-10 18:59:40 UTC) #20

idanan_google.com

11 years, 3 months ago (2009-09-10 19:17:20 UTC) #21

On Thu, Sep 10, 2009 at 14:59,  <maruel@chromium.org> wrote:
> lgtm for my side
>
>
> http://codereview.chromium.org/173357/diff/4005/5021
> File chrome/app/generated_resources.grd (right):
>
> http://codereview.chromium.org/173357/diff/4005/5021#newcode4960
> Line 4960: Your privacy blacklists failed to load.
> Is 'Your' necessary?

I'll let the experts find better messages in a future date. I prefer
the your in there,
it does not sound so good without it.

> http://codereview.chromium.org/173357/diff/4005/5016
> File chrome/browser/privacy_blacklist/blacklist_store.cc (right):
>
> http://codereview.chromium.org/173357/diff/4005/5016#newcode16
> Line 16: const char cookie[] = "GCPBL100";
> const char* const cookie = "..";

Can't. Using sizeof.

- Itai

Issue 173357: Error diagnostics for Blacklist IO... (Closed)

Description

Patch Set 1 #

Patch Set 2 : '' #

Patch Set 3 : '' #

Patch Set 4 : '' #

Patch Set 5 : '' #

Patch Set 6 : '' #

Patch Set 7 : '' #

Messages