Issue 1181293003: Expand SecurityStyleChanged interfaces to include explanations

estark

estark@chromium.org changed reviewers: + creis@chromium.org, pfeldman@chromium.org, pkasting@chromium.org

5 years, 6 months ago (2015-06-12 23:00:14 UTC) #1

estark

This is the next step in our devtools security panel plumbing Master Plan.* The eventual ...

5 years, 6 months ago (2015-06-12 23:00:15 UTC) #2

lgarron

lgarron@chromium.org changed reviewers: + lgarron@chromium.org

5 years, 6 months ago (2015-06-12 23:59:59 UTC) #3

lgarron

I like the use of two vectors for the two security levels. However, I would ...

5 years, 6 months ago (2015-06-13 00:00:00 UTC) #4

lgarron

lgarron@chromium.org changed reviewers: - lgarron@chromium.org

5 years, 6 months ago (2015-06-13 00:00:21 UTC) #5

estark

On 2015/06/13 00:00:00, lgarron wrote: > I like the use of two vectors for the ...

5 years, 6 months ago (2015-06-14 22:59:52 UTC) #6

Peter Kasting

* It's not made clear anywhere why the added params are vectors of strings, rather ...

5 years, 6 months ago (2015-06-15 20:23:43 UTC) #7

lgarron

On 2015/06/15 at 20:23:43, pkasting wrote: > * It's not made clear anywhere why the ...

5 years, 6 months ago (2015-06-15 20:44:54 UTC) #8

estark

On 2015/06/15 20:23:43, Peter Kasting wrote: > * It's not made clear anywhere why the ...

5 years, 6 months ago (2015-06-16 02:09:36 UTC) #9

On 2015/06/15 20:23:43, Peter Kasting wrote:
> * It's not made clear anywhere why the added params are vectors of strings,
> rather than strings.  In particular, I don't see how a naive reader (i.e. me)
> would know how many strings the vector should have or what each would
correspond
> to.
> 
> * It seems like this change neither populates nor uses the new params.  It
would
> be easier to review this (and would clear up e.g. the confusion above) if it
did
> at least one of these things, if not both.  I'm not a big fan of reviewing API
> changes where I can't see how the API will practically be used.
> 
> Otherwise the (trivial) mechanics of the change seem OK.

Hmm, I was trying to keep the CL small but I guess it was a little too small to
be useful. Please take a look at the latest patchset (#5). Here is an outline of
the changes I've made:

* Added code to populate the explanations in
//chrome/browser/ssl/connection_security.cc and //chrome/browser/ui/browser.cc.
The former provides enums describing why a particular SecurityStyle was chosen
for a page, and the latter converts those enums into strings.

* Introduced a SecurityStyleExplanation struct (containing the two vectors), and
changed the API to pass around a SecurityStyleExplanation instead of the two
vectors. The motivation for this change was a conversation today about what the
devtools security panel frontend will look like (new frontend mocks show a
summary and description for each security issue instead of just a description).
I think that passing around a SecurityStyleExplanation will give us more
flexibility than passing around two vectors: if we later decide that we want to
add e.g. |bonus_point_explanations| explaining what a site is doing right in its
SSL configuration, we can change the SecurityStyleExplanation struct and the
code that populates and consumes it, instead of having to change all the APIs in
between them.

* Added comments in SecurityStyleExplanation to hopefully make it more clear
what the vectors should contain.

Peter Kasting

This makes a lot more sense than the first change. https://codereview.chromium.org/1181293003/diff/70001/chrome/app/generated_resources.grd File chrome/app/generated_resources.grd (right): https://codereview.chromium.org/1181293003/diff/70001/chrome/app/generated_resources.grd#newcode15645 ...

5 years, 6 months ago (2015-06-16 06:29:11 UTC) #10

estark

https://codereview.chromium.org/1181293003/diff/70001/chrome/app/generated_resources.grd File chrome/app/generated_resources.grd (right): https://codereview.chromium.org/1181293003/diff/70001/chrome/app/generated_resources.grd#newcode15645 chrome/app/generated_resources.grd:15645: + The certificate for this site expires in 2016, ...

5 years, 6 months ago (2015-06-16 15:32:35 UTC) #11

Peter Kasting

LGTM https://codereview.chromium.org/1181293003/diff/90001/content/public/common/security_style.h File content/public/common/security_style.h (right): https://codereview.chromium.org/1181293003/diff/90001/content/public/common/security_style.h#newcode53 content/public/common/security_style.h:53: const std::string& description_input); Nit: Name these |summary| and ...

5 years, 6 months ago (2015-06-16 22:11:31 UTC) #12

estark

estark@chromium.org changed reviewers: + rsleevi@chromium.org

5 years, 6 months ago (2015-06-16 23:42:19 UTC) #13

estark

Thanks pkasting. creis: could you please look at the rest of //content? pfeldman: could you ...

5 years, 6 months ago (2015-06-16 23:42:20 UTC) #14

Thanks pkasting.

creis: could you please look at the rest of //content?
pfeldman: could you please take a look at //content/browser/devtools?
rsleevi: could you please look at //chrome/browser/ssl?

Executive summary:
* connection_security (in //c/b/ssl) computes a SecurityStyle for the page and a
set of properties (enums) describing why that SecurityStyle was chosen.
* Browser (in //c/b/ui) translates these properties into strings, which it puts
into a SecurityStyleExplanations struct which gets ferried through //content to
devtools.
* The devtools security handler is not yet doing anything with the explanations;
that will be in a follow-up CL after the necessary Blink changes are landed.

https://codereview.chromium.org/1181293003/diff/90001/content/public/common/s...
File content/public/common/security_style.h (right):

https://codereview.chromium.org/1181293003/diff/90001/content/public/common/s...
content/public/common/security_style.h:53: const std::string&
description_input);
On 2015/06/16 22:11:31, Peter Kasting wrote:
> Nit: Name these |summary| and |description|.  You can still write the
> initializer list this way:
> 
>   SecurityStyleExplanation(const std::string& summary,
>                            const std::string& description)
>       : summary(summary), description(description) {
>   }
> 
> ...and the compiler will get it right.

Done.

https://codereview.chromium.org/1181293003/diff/90001/content/public/common/s...
content/public/common/security_style.h:60: // A SecurityStyleExplanations
contains human-readable explanations for
On 2015/06/16 22:11:31, Peter Kasting wrote:
> Nit: Remove initial "A" (it just makes the sentence less grammatically clear)

Done.

https://codereview.chromium.org/1181293003/diff/90001/content/public/common/s...
content/public/common/security_style.h:66: // has multiple issues.
On 2015/06/16 22:11:31, Peter Kasting wrote:
> Nit: This last sentence is now unclear because "An explanation" no longer
> clearly refers to this class.  How about:
> 
> A single site may have multiple different explanations of both "warning" and
> "broken" severity levels.

Done.

Ryan Sleevi

c/b/ssl LGTM % nit https://codereview.chromium.org/1181293003/diff/110001/chrome/browser/ssl/connection_security.cc File chrome/browser/ssl/connection_security.cc (right): https://codereview.chromium.org/1181293003/diff/110001/chrome/browser/ssl/connection_security.cc#newcode85 chrome/browser/ssl/connection_security.cc:85: if (cert && (ssl.cert_status & ...

5 years, 6 months ago (2015-06-16 23:58:54 UTC) #15

estark

https://codereview.chromium.org/1181293003/diff/110001/chrome/browser/ssl/connection_security.cc File chrome/browser/ssl/connection_security.cc (right): https://codereview.chromium.org/1181293003/diff/110001/chrome/browser/ssl/connection_security.cc#newcode85 chrome/browser/ssl/connection_security.cc:85: if (cert && (ssl.cert_status & net::CERT_STATUS_SHA1_SIGNATURE_PRESENT)) { On 2015/06/16 ...

5 years, 6 months ago (2015-06-17 04:38:30 UTC) #17

Charlie Reis

creis@chromium.org changed reviewers: + jam@chromium.org

5 years, 6 months ago (2015-06-17 18:37:39 UTC) #18

Charlie Reis

[+jam] I'd like to do a quick sanity check on whether we need the new ...

5 years, 6 months ago (2015-06-17 18:37:40 UTC) #19

estark

On 2015/06/17 18:37:40, Charlie Reis wrote: > [+jam] > > I'd like to do a ...

5 years, 6 months ago (2015-06-17 18:50:15 UTC) #20

On 2015/06/17 18:37:40, Charlie Reis wrote:
> [+jam]
> 
> I'd like to do a quick sanity check on whether we need the new structs in the
> content/public API.  On one hand, we have things like DevToolsManagerDelegate
> for getting info from the embedder without threading it through most of
content.
>  On the other hand, we'd probably want it in a structured form inside
DevTools,
> so a type for it may be worthwhile.
> 
> How is it going to be consumed?  Will it need to be converted again to be
passed
> into Blink?  In that case, maybe we should use a public Blink type instead of
a
> content type.

The plan is to add a parameter for it on the SecurityStyleChanged event in
devtools's protocol.json (the remote debugging protocol). SecurityHandler (in
//content/browser/devtools) observes the
WebContentsObserver::SecurityStyleChanged event and will include the
SecurityStyleExplanations as a parameter in the message that it sends. (Which
will be received by devtools javascript code in blink). So the plan is to
basically consume it the same way SecurityStyle is currently consumed: //chrome
sets the explanation and passes it through //content to the SecurityHandler (in
//content), which sends it over the devtools remote debugging protocol.

> 
> (We generally don't want to add things to content/public until they're used
both
> inside and outside content, so it would be useful to know how it will be
used.)
> 
>
https://codereview.chromium.org/1181293003/diff/150001/content/public/browser...
> File content/public/browser/web_contents_observer.h (right):
> 
>
https://codereview.chromium.org/1181293003/diff/150001/content/public/browser...
> content/public/browser/web_contents_observer.h:181: // changes.
|security_style|
> is the new
> nit: Looks like "changes" fits on the previous line, as before.
> Similar issue with next line.
> 
>
https://codereview.chromium.org/1181293003/diff/150001/content/public/common/...
> File content/public/common/security_style.h (right):
> 
>
https://codereview.chromium.org/1181293003/diff/150001/content/public/common/...
> content/public/common/security_style.h:50: struct SecurityStyleExplanation {
> From the content API guidelines:
> "each interface/struct/enum should be in a separate file"
> 
> http://www.chromium.org/developers/content-module/content-api
> 
> It's admittedly unfortunate to need separate files for both
> SecurityStyleExplanation and SecurityStyleExplanations, but I want to get
John's
> opinion on the approach anyway.

estark

On 2015/06/17 18:50:15, estark wrote: > On 2015/06/17 18:37:40, Charlie Reis wrote: > > [+jam] ...

5 years, 6 months ago (2015-06-17 19:00:39 UTC) #21

On 2015/06/17 18:50:15, estark wrote:
> On 2015/06/17 18:37:40, Charlie Reis wrote:
> > [+jam]
> > 
> > I'd like to do a quick sanity check on whether we need the new structs in
the
> > content/public API.  On one hand, we have things like
DevToolsManagerDelegate
> > for getting info from the embedder without threading it through most of
> content.
> >  On the other hand, we'd probably want it in a structured form inside
> DevTools,
> > so a type for it may be worthwhile.
> > 
> > How is it going to be consumed?  Will it need to be converted again to be
> passed
> > into Blink?  In that case, maybe we should use a public Blink type instead
of
> a
> > content type.
> 
> The plan is to add a parameter for it on the SecurityStyleChanged event in
> devtools's protocol.json (the remote debugging protocol). SecurityHandler (in
> //content/browser/devtools) observes the
> WebContentsObserver::SecurityStyleChanged event and will include the
> SecurityStyleExplanations as a parameter in the message that it sends. (Which
> will be received by devtools javascript code in blink). So the plan is to
> basically consume it the same way SecurityStyle is currently consumed:
//chrome
> sets the explanation and passes it through //content to the SecurityHandler
(in
> //content), which sends it over the devtools remote debugging protocol.

https://code.google.com/p/chromium/codesearch#chromium/src/content/browser/de...
is where we'd like to pass the explanation to devtools, in case I wasn't clear.

> 
> > 
> > (We generally don't want to add things to content/public until they're used
> both
> > inside and outside content, so it would be useful to know how it will be
> used.)
> > 
> >
>
https://codereview.chromium.org/1181293003/diff/150001/content/public/browser...
> > File content/public/browser/web_contents_observer.h (right):
> > 
> >
>
https://codereview.chromium.org/1181293003/diff/150001/content/public/browser...
> > content/public/browser/web_contents_observer.h:181: // changes.
> |security_style|
> > is the new
> > nit: Looks like "changes" fits on the previous line, as before.
> > Similar issue with next line.
> > 
> >
>
https://codereview.chromium.org/1181293003/diff/150001/content/public/common/...
> > File content/public/common/security_style.h (right):
> > 
> >
>
https://codereview.chromium.org/1181293003/diff/150001/content/public/common/...
> > content/public/common/security_style.h:50: struct SecurityStyleExplanation {
> > From the content API guidelines:
> > "each interface/struct/enum should be in a separate file"
> > 
> > http://www.chromium.org/developers/content-module/content-api
> > 
> > It's admittedly unfortunate to need separate files for both
> > SecurityStyleExplanation and SecurityStyleExplanations, but I want to get
> John's
> > opinion on the approach anyway.

Charlie Reis

On 2015/06/17 19:00:39, estark wrote: > On 2015/06/17 18:50:15, estark wrote: > > On 2015/06/17 ...

5 years, 6 months ago (2015-06-17 19:38:15 UTC) #22

estark

Cool, thanks creis. https://codereview.chromium.org/1181293003/diff/150001/content/public/browser/web_contents_observer.h File content/public/browser/web_contents_observer.h (right): https://codereview.chromium.org/1181293003/diff/150001/content/public/browser/web_contents_observer.h#newcode181 content/public/browser/web_contents_observer.h:181: // changes. |security_style| is the new ...

5 years, 6 months ago (2015-06-17 20:35:58 UTC) #23

jam

so I just took a closer look at the GetSecurityStyle method which was added in ...

5 years, 6 months ago (2015-06-17 20:45:10 UTC) #24

jam

On 2015/06/17 20:45:10, jam wrote: > so I just took a closer look at the ...

5 years, 6 months ago (2015-06-17 20:46:00 UTC) #25

estark

On 2015/06/17 20:45:10, jam wrote: > so I just took a closer look at the ...

5 years, 6 months ago (2015-06-17 20:46:41 UTC) #26

estark

On 2015/06/17 20:46:41, estark wrote: > On 2015/06/17 20:45:10, jam wrote: > > so I ...

5 years, 6 months ago (2015-06-17 20:50:31 UTC) #27

jam

On 2015/06/17 20:46:41, estark wrote: > On 2015/06/17 20:45:10, jam wrote: > > so I ...

5 years, 6 months ago (2015-06-17 21:03:46 UTC) #28

jam

On 2015/06/17 20:50:31, estark wrote: > On 2015/06/17 20:46:41, estark wrote: > > On 2015/06/17 ...

5 years, 6 months ago (2015-06-17 21:05:39 UTC) #29

estark

On 2015/06/17 21:03:46, jam wrote: > On 2015/06/17 20:46:41, estark wrote: > > On 2015/06/17 ...

5 years, 6 months ago (2015-06-17 21:08:28 UTC) #30

Ryan Sleevi

On 2015/06/17 21:08:28, estark wrote: > I do remember talking about this at one point; ...

5 years, 6 months ago (2015-06-17 21:15:45 UTC) #31

jam

On 2015/06/17 21:08:28, estark wrote: > On 2015/06/17 21:03:46, jam wrote: > > On 2015/06/17 ...

5 years, 6 months ago (2015-06-17 21:16:05 UTC) #32

On 2015/06/17 21:08:28, estark wrote:
> On 2015/06/17 21:03:46, jam wrote:
> > On 2015/06/17 20:46:41, estark wrote:
> > > On 2015/06/17 20:45:10, jam wrote:
> > > > so I just took a closer look at the GetSecurityStyle method which was
> added
> > in
> > > > https://codereview.chromium.org/1162663004/
> > > > 
> > > > It's not clear to me why this is something that the embedder provides.
> i.e.
> > > > content seems to have all the information to set this itself without
> asking
> > > > chrome layer. The one exception is the chromeos bits in
> > > > connection_security_helper.cc, but it seems we can have an embedder
> callback
> > > > just for that  (i.e. WebContentsDelegate::UsedPolicyCertificates or
> > something
> > > > similar). but the rest of the logic is stuff we want every content
> embedder
> > to
> > > > have for free and not to have to do this themselves
> > > 
> > > The SHA1 deprecation policy is all Chrome-specific, in that other
embedders
> > > shouldn't have to deprecate SHA1 at the same pace or in the same way that
> > Chrome
> > > does.
> > 
> > It's not clear to me why that is so?
> > It seems that if we decide we want to deprecate SHA1 to improve security, we
> > should assume that this improved security would benefit all content
embedders.
> > Have other embedders explicitly reached out to us and said they don't want
to
> do
> > this? Even if that did happen, we could add one specific embedder callback
for
> > that.
> 
> rsleevi: I know you have strong opinions on this, do you have any thoughts?
> 
> I do remember talking about this at one point; one problem is that we'd end up
> with a good number of embedder callbacks for embedder-specific things
> (UsedPolicyCerts(), UsedDeprecatedSHA1(), UsesMarkNonsecureAsFieldTrial()), 

Right now, the only thing that is required is UsedPolicyCerts, since that uses
policy code in src/chrome

The others can all be in content and we don't need embedder callbacks for them.

> and
> many of those callbacks probably don't even make sense for non-Chrome
embedders.
> The concept of using policy certs is a ChromeOS-specific idea, IIUC, and
> definitely the mark-nonsecure-as field trial doesn't make sense for other
> embedders.

Other embedders don't use field trials anyways...

jam

On 2015/06/17 21:15:45, Ryan Sleevi wrote: > On 2015/06/17 21:08:28, estark wrote: > > I ...

5 years, 6 months ago (2015-06-17 21:36:50 UTC) #33

Ryan Sleevi

On 2015/06/17 21:36:50, jam wrote: > Why is this a chrome-only concept. It's a in ...

5 years, 6 months ago (2015-06-17 21:51:34 UTC) #34

On 2015/06/17 21:36:50, jam wrote:
> Why is this a chrome-only concept. It's a in a module that sits below content,
> so any content embedder can set the whitelist.

The same reason that HPKP (implemented in //net) is a Chrome-only concept (and
explicitly not allowed on mobile). It requires a regular update cycle, and can
cause significant harm if not.

> In my reading of the code, this doesn't change how content loads the data,
just
> what it sends devtools. So unless I'm misreading the code, I'm not sure how
this
> would break a client.

It sends to DevTools the result of UI policy, which certainly varies by
embedder. We've taken a stronger UI policy than Firefox (console.log) or
Microsoft (no warning), and that UI behaviour would be entirely inappropriate
for some uses (Chromium Embedded, Steam, etc)

There's zero reason for //content to know about //chrome's UI policies and
treatments, and the SHA-1 policy intentionally doesn't affect loading in //net
until 2016.

> How is this UI policy? I don't see this changing chrome UI; the only thing I
see
> is that it's sent to devtools.

The entirity of the "SHA-1 issue" is implemented in //chrome, and solely used to
affect UI.

To place this in //content sets a dangerous precedent that I would strongly
prefer not to set, which is that any possible UI policies that //chrome takes
should be expressed in //content. Fundamentally, the question of "How do you
present the omnibox and security indicators" is entirely left to embedders, and
the purpose of this CL is to provide an embedder-agnostic way for an embedder to
explain those policies and how the decisions were made.

> I suggested an embedder callback just for the cros case (that is the only
> possible solution if this code is in content)

I'm still having trouble seeing the value here in such a callback.

Since there's definitely a communication gap, with you asking "Why didn't you do
X" (and these previous replies being answers to that), could you help us
understand "Why should we do X?" What benefits does it provide versus the
complexity of exposing Omnibox UI policies through //content and requiring that
any embedders that wish to use alternative policies to customize //content?

estark

On 2015/06/17 21:36:50, jam wrote: > On 2015/06/17 21:15:45, Ryan Sleevi wrote: > > On ...

5 years, 6 months ago (2015-06-17 21:51:58 UTC) #35

On 2015/06/17 21:36:50, jam wrote:
> On 2015/06/17 21:15:45, Ryan Sleevi wrote:
> > On 2015/06/17 21:08:28, estark wrote:
> > > I do remember talking about this at one point; one problem is that we'd
end
> up
> > > with a good number of embedder callbacks for embedder-specific things
> > > (UsedPolicyCerts(), UsedDeprecatedSHA1(),
UsesMarkNonsecureAsFieldTrial()),
> > and
> > > many of those callbacks probably don't even make sense for non-Chrome
> > embedders.
> > > The concept of using policy certs is a ChromeOS-specific idea, IIUC, and
> > > definitely the mark-nonsecure-as field trial doesn't make sense for other
> > > embedders.
> > 
> > Chrome-only concepts:
> > - Certificate Transparency (requires a regular update cycle to keep the
> > ecosystem healthy, and policies applicable to Chrome)
> 
> Why is this a chrome-only concept. It's a in a module that sits below content,
> so any content embedder can set the whitelist.
> 
> > - Policy certificates ( ChromeOS-only concept)
> 
> (see below, i agree and this would have to be in a focused callback)
> 
> > - SHA-1 deprecation (Until 2017, when it's fully turned off, then an
embedder
> > who doesn't have a rapid update cycle is not only at risk of breaking, but
> their
> > breakage may be used as an excuse to delay the deprecation further)
> 
> In my reading of the code, this doesn't change how content loads the data,
just
> what it sends devtools. So unless I'm misreading the code, I'm not sure how
this
> would break a client.

GetSecurityLevelForWebContents() is used to pick the lock icon in the omnibox --
is that what you mean?

> 
> > 
> > It seems very wrong for us to impose UI policy (and that's what this is,
> moreso
> > than security policy) on embedders.
> 
> How is this UI policy? I don't see this changing chrome UI; the only thing I
see
> is that it's sent to devtools.

See above; GetSecurityLevelForWebContents() is used to pick the lock icon.

> 
> 
> > Certainly, it doesn't seem appropriate to
> > extend ChromeOS ideas into content.
> 
> I suggested an embedder callback just for the cros case (that is the only
> possible solution if this code is in content)

I think the objection is that the idea of "policy certs" is itself a CrOS idea.
So having a UsedPolicyCerts() callback is introducing CrOS knowledge into
//content just by virtue of the callback name.

jam

On 2015/06/17 21:51:34, Ryan Sleevi wrote: > On 2015/06/17 21:36:50, jam wrote: > > Why ...

5 years, 6 months ago (2015-06-18 00:36:58 UTC) #36

On 2015/06/17 21:51:34, Ryan Sleevi wrote:
> On 2015/06/17 21:36:50, jam wrote:
> > Why is this a chrome-only concept. It's a in a module that sits below
content,
> > so any content embedder can set the whitelist.
> 
> The same reason that HPKP (implemented in //net) is a Chrome-only concept (and
> explicitly not allowed on mobile). It requires a regular update cycle, and can
> cause significant harm if not.
> 
> > In my reading of the code, this doesn't change how content loads the data,
> just
> > what it sends devtools. So unless I'm misreading the code, I'm not sure how
> this
> > would break a client.
> 
> It sends to DevTools the result of UI policy, which certainly varies by
> embedder. We've taken a stronger UI policy than Firefox (console.log) or
> Microsoft (no warning), and that UI behaviour would be entirely inappropriate
> for some uses (Chromium Embedded, Steam, etc)
> 
> There's zero reason for //content to know about //chrome's UI policies and
> treatments, and the SHA-1 policy intentionally doesn't affect loading in //net
> until 2016.

ah, ok I didn't notice initially that the method that is called in chrome to get
this result for WCD is the one called by chrome ui. i understand the pushback
now and i agree.

> 
> > How is this UI policy? I don't see this changing chrome UI; the only thing I
> see
> > is that it's sent to devtools.
> 
> The entirity of the "SHA-1 issue" is implemented in //chrome, and solely used
to
> affect UI.
> 
> To place this in //content sets a dangerous precedent that I would strongly
> prefer not to set, which is that any possible UI policies that //chrome takes
> should be expressed in //content. Fundamentally, the question of "How do you
> present the omnibox and security indicators" is entirely left to embedders,
and
> the purpose of this CL is to provide an embedder-agnostic way for an embedder
to
> explain those policies and how the decisions were made.
> 
> > I suggested an embedder callback just for the cros case (that is the only
> > possible solution if this code is in content)
> 
> I'm still having trouble seeing the value here in such a callback.
> 
> 
> Since there's definitely a communication gap, with you asking "Why didn't you
do
> X" (and these previous replies being answers to that), could you help us
> understand "Why should we do X?" What benefits does it provide versus the
> complexity of exposing Omnibox UI policies through //content and requiring
that
> any embedders that wish to use alternative policies to customize //content?

mostly it was about reducing content api's growth.

instead of content asking chrome for ui result so that it can send it to
devtools, can chrome send it directly instead?

estark

On 2015/06/18 00:36:58, jam wrote: > On 2015/06/17 21:51:34, Ryan Sleevi wrote: > > On ...

5 years, 6 months ago (2015-06-18 00:55:41 UTC) #37

On 2015/06/18 00:36:58, jam wrote:
> On 2015/06/17 21:51:34, Ryan Sleevi wrote:
> > On 2015/06/17 21:36:50, jam wrote:
> > > Why is this a chrome-only concept. It's a in a module that sits below
> content,
> > > so any content embedder can set the whitelist.
> > 
> > The same reason that HPKP (implemented in //net) is a Chrome-only concept
(and
> > explicitly not allowed on mobile). It requires a regular update cycle, and
can
> > cause significant harm if not.
> > 
> > > In my reading of the code, this doesn't change how content loads the data,
> > just
> > > what it sends devtools. So unless I'm misreading the code, I'm not sure
how
> > this
> > > would break a client.
> > 
> > It sends to DevTools the result of UI policy, which certainly varies by
> > embedder. We've taken a stronger UI policy than Firefox (console.log) or
> > Microsoft (no warning), and that UI behaviour would be entirely
inappropriate
> > for some uses (Chromium Embedded, Steam, etc)
> > 
> > There's zero reason for //content to know about //chrome's UI policies and
> > treatments, and the SHA-1 policy intentionally doesn't affect loading in
//net
> > until 2016.
> 
> ah, ok I didn't notice initially that the method that is called in chrome to
get
> this result for WCD is the one called by chrome ui. i understand the pushback
> now and i agree.
> 
> > 
> > > How is this UI policy? I don't see this changing chrome UI; the only thing
I
> > see
> > > is that it's sent to devtools.
> > 
> > The entirity of the "SHA-1 issue" is implemented in //chrome, and solely
used
> to
> > affect UI.
> > 
> > To place this in //content sets a dangerous precedent that I would strongly
> > prefer not to set, which is that any possible UI policies that //chrome
takes
> > should be expressed in //content. Fundamentally, the question of "How do you
> > present the omnibox and security indicators" is entirely left to embedders,
> and
> > the purpose of this CL is to provide an embedder-agnostic way for an
embedder
> to
> > explain those policies and how the decisions were made.
> > 
> > > I suggested an embedder callback just for the cros case (that is the only
> > > possible solution if this code is in content)
> > 
> > I'm still having trouble seeing the value here in such a callback.
> > 
> > 
> > Since there's definitely a communication gap, with you asking "Why didn't
you
> do
> > X" (and these previous replies being answers to that), could you help us
> > understand "Why should we do X?" What benefits does it provide versus the
> > complexity of exposing Omnibox UI policies through //content and requiring
> that
> > any embedders that wish to use alternative policies to customize //content?
> 
> mostly it was about reducing content api's growth.
> 
> instead of content asking chrome for ui result so that it can send it to
> devtools, can chrome send it directly instead?

We discussed this approach quite a bit with Pavel. My understanding is that
there does exist a way to intercept commands sent from devtools to the browser
in //chrome such that they don't go through //content
(https://code.google.com/p/chromium/codesearch#chromium/src/chrome/browser/dev...),
but the drawbacks are:

1. It's kind of hacky and discouraged unless really necessary.
2. The devtools infrastructure currently supports handling commands from
devtools to the browser in //chrome, but not sending events from //chrome to
devtools, which is what we want to do (so we'd have to wait for the devtools
team to figure out how to do that and build it).
3. I think it actually makes sense for the event to be sent from //content: it
would be nice for any embedder to be able to get the security panel
functionality by just implementing WCD::GetSecurityStyle instead of having to
re-implement all the boilerplate of a devtools protocol handler itself.

So we wanted to avoid the //chrome-direct-to-devtools approach until we actually
had to send Chrome-specific information.

lgarron

https://codereview.chromium.org/1181293003/diff/210001/chrome/app/generated_resources.grd File chrome/app/generated_resources.grd (right): https://codereview.chromium.org/1181293003/diff/210001/chrome/app/generated_resources.grd#newcode15667 chrome/app/generated_resources.grd:15667: + Mixed Content estark@: Would you mind changing this ...

5 years, 6 months ago (2015-06-18 01:28:46 UTC) #38

Ryan Sleevi

https://codereview.chromium.org/1181293003/diff/210001/chrome/app/generated_resources.grd File chrome/app/generated_resources.grd (right): https://codereview.chromium.org/1181293003/diff/210001/chrome/app/generated_resources.grd#newcode15667 chrome/app/generated_resources.grd:15667: + Mixed Content On 2015/06/18 01:28:45, lgarron wrote: > ...

5 years, 6 months ago (2015-06-18 01:34:04 UTC) #39

lgarron

lgarron@chromium.org changed reviewers: + lgarron@chromium.org

5 years, 6 months ago (2015-06-18 01:47:24 UTC) #40

lgarron

https://codereview.chromium.org/1181293003/diff/210001/chrome/app/generated_resources.grd File chrome/app/generated_resources.grd (right): https://codereview.chromium.org/1181293003/diff/210001/chrome/app/generated_resources.grd#newcode15667 chrome/app/generated_resources.grd:15667: + Mixed Content On 2015/06/18 at 01:34:03, Ryan Sleevi ...

5 years, 6 months ago (2015-06-18 01:47:25 UTC) #41

jam

On 2015/06/18 00:55:41, estark wrote: > On 2015/06/18 00:36:58, jam wrote: > > On 2015/06/17 ...

5 years, 6 months ago (2015-06-18 14:51:12 UTC) #42

On 2015/06/18 00:55:41, estark wrote:
> On 2015/06/18 00:36:58, jam wrote:
> > On 2015/06/17 21:51:34, Ryan Sleevi wrote:
> > > On 2015/06/17 21:36:50, jam wrote:
> > > > Why is this a chrome-only concept. It's a in a module that sits below
> > content,
> > > > so any content embedder can set the whitelist.
> > > 
> > > The same reason that HPKP (implemented in //net) is a Chrome-only concept
> (and
> > > explicitly not allowed on mobile). It requires a regular update cycle, and
> can
> > > cause significant harm if not.
> > > 
> > > > In my reading of the code, this doesn't change how content loads the
data,
> > > just
> > > > what it sends devtools. So unless I'm misreading the code, I'm not sure
> how
> > > this
> > > > would break a client.
> > > 
> > > It sends to DevTools the result of UI policy, which certainly varies by
> > > embedder. We've taken a stronger UI policy than Firefox (console.log) or
> > > Microsoft (no warning), and that UI behaviour would be entirely
> inappropriate
> > > for some uses (Chromium Embedded, Steam, etc)
> > > 
> > > There's zero reason for //content to know about //chrome's UI policies and
> > > treatments, and the SHA-1 policy intentionally doesn't affect loading in
> //net
> > > until 2016.
> > 
> > ah, ok I didn't notice initially that the method that is called in chrome to
> get
> > this result for WCD is the one called by chrome ui. i understand the
pushback
> > now and i agree.
> > 
> > > 
> > > > How is this UI policy? I don't see this changing chrome UI; the only
thing
> I
> > > see
> > > > is that it's sent to devtools.
> > > 
> > > The entirity of the "SHA-1 issue" is implemented in //chrome, and solely
> used
> > to
> > > affect UI.
> > > 
> > > To place this in //content sets a dangerous precedent that I would
strongly
> > > prefer not to set, which is that any possible UI policies that //chrome
> takes
> > > should be expressed in //content. Fundamentally, the question of "How do
you
> > > present the omnibox and security indicators" is entirely left to
embedders,
> > and
> > > the purpose of this CL is to provide an embedder-agnostic way for an
> embedder
> > to
> > > explain those policies and how the decisions were made.
> > > 
> > > > I suggested an embedder callback just for the cros case (that is the
only
> > > > possible solution if this code is in content)
> > > 
> > > I'm still having trouble seeing the value here in such a callback.
> > > 
> > > 
> > > Since there's definitely a communication gap, with you asking "Why didn't
> you
> > do
> > > X" (and these previous replies being answers to that), could you help us
> > > understand "Why should we do X?" What benefits does it provide versus the
> > > complexity of exposing Omnibox UI policies through //content and requiring
> > that
> > > any embedders that wish to use alternative policies to customize
//content?
> > 
> > mostly it was about reducing content api's growth.
> > 
> > instead of content asking chrome for ui result so that it can send it to
> > devtools, can chrome send it directly instead?
> 
> We discussed this approach quite a bit with Pavel. My understanding is that
> there does exist a way to intercept commands sent from devtools to the browser
> in //chrome such that they don't go through //content
>
(https://code.google.com/p/chromium/codesearch#chromium/src/chrome/browser/dev...),
> but the drawbacks are:
> 
> 1. It's kind of hacky and discouraged unless really necessary.
> 2. The devtools infrastructure currently supports handling commands from
> devtools to the browser in //chrome, but not sending events from //chrome to
> devtools, which is what we want to do (so we'd have to wait for the devtools
> team to figure out how to do that and build it).

Shouldn't this be easy, i.e. a method that takes a string?

> 3. I think it actually makes sense for the event to be sent from //content: it
> would be nice for any embedder to be able to get the security panel
> functionality by just implementing WCD::GetSecurityStyle instead of having to
> re-implement all the boilerplate of a devtools protocol handler itself.

That depends on what the API of 2 is right? i.e. if there's a method in
content/public that sends a string to devtools, then there shouldn't be much
work to implement on the embedder side.

> 
> So we wanted to avoid the //chrome-direct-to-devtools approach until we
actually
> had to send Chrome-specific information.

estark

On 2015/06/18 14:51:12, jam wrote: > On 2015/06/18 00:55:41, estark wrote: > > On 2015/06/18 ...

5 years, 6 months ago (2015-06-18 14:56:28 UTC) #43

On 2015/06/18 14:51:12, jam wrote:
> On 2015/06/18 00:55:41, estark wrote:
> > On 2015/06/18 00:36:58, jam wrote:
> > > On 2015/06/17 21:51:34, Ryan Sleevi wrote:
> > > > On 2015/06/17 21:36:50, jam wrote:
> > > > > Why is this a chrome-only concept. It's a in a module that sits below
> > > content,
> > > > > so any content embedder can set the whitelist.
> > > > 
> > > > The same reason that HPKP (implemented in //net) is a Chrome-only
concept
> > (and
> > > > explicitly not allowed on mobile). It requires a regular update cycle,
and
> > can
> > > > cause significant harm if not.
> > > > 
> > > > > In my reading of the code, this doesn't change how content loads the
> data,
> > > > just
> > > > > what it sends devtools. So unless I'm misreading the code, I'm not
sure
> > how
> > > > this
> > > > > would break a client.
> > > > 
> > > > It sends to DevTools the result of UI policy, which certainly varies by
> > > > embedder. We've taken a stronger UI policy than Firefox (console.log) or
> > > > Microsoft (no warning), and that UI behaviour would be entirely
> > inappropriate
> > > > for some uses (Chromium Embedded, Steam, etc)
> > > > 
> > > > There's zero reason for //content to know about //chrome's UI policies
and
> > > > treatments, and the SHA-1 policy intentionally doesn't affect loading in
> > //net
> > > > until 2016.
> > > 
> > > ah, ok I didn't notice initially that the method that is called in chrome
to
> > get
> > > this result for WCD is the one called by chrome ui. i understand the
> pushback
> > > now and i agree.
> > > 
> > > > 
> > > > > How is this UI policy? I don't see this changing chrome UI; the only
> thing
> > I
> > > > see
> > > > > is that it's sent to devtools.
> > > > 
> > > > The entirity of the "SHA-1 issue" is implemented in //chrome, and solely
> > used
> > > to
> > > > affect UI.
> > > > 
> > > > To place this in //content sets a dangerous precedent that I would
> strongly
> > > > prefer not to set, which is that any possible UI policies that //chrome
> > takes
> > > > should be expressed in //content. Fundamentally, the question of "How do
> you
> > > > present the omnibox and security indicators" is entirely left to
> embedders,
> > > and
> > > > the purpose of this CL is to provide an embedder-agnostic way for an
> > embedder
> > > to
> > > > explain those policies and how the decisions were made.
> > > > 
> > > > > I suggested an embedder callback just for the cros case (that is the
> only
> > > > > possible solution if this code is in content)
> > > > 
> > > > I'm still having trouble seeing the value here in such a callback.
> > > > 
> > > > 
> > > > Since there's definitely a communication gap, with you asking "Why
didn't
> > you
> > > do
> > > > X" (and these previous replies being answers to that), could you help us
> > > > understand "Why should we do X?" What benefits does it provide versus
the
> > > > complexity of exposing Omnibox UI policies through //content and
requiring
> > > that
> > > > any embedders that wish to use alternative policies to customize
> //content?
> > > 
> > > mostly it was about reducing content api's growth.
> > > 
> > > instead of content asking chrome for ui result so that it can send it to
> > > devtools, can chrome send it directly instead?
> > 
> > We discussed this approach quite a bit with Pavel. My understanding is that
> > there does exist a way to intercept commands sent from devtools to the
browser
> > in //chrome such that they don't go through //content
> >
>
(https://code.google.com/p/chromium/codesearch#chromium/src/chrome/browser/dev...),
> > but the drawbacks are:
> > 
> > 1. It's kind of hacky and discouraged unless really necessary.
> > 2. The devtools infrastructure currently supports handling commands from
> > devtools to the browser in //chrome, but not sending events from //chrome to
> > devtools, which is what we want to do (so we'd have to wait for the devtools
> > team to figure out how to do that and build it).
> 
> Shouldn't this be easy, i.e. a method that takes a string?

I don't understand, sorry -- can you be more specific? Or is there an example
you can point to? (I guess I don't understand what "the string" is that you're
referring to, or what the method would be called and what exactly it would do.)

> 
> > 3. I think it actually makes sense for the event to be sent from //content:
it
> > would be nice for any embedder to be able to get the security panel
> > functionality by just implementing WCD::GetSecurityStyle instead of having
to
> > re-implement all the boilerplate of a devtools protocol handler itself.
> 
> That depends on what the API of 2 is right? i.e. if there's a method in
> content/public that sends a string to devtools, then there shouldn't be much
> work to implement on the embedder side.
> 
> > 
> > So we wanted to avoid the //chrome-direct-to-devtools approach until we
> actually
> > had to send Chrome-specific information.

jam

On 2015/06/18 14:56:28, estark wrote: > On 2015/06/18 14:51:12, jam wrote: > > On 2015/06/18 ...

5 years, 6 months ago (2015-06-18 15:19:41 UTC) #44

On 2015/06/18 14:56:28, estark wrote:
> On 2015/06/18 14:51:12, jam wrote:
> > On 2015/06/18 00:55:41, estark wrote:
> > > On 2015/06/18 00:36:58, jam wrote:
> > > > On 2015/06/17 21:51:34, Ryan Sleevi wrote:
> > > > > On 2015/06/17 21:36:50, jam wrote:
> > > > > > Why is this a chrome-only concept. It's a in a module that sits
below
> > > > content,
> > > > > > so any content embedder can set the whitelist.
> > > > > 
> > > > > The same reason that HPKP (implemented in //net) is a Chrome-only
> concept
> > > (and
> > > > > explicitly not allowed on mobile). It requires a regular update cycle,
> and
> > > can
> > > > > cause significant harm if not.
> > > > > 
> > > > > > In my reading of the code, this doesn't change how content loads the
> > data,
> > > > > just
> > > > > > what it sends devtools. So unless I'm misreading the code, I'm not
> sure
> > > how
> > > > > this
> > > > > > would break a client.
> > > > > 
> > > > > It sends to DevTools the result of UI policy, which certainly varies
by
> > > > > embedder. We've taken a stronger UI policy than Firefox (console.log)
or
> > > > > Microsoft (no warning), and that UI behaviour would be entirely
> > > inappropriate
> > > > > for some uses (Chromium Embedded, Steam, etc)
> > > > > 
> > > > > There's zero reason for //content to know about //chrome's UI policies
> and
> > > > > treatments, and the SHA-1 policy intentionally doesn't affect loading
in
> > > //net
> > > > > until 2016.
> > > > 
> > > > ah, ok I didn't notice initially that the method that is called in
chrome
> to
> > > get
> > > > this result for WCD is the one called by chrome ui. i understand the
> > pushback
> > > > now and i agree.
> > > > 
> > > > > 
> > > > > > How is this UI policy? I don't see this changing chrome UI; the only
> > thing
> > > I
> > > > > see
> > > > > > is that it's sent to devtools.
> > > > > 
> > > > > The entirity of the "SHA-1 issue" is implemented in //chrome, and
solely
> > > used
> > > > to
> > > > > affect UI.
> > > > > 
> > > > > To place this in //content sets a dangerous precedent that I would
> > strongly
> > > > > prefer not to set, which is that any possible UI policies that
//chrome
> > > takes
> > > > > should be expressed in //content. Fundamentally, the question of "How
do
> > you
> > > > > present the omnibox and security indicators" is entirely left to
> > embedders,
> > > > and
> > > > > the purpose of this CL is to provide an embedder-agnostic way for an
> > > embedder
> > > > to
> > > > > explain those policies and how the decisions were made.
> > > > > 
> > > > > > I suggested an embedder callback just for the cros case (that is the
> > only
> > > > > > possible solution if this code is in content)
> > > > > 
> > > > > I'm still having trouble seeing the value here in such a callback.
> > > > > 
> > > > > 
> > > > > Since there's definitely a communication gap, with you asking "Why
> didn't
> > > you
> > > > do
> > > > > X" (and these previous replies being answers to that), could you help
us
> > > > > understand "Why should we do X?" What benefits does it provide versus
> the
> > > > > complexity of exposing Omnibox UI policies through //content and
> requiring
> > > > that
> > > > > any embedders that wish to use alternative policies to customize
> > //content?
> > > > 
> > > > mostly it was about reducing content api's growth.
> > > > 
> > > > instead of content asking chrome for ui result so that it can send it to
> > > > devtools, can chrome send it directly instead?
> > > 
> > > We discussed this approach quite a bit with Pavel. My understanding is
that
> > > there does exist a way to intercept commands sent from devtools to the
> browser
> > > in //chrome such that they don't go through //content
> > >
> >
>
(https://code.google.com/p/chromium/codesearch#chromium/src/chrome/browser/dev...),
> > > but the drawbacks are:
> > > 
> > > 1. It's kind of hacky and discouraged unless really necessary.
> > > 2. The devtools infrastructure currently supports handling commands from
> > > devtools to the browser in //chrome, but not sending events from //chrome
to
> > > devtools, which is what we want to do (so we'd have to wait for the
devtools
> > > team to figure out how to do that and build it).
> > 
> > Shouldn't this be easy, i.e. a method that takes a string?
> 
> I don't understand, sorry -- can you be more specific? Or is there an example
> you can point to? (I guess I don't understand what "the string" is that you're
> referring to, or what the method would be called and what exactly it would
do.)

oh, I'm just looking at SecurityHandler::SecurityStyleChanged which calls
Client::SecurityStateChanged and that eventually ends up in
DevToolsProtocolClient::SendRawMessage with a string.

> 
> > 
> > > 3. I think it actually makes sense for the event to be sent from
//content:
> it
> > > would be nice for any embedder to be able to get the security panel
> > > functionality by just implementing WCD::GetSecurityStyle instead of having
> to
> > > re-implement all the boilerplate of a devtools protocol handler itself.
> > 
> > That depends on what the API of 2 is right? i.e. if there's a method in
> > content/public that sends a string to devtools, then there shouldn't be much
> > work to implement on the embedder side.
> > 
> > > 
> > > So we wanted to avoid the //chrome-direct-to-devtools approach until we
> > actually
> > > had to send Chrome-specific information.

estark

On 2015/06/18 15:19:41, jam wrote: > On 2015/06/18 14:56:28, estark wrote: > > On 2015/06/18 ...

5 years, 6 months ago (2015-06-18 15:35:58 UTC) #45

On 2015/06/18 15:19:41, jam wrote:
> On 2015/06/18 14:56:28, estark wrote:
> > On 2015/06/18 14:51:12, jam wrote:
> > > On 2015/06/18 00:55:41, estark wrote:
> > > > On 2015/06/18 00:36:58, jam wrote:
> > > > > On 2015/06/17 21:51:34, Ryan Sleevi wrote:
> > > > > > On 2015/06/17 21:36:50, jam wrote:
> > > > > > > Why is this a chrome-only concept. It's a in a module that sits
> below
> > > > > content,
> > > > > > > so any content embedder can set the whitelist.
> > > > > > 
> > > > > > The same reason that HPKP (implemented in //net) is a Chrome-only
> > concept
> > > > (and
> > > > > > explicitly not allowed on mobile). It requires a regular update
cycle,
> > and
> > > > can
> > > > > > cause significant harm if not.
> > > > > > 
> > > > > > > In my reading of the code, this doesn't change how content loads
the
> > > data,
> > > > > > just
> > > > > > > what it sends devtools. So unless I'm misreading the code, I'm not
> > sure
> > > > how
> > > > > > this
> > > > > > > would break a client.
> > > > > > 
> > > > > > It sends to DevTools the result of UI policy, which certainly varies
> by
> > > > > > embedder. We've taken a stronger UI policy than Firefox
(console.log)
> or
> > > > > > Microsoft (no warning), and that UI behaviour would be entirely
> > > > inappropriate
> > > > > > for some uses (Chromium Embedded, Steam, etc)
> > > > > > 
> > > > > > There's zero reason for //content to know about //chrome's UI
policies
> > and
> > > > > > treatments, and the SHA-1 policy intentionally doesn't affect
loading
> in
> > > > //net
> > > > > > until 2016.
> > > > > 
> > > > > ah, ok I didn't notice initially that the method that is called in
> chrome
> > to
> > > > get
> > > > > this result for WCD is the one called by chrome ui. i understand the
> > > pushback
> > > > > now and i agree.
> > > > > 
> > > > > > 
> > > > > > > How is this UI policy? I don't see this changing chrome UI; the
only
> > > thing
> > > > I
> > > > > > see
> > > > > > > is that it's sent to devtools.
> > > > > > 
> > > > > > The entirity of the "SHA-1 issue" is implemented in //chrome, and
> solely
> > > > used
> > > > > to
> > > > > > affect UI.
> > > > > > 
> > > > > > To place this in //content sets a dangerous precedent that I would
> > > strongly
> > > > > > prefer not to set, which is that any possible UI policies that
> //chrome
> > > > takes
> > > > > > should be expressed in //content. Fundamentally, the question of
"How
> do
> > > you
> > > > > > present the omnibox and security indicators" is entirely left to
> > > embedders,
> > > > > and
> > > > > > the purpose of this CL is to provide an embedder-agnostic way for an
> > > > embedder
> > > > > to
> > > > > > explain those policies and how the decisions were made.
> > > > > > 
> > > > > > > I suggested an embedder callback just for the cros case (that is
the
> > > only
> > > > > > > possible solution if this code is in content)
> > > > > > 
> > > > > > I'm still having trouble seeing the value here in such a callback.
> > > > > > 
> > > > > > 
> > > > > > Since there's definitely a communication gap, with you asking "Why
> > didn't
> > > > you
> > > > > do
> > > > > > X" (and these previous replies being answers to that), could you
help
> us
> > > > > > understand "Why should we do X?" What benefits does it provide
versus
> > the
> > > > > > complexity of exposing Omnibox UI policies through //content and
> > requiring
> > > > > that
> > > > > > any embedders that wish to use alternative policies to customize
> > > //content?
> > > > > 
> > > > > mostly it was about reducing content api's growth.
> > > > > 
> > > > > instead of content asking chrome for ui result so that it can send it
to
> > > > > devtools, can chrome send it directly instead?
> > > > 
> > > > We discussed this approach quite a bit with Pavel. My understanding is
> that
> > > > there does exist a way to intercept commands sent from devtools to the
> > browser
> > > > in //chrome such that they don't go through //content
> > > >
> > >
> >
>
(https://code.google.com/p/chromium/codesearch#chromium/src/chrome/browser/dev...),
> > > > but the drawbacks are:
> > > > 
> > > > 1. It's kind of hacky and discouraged unless really necessary.
> > > > 2. The devtools infrastructure currently supports handling commands from
> > > > devtools to the browser in //chrome, but not sending events from
//chrome
> to
> > > > devtools, which is what we want to do (so we'd have to wait for the
> devtools
> > > > team to figure out how to do that and build it).
> > > 
> > > Shouldn't this be easy, i.e. a method that takes a string?
> > 
> > I don't understand, sorry -- can you be more specific? Or is there an
example
> > you can point to? (I guess I don't understand what "the string" is that
you're
> > referring to, or what the method would be called and what exactly it would
> do.)
> 
> oh, I'm just looking at SecurityHandler::SecurityStyleChanged which calls
> Client::SecurityStateChanged and that eventually ends up in
> DevToolsProtocolClient::SendRawMessage with a string.

Ok, but I'm not sure how the embedder would actually construct that string...
AFAIU it would have to get a hold of a Client somehow, and Clients are currently
constructed by generated code, and set on the SecurityHandler, so //chrome would
have to get a hold of the SecurityHandler, which dangles off the
RenderFrameDevToolsAgentHost, and I'm not sure how to get at that. (There is
currently a method to get the RFDTAH for a given RenderFrameHost in an anonymous
namespace; I'm not sure how devtools people would feel about pulling that out
and making it a public API somehow.)

I'm also not sure how the devtools people feel about having a
SendMessageToDevTools() method in //content/public. The comment on
DevToolsProtocolClient::SendRawMessage() says "Do not use unless you must."

> 
> > 
> > > 
> > > > 3. I think it actually makes sense for the event to be sent from
> //content:
> > it
> > > > would be nice for any embedder to be able to get the security panel
> > > > functionality by just implementing WCD::GetSecurityStyle instead of
having
> > to
> > > > re-implement all the boilerplate of a devtools protocol handler itself.
> > > 
> > > That depends on what the API of 2 is right? i.e. if there's a method in
> > > content/public that sends a string to devtools, then there shouldn't be
much
> > > work to implement on the embedder side.
> > > 
> > > > 
> > > > So we wanted to avoid the //chrome-direct-to-devtools approach until we
> > > actually
> > > > had to send Chrome-specific information.

jam

On 2015/06/18 15:35:58, estark wrote: > On 2015/06/18 15:19:41, jam wrote: > > On 2015/06/18 ...

5 years, 6 months ago (2015-06-18 17:34:56 UTC) #46

On 2015/06/18 15:35:58, estark wrote:
> On 2015/06/18 15:19:41, jam wrote:
> > On 2015/06/18 14:56:28, estark wrote:
> > > On 2015/06/18 14:51:12, jam wrote:
> > > > On 2015/06/18 00:55:41, estark wrote:
> > > > > On 2015/06/18 00:36:58, jam wrote:
> > > > > > On 2015/06/17 21:51:34, Ryan Sleevi wrote:
> > > > > > > On 2015/06/17 21:36:50, jam wrote:
> > > > > > > > Why is this a chrome-only concept. It's a in a module that sits
> > below
> > > > > > content,
> > > > > > > > so any content embedder can set the whitelist.
> > > > > > > 
> > > > > > > The same reason that HPKP (implemented in //net) is a Chrome-only
> > > concept
> > > > > (and
> > > > > > > explicitly not allowed on mobile). It requires a regular update
> cycle,
> > > and
> > > > > can
> > > > > > > cause significant harm if not.
> > > > > > > 
> > > > > > > > In my reading of the code, this doesn't change how content loads
> the
> > > > data,
> > > > > > > just
> > > > > > > > what it sends devtools. So unless I'm misreading the code, I'm
not
> > > sure
> > > > > how
> > > > > > > this
> > > > > > > > would break a client.
> > > > > > > 
> > > > > > > It sends to DevTools the result of UI policy, which certainly
varies
> > by
> > > > > > > embedder. We've taken a stronger UI policy than Firefox
> (console.log)
> > or
> > > > > > > Microsoft (no warning), and that UI behaviour would be entirely
> > > > > inappropriate
> > > > > > > for some uses (Chromium Embedded, Steam, etc)
> > > > > > > 
> > > > > > > There's zero reason for //content to know about //chrome's UI
> policies
> > > and
> > > > > > > treatments, and the SHA-1 policy intentionally doesn't affect
> loading
> > in
> > > > > //net
> > > > > > > until 2016.
> > > > > > 
> > > > > > ah, ok I didn't notice initially that the method that is called in
> > chrome
> > > to
> > > > > get
> > > > > > this result for WCD is the one called by chrome ui. i understand the
> > > > pushback
> > > > > > now and i agree.
> > > > > > 
> > > > > > > 
> > > > > > > > How is this UI policy? I don't see this changing chrome UI; the
> only
> > > > thing
> > > > > I
> > > > > > > see
> > > > > > > > is that it's sent to devtools.
> > > > > > > 
> > > > > > > The entirity of the "SHA-1 issue" is implemented in //chrome, and
> > solely
> > > > > used
> > > > > > to
> > > > > > > affect UI.
> > > > > > > 
> > > > > > > To place this in //content sets a dangerous precedent that I would
> > > > strongly
> > > > > > > prefer not to set, which is that any possible UI policies that
> > //chrome
> > > > > takes
> > > > > > > should be expressed in //content. Fundamentally, the question of
> "How
> > do
> > > > you
> > > > > > > present the omnibox and security indicators" is entirely left to
> > > > embedders,
> > > > > > and
> > > > > > > the purpose of this CL is to provide an embedder-agnostic way for
an
> > > > > embedder
> > > > > > to
> > > > > > > explain those policies and how the decisions were made.
> > > > > > > 
> > > > > > > > I suggested an embedder callback just for the cros case (that is
> the
> > > > only
> > > > > > > > possible solution if this code is in content)
> > > > > > > 
> > > > > > > I'm still having trouble seeing the value here in such a callback.
> > > > > > > 
> > > > > > > 
> > > > > > > Since there's definitely a communication gap, with you asking "Why
> > > didn't
> > > > > you
> > > > > > do
> > > > > > > X" (and these previous replies being answers to that), could you
> help
> > us
> > > > > > > understand "Why should we do X?" What benefits does it provide
> versus
> > > the
> > > > > > > complexity of exposing Omnibox UI policies through //content and
> > > requiring
> > > > > > that
> > > > > > > any embedders that wish to use alternative policies to customize
> > > > //content?
> > > > > > 
> > > > > > mostly it was about reducing content api's growth.
> > > > > > 
> > > > > > instead of content asking chrome for ui result so that it can send
it
> to
> > > > > > devtools, can chrome send it directly instead?
> > > > > 
> > > > > We discussed this approach quite a bit with Pavel. My understanding is
> > that
> > > > > there does exist a way to intercept commands sent from devtools to the
> > > browser
> > > > > in //chrome such that they don't go through //content
> > > > >
> > > >
> > >
> >
>
(https://code.google.com/p/chromium/codesearch#chromium/src/chrome/browser/dev...),
> > > > > but the drawbacks are:
> > > > > 
> > > > > 1. It's kind of hacky and discouraged unless really necessary.
> > > > > 2. The devtools infrastructure currently supports handling commands
from
> > > > > devtools to the browser in //chrome, but not sending events from
> //chrome
> > to
> > > > > devtools, which is what we want to do (so we'd have to wait for the
> > devtools
> > > > > team to figure out how to do that and build it).
> > > > 
> > > > Shouldn't this be easy, i.e. a method that takes a string?
> > > 
> > > I don't understand, sorry -- can you be more specific? Or is there an
> example
> > > you can point to? (I guess I don't understand what "the string" is that
> you're
> > > referring to, or what the method would be called and what exactly it would
> > do.)
> > 
> > oh, I'm just looking at SecurityHandler::SecurityStyleChanged which calls
> > Client::SecurityStateChanged and that eventually ends up in
> > DevToolsProtocolClient::SendRawMessage with a string.
> 
> Ok, but I'm not sure how the embedder would actually construct that string...
> AFAIU it would have to get a hold of a Client somehow, and Clients are
currently
> constructed by generated code, and set on the SecurityHandler, so //chrome
would
> have to get a hold of the SecurityHandler, which dangles off the
> RenderFrameDevToolsAgentHost, and I'm not sure how to get at that. (There is
> currently a method to get the RFDTAH for a given RenderFrameHost in an
anonymous
> namespace; I'm not sure how devtools people would feel about pulling that out
> and making it a public API somehow.)
> 
> I'm also not sure how the devtools people feel about having a
> SendMessageToDevTools() method in //content/public. The comment on
> DevToolsProtocolClient::SendRawMessage() says "Do not use unless you must."

I see; ok the plumbing is more complicated than I thought.

lgtm then

one nit: try to avoid the .cc files in content/public unless you have to to
avoid clang errors.

estark

On 2015/06/18 17:34:56, jam wrote: > On 2015/06/18 15:35:58, estark wrote: > > On 2015/06/18 ...

5 years, 6 months ago (2015-06-18 18:37:50 UTC) #47

On 2015/06/18 17:34:56, jam wrote:
> On 2015/06/18 15:35:58, estark wrote:
> > On 2015/06/18 15:19:41, jam wrote:
> > > On 2015/06/18 14:56:28, estark wrote:
> > > > On 2015/06/18 14:51:12, jam wrote:
> > > > > On 2015/06/18 00:55:41, estark wrote:
> > > > > > On 2015/06/18 00:36:58, jam wrote:
> > > > > > > On 2015/06/17 21:51:34, Ryan Sleevi wrote:
> > > > > > > > On 2015/06/17 21:36:50, jam wrote:
> > > > > > > > > Why is this a chrome-only concept. It's a in a module that
sits
> > > below
> > > > > > > content,
> > > > > > > > > so any content embedder can set the whitelist.
> > > > > > > > 
> > > > > > > > The same reason that HPKP (implemented in //net) is a
Chrome-only
> > > > concept
> > > > > > (and
> > > > > > > > explicitly not allowed on mobile). It requires a regular update
> > cycle,
> > > > and
> > > > > > can
> > > > > > > > cause significant harm if not.
> > > > > > > > 
> > > > > > > > > In my reading of the code, this doesn't change how content
loads
> > the
> > > > > data,
> > > > > > > > just
> > > > > > > > > what it sends devtools. So unless I'm misreading the code, I'm
> not
> > > > sure
> > > > > > how
> > > > > > > > this
> > > > > > > > > would break a client.
> > > > > > > > 
> > > > > > > > It sends to DevTools the result of UI policy, which certainly
> varies
> > > by
> > > > > > > > embedder. We've taken a stronger UI policy than Firefox
> > (console.log)
> > > or
> > > > > > > > Microsoft (no warning), and that UI behaviour would be entirely
> > > > > > inappropriate
> > > > > > > > for some uses (Chromium Embedded, Steam, etc)
> > > > > > > > 
> > > > > > > > There's zero reason for //content to know about //chrome's UI
> > policies
> > > > and
> > > > > > > > treatments, and the SHA-1 policy intentionally doesn't affect
> > loading
> > > in
> > > > > > //net
> > > > > > > > until 2016.
> > > > > > > 
> > > > > > > ah, ok I didn't notice initially that the method that is called in
> > > chrome
> > > > to
> > > > > > get
> > > > > > > this result for WCD is the one called by chrome ui. i understand
the
> > > > > pushback
> > > > > > > now and i agree.
> > > > > > > 
> > > > > > > > 
> > > > > > > > > How is this UI policy? I don't see this changing chrome UI;
the
> > only
> > > > > thing
> > > > > > I
> > > > > > > > see
> > > > > > > > > is that it's sent to devtools.
> > > > > > > > 
> > > > > > > > The entirity of the "SHA-1 issue" is implemented in //chrome,
and
> > > solely
> > > > > > used
> > > > > > > to
> > > > > > > > affect UI.
> > > > > > > > 
> > > > > > > > To place this in //content sets a dangerous precedent that I
would
> > > > > strongly
> > > > > > > > prefer not to set, which is that any possible UI policies that
> > > //chrome
> > > > > > takes
> > > > > > > > should be expressed in //content. Fundamentally, the question of
> > "How
> > > do
> > > > > you
> > > > > > > > present the omnibox and security indicators" is entirely left to
> > > > > embedders,
> > > > > > > and
> > > > > > > > the purpose of this CL is to provide an embedder-agnostic way
for
> an
> > > > > > embedder
> > > > > > > to
> > > > > > > > explain those policies and how the decisions were made.
> > > > > > > > 
> > > > > > > > > I suggested an embedder callback just for the cros case (that
is
> > the
> > > > > only
> > > > > > > > > possible solution if this code is in content)
> > > > > > > > 
> > > > > > > > I'm still having trouble seeing the value here in such a
callback.
> > > > > > > > 
> > > > > > > > 
> > > > > > > > Since there's definitely a communication gap, with you asking
"Why
> > > > didn't
> > > > > > you
> > > > > > > do
> > > > > > > > X" (and these previous replies being answers to that), could you
> > help
> > > us
> > > > > > > > understand "Why should we do X?" What benefits does it provide
> > versus
> > > > the
> > > > > > > > complexity of exposing Omnibox UI policies through //content and
> > > > requiring
> > > > > > > that
> > > > > > > > any embedders that wish to use alternative policies to customize
> > > > > //content?
> > > > > > > 
> > > > > > > mostly it was about reducing content api's growth.
> > > > > > > 
> > > > > > > instead of content asking chrome for ui result so that it can send
> it
> > to
> > > > > > > devtools, can chrome send it directly instead?
> > > > > > 
> > > > > > We discussed this approach quite a bit with Pavel. My understanding
is
> > > that
> > > > > > there does exist a way to intercept commands sent from devtools to
the
> > > > browser
> > > > > > in //chrome such that they don't go through //content
> > > > > >
> > > > >
> > > >
> > >
> >
>
(https://code.google.com/p/chromium/codesearch#chromium/src/chrome/browser/dev...),
> > > > > > but the drawbacks are:
> > > > > > 
> > > > > > 1. It's kind of hacky and discouraged unless really necessary.
> > > > > > 2. The devtools infrastructure currently supports handling commands
> from
> > > > > > devtools to the browser in //chrome, but not sending events from
> > //chrome
> > > to
> > > > > > devtools, which is what we want to do (so we'd have to wait for the
> > > devtools
> > > > > > team to figure out how to do that and build it).
> > > > > 
> > > > > Shouldn't this be easy, i.e. a method that takes a string?
> > > > 
> > > > I don't understand, sorry -- can you be more specific? Or is there an
> > example
> > > > you can point to? (I guess I don't understand what "the string" is that
> > you're
> > > > referring to, or what the method would be called and what exactly it
would
> > > do.)
> > > 
> > > oh, I'm just looking at SecurityHandler::SecurityStyleChanged which calls
> > > Client::SecurityStateChanged and that eventually ends up in
> > > DevToolsProtocolClient::SendRawMessage with a string.
> > 
> > Ok, but I'm not sure how the embedder would actually construct that
string...
> > AFAIU it would have to get a hold of a Client somehow, and Clients are
> currently
> > constructed by generated code, and set on the SecurityHandler, so //chrome
> would
> > have to get a hold of the SecurityHandler, which dangles off the
> > RenderFrameDevToolsAgentHost, and I'm not sure how to get at that. (There is
> > currently a method to get the RFDTAH for a given RenderFrameHost in an
> anonymous
> > namespace; I'm not sure how devtools people would feel about pulling that
out
> > and making it a public API somehow.)
> > 
> > I'm also not sure how the devtools people feel about having a
> > SendMessageToDevTools() method in //content/public. The comment on
> > DevToolsProtocolClient::SendRawMessage() says "Do not use unless you must."
> 
> I see; ok the plumbing is more complicated than I thought.
> 
> lgtm then
> 
> one nit: try to avoid the .cc files in content/public unless you have to to
> avoid clang errors.

Great, thanks jam.

For avoiding the .cc files: are you suggesting that as a general best practice
to know about, or specifically that I should move the content/public .cc files
in this CL? I thought it's okay to have them because of this content API
guideline: "it's acceptable to put implementation files that hold
constructors/destructors of interfaces/structs which might have member
variables. For structs, this covers initializing member variables."

If security_explanation(s).cc don't belong in content/public, would I just be
moving the files as-is to content/browser? Or should I make
SecurityExplanation(s) a virtual interface with a SecurityExplanation(s)Impl in
content/browser? (That approach seems heavy-handed)

estark

creis, pfeldman: would you like to take another look before this lands? https://codereview.chromium.org/1181293003/diff/210001/chrome/app/generated_resources.grd File chrome/app/generated_resources.grd ...

5 years, 6 months ago (2015-06-18 18:52:23 UTC) #48

lgarron

https://codereview.chromium.org/1181293003/diff/210001/chrome/app/generated_resources.grd File chrome/app/generated_resources.grd (right): https://codereview.chromium.org/1181293003/diff/210001/chrome/app/generated_resources.grd#newcode15667 chrome/app/generated_resources.grd:15667: + Mixed Content On 2015/06/18 at 18:52:23, estark wrote: ...

5 years, 6 months ago (2015-06-18 20:22:46 UTC) #49

Charlie Reis

Thanks, content/ LGTM with nits given the previous discussion. On 2015/06/18 18:37:50, estark wrote: > ...

5 years, 6 months ago (2015-06-18 20:39:52 UTC) #50

Thanks, content/ LGTM with nits given the previous discussion.

On 2015/06/18 18:37:50, estark wrote:
> On 2015/06/18 17:34:56, jam wrote:
> > I see; ok the plumbing is more complicated than I thought.
> > 
> > lgtm then
> > 
> > one nit: try to avoid the .cc files in content/public unless you have to to
> > avoid clang errors.
> 
> Great, thanks jam.
> 
> For avoiding the .cc files: are you suggesting that as a general best practice
> to know about, or specifically that I should move the content/public .cc files
> in this CL? I thought it's okay to have them because of this content API
> guideline: "it's acceptable to put implementation files that hold
> constructors/destructors of interfaces/structs which might have member
> variables. For structs, this covers initializing member variables."
> 
> If security_explanation(s).cc don't belong in content/public, would I just be
> moving the files as-is to content/browser? Or should I make
> SecurityExplanation(s) a virtual interface with a SecurityExplanation(s)Impl
in
> content/browser? (That approach seems heavy-handed)

I think he meant to inline them in the .h file if you can, unless clang
complains that they have to live in a .cc file.  No need to move the .cc files
if they have to exist.

https://codereview.chromium.org/1181293003/diff/230001/content/public/browser...
File content/public/browser/web_contents_delegate.h (right):

https://codereview.chromium.org/1181293003/diff/230001/content/public/browser...
content/public/browser/web_contents_delegate.h:41: struct
SecurityStyleExplanations;
nit: List with the structs, not the classes.

https://codereview.chromium.org/1181293003/diff/230001/content/public/browser...
File content/public/browser/web_contents_observer.h (right):

https://codereview.chromium.org/1181293003/diff/230001/content/public/browser...
content/public/browser/web_contents_observer.h:25: struct
SecurityStyleExplanations;
Ditto.

estark

On 2015/06/18 20:39:52, Charlie Reis (OOO soon) wrote: > Thanks, content/ LGTM with nits given ...

5 years, 6 months ago (2015-06-18 23:13:09 UTC) #51

On 2015/06/18 20:39:52, Charlie Reis (OOO soon) wrote:
> Thanks, content/ LGTM with nits given the previous discussion.
> 
> On 2015/06/18 18:37:50, estark wrote:
> > On 2015/06/18 17:34:56, jam wrote:
> > > I see; ok the plumbing is more complicated than I thought.
> > > 
> > > lgtm then
> > > 
> > > one nit: try to avoid the .cc files in content/public unless you have to
to
> > > avoid clang errors.
> > 
> > Great, thanks jam.
> > 
> > For avoiding the .cc files: are you suggesting that as a general best
practice
> > to know about, or specifically that I should move the content/public .cc
files
> > in this CL? I thought it's okay to have them because of this content API
> > guideline: "it's acceptable to put implementation files that hold
> > constructors/destructors of interfaces/structs which might have member
> > variables. For structs, this covers initializing member variables."
> > 
> > If security_explanation(s).cc don't belong in content/public, would I just
be
> > moving the files as-is to content/browser? Or should I make
> > SecurityExplanation(s) a virtual interface with a SecurityExplanation(s)Impl
> in
> > content/browser? (That approach seems heavy-handed)
> 
> I think he meant to inline them in the .h file if you can, unless clang
> complains that they have to live in a .cc file.  No need to move the .cc files
> if they have to exist.

Ah, ok, thanks for the clarification. I inlined SecurityStyleExplanation but
wasn't able to with SecurityStyleExplanations.

> 
>
https://codereview.chromium.org/1181293003/diff/230001/content/public/browser...
> File content/public/browser/web_contents_delegate.h (right):
> 
>
https://codereview.chromium.org/1181293003/diff/230001/content/public/browser...
> content/public/browser/web_contents_delegate.h:41: struct
> SecurityStyleExplanations;
> nit: List with the structs, not the classes.
> 
>
https://codereview.chromium.org/1181293003/diff/230001/content/public/browser...
> File content/public/browser/web_contents_observer.h (right):
> 
>
https://codereview.chromium.org/1181293003/diff/230001/content/public/browser...
> content/public/browser/web_contents_observer.h:25: struct
> SecurityStyleExplanations;
> Ditto.

estark

https://codereview.chromium.org/1181293003/diff/230001/content/public/browser/web_contents_delegate.h File content/public/browser/web_contents_delegate.h (right): https://codereview.chromium.org/1181293003/diff/230001/content/public/browser/web_contents_delegate.h#newcode41 content/public/browser/web_contents_delegate.h:41: struct SecurityStyleExplanations; On 2015/06/18 20:39:51, Charlie Reis (OOO soon) ...

5 years, 6 months ago (2015-06-18 23:13:26 UTC) #52

estark

The patchset sent to the CQ was uploaded after l-g-t-m from pkasting@chromium.org, rsleevi@chromium.org, jam@chromium.org, creis@chromium.org ...

5 years, 6 months ago (2015-06-19 14:44:03 UTC) #55