Chromium Code Reviews
Help | Chromium Project | Gerrit Changes | Sign in
(24)

Issue 1485973002: Removal of geolocation APIs on insecure origins (Closed)

Created:
2 years, 11 months ago by jww
Modified:
2 years, 11 months ago
CC:
blink-reviews, chromium-reviews, jochen (gone - plz use gerrit), mlamouri+watch-blink_chromium.org, mvanouwerkerk+watch_chromium.org, timvolodine
Base URL:
https://chromium.googlesource.com/chromium/src@master
Target Ref:
refs/pending/heads/master
Project:
chromium
Visibility:
Public.

Description

Removal of geolocation APIs on insecure origins This disallows the geolocation APIs getCurrentPosition() and watchPosition() from being used on insecure origins. Adds a console warning message that the API call has failed because of this. BUG=520765, 561641 Committed: https://crrev.com/33ef9f5c8df422b0320cbc506d57bdce2999ebc8 Cr-Commit-Position: refs/heads/master@{#364642}

Patch Set 1 #

Total comments: 4

Patch Set 2 : Address philipj's nits #

Patch Set 3 : Update GeolocationPermissionContext #

Patch Set 4 : Fix unit tests #

Patch Set 5 : Rebase on ToT #

Patch Set 6 : Fix WebView tests #

Messages

Total messages: 90 (28 generated)
jww
philipj@opera.com, can you take a look at this? This has the required 3 LGTMs from ...
2 years, 11 months ago (2015-12-01 02:11:06 UTC) #2
jww
Whoops, meant to include mlamouri@ as a reviewer for the Geolocation bits :-) Sorry!
2 years, 11 months ago (2015-12-01 02:12:47 UTC) #4
philipj_slow
lgtm with optional testharness.js nits https://codereview.chromium.org/1485973002/diff/1/third_party/WebKit/LayoutTests/http/tests/security/powerfulFeatureRestrictions/old-powerful-features-on-insecure-origin.html File third_party/WebKit/LayoutTests/http/tests/security/powerfulFeatureRestrictions/old-powerful-features-on-insecure-origin.html (right): https://codereview.chromium.org/1485973002/diff/1/third_party/WebKit/LayoutTests/http/tests/security/powerfulFeatureRestrictions/old-powerful-features-on-insecure-origin.html#newcode60 third_party/WebKit/LayoutTests/http/tests/security/powerfulFeatureRestrictions/old-powerful-features-on-insecure-origin.html:60: this.done(); This line won't ...
2 years, 11 months ago (2015-12-01 08:45:21 UTC) #5
jww
Confirmed with rbyers that his lgtm is still gtg, so once mlamouri reviews, we should ...
2 years, 11 months ago (2015-12-01 18:31:54 UTC) #6
mlamouri (slow - plz ping)
Could you modify the permission context too?
2 years, 11 months ago (2015-12-01 19:06:06 UTC) #7
jww
Mounir, can you clarify? I'm not sure what you're looking for. On Tue, Dec 1, ...
2 years, 11 months ago (2015-12-01 19:15:30 UTC) #8
jww
Mounir, can you clarify? I'm not sure what you're looking for. On Tue, Dec 1, ...
2 years, 11 months ago (2015-12-01 19:15:32 UTC) #9
mlamouri (slow - plz ping)
Sorry for the lack of details, I assumed you knew about PermissionContexts. The content layer ...
2 years, 11 months ago (2015-12-02 15:08:53 UTC) #10
jww
On 2015/12/02 15:08:53, Mounir Lamouri OOO till Monday wrote: > Sorry for the lack of ...
2 years, 11 months ago (2015-12-03 19:32:18 UTC) #11
jww
Mounir, can you take another look? Thanks!
2 years, 11 months ago (2015-12-03 19:46:53 UTC) #12
mlamouri (slow - plz ping)
lgtm
2 years, 11 months ago (2015-12-07 17:53:43 UTC) #13
jww
thestig@, can you OWNER review chrome/browser/geolocation/geolocation_permission_context.cc? Thanks!
2 years, 11 months ago (2015-12-07 18:38:00 UTC) #15
Lei Zhang
lgtm
2 years, 11 months ago (2015-12-07 19:29:27 UTC) #16
commit-bot: I haz the power
CQ is trying da patch. Follow status at https://chromium-cq-status.appspot.com/patch-status/1485973002/40001 View timeline at https://chromium-cq-status.appspot.com/patch-timeline/1485973002/40001
2 years, 11 months ago (2015-12-07 19:34:46 UTC) #19
commit-bot: I haz the power
Try jobs failed on following builders: linux_chromium_chromeos_rel_ng on tryserver.chromium.linux (JOB_FAILED, http://build.chromium.org/p/tryserver.chromium.linux/builders/linux_chromium_chromeos_rel_ng/builds/139154) mac_chromium_rel_ng on tryserver.chromium.mac (JOB_FAILED, ...
2 years, 11 months ago (2015-12-07 20:45:11 UTC) #21
commit-bot: I haz the power
CQ is trying da patch. Follow status at https://chromium-cq-status.appspot.com/patch-status/1485973002/60001 View timeline at https://chromium-cq-status.appspot.com/patch-timeline/1485973002/60001
2 years, 11 months ago (2015-12-07 23:04:52 UTC) #24
commit-bot: I haz the power
Try jobs failed on following builders: win8_chromium_ng on tryserver.chromium.win (JOB_FAILED, http://build.chromium.org/p/tryserver.chromium.win/builders/win8_chromium_ng/builds/76976)
2 years, 11 months ago (2015-12-07 23:17:44 UTC) #26
commit-bot: I haz the power
CQ is trying da patch. Follow status at https://chromium-cq-status.appspot.com/patch-status/1485973002/80001 View timeline at https://chromium-cq-status.appspot.com/patch-timeline/1485973002/80001
2 years, 11 months ago (2015-12-07 23:26:39 UTC) #29
commit-bot: I haz the power
Try jobs failed on following builders: mac_chromium_rel_ng on tryserver.chromium.mac (JOB_FAILED, http://build.chromium.org/p/tryserver.chromium.mac/builders/mac_chromium_rel_ng/builds/151479)
2 years, 11 months ago (2015-12-08 00:11:14 UTC) #31
commit-bot: I haz the power
CQ is trying da patch. Follow status at https://chromium-cq-status.appspot.com/patch-status/1485973002/80001 View timeline at https://chromium-cq-status.appspot.com/patch-timeline/1485973002/80001
2 years, 11 months ago (2015-12-08 00:30:23 UTC) #33
commit-bot: I haz the power
Try jobs failed on following builders: linux_chromium_asan_rel_ng on tryserver.chromium.linux (JOB_FAILED, http://build.chromium.org/p/tryserver.chromium.linux/builders/linux_chromium_asan_rel_ng/builds/88853) linux_chromium_rel_ng on tryserver.chromium.linux (JOB_FAILED, ...
2 years, 11 months ago (2015-12-08 00:51:59 UTC) #35
commit-bot: I haz the power
CQ is trying da patch. Follow status at https://chromium-cq-status.appspot.com/patch-status/1485973002/80001 View timeline at https://chromium-cq-status.appspot.com/patch-timeline/1485973002/80001
2 years, 11 months ago (2015-12-08 00:58:45 UTC) #37
commit-bot: I haz the power
Try jobs failed on following builders: linux_android_rel_ng on tryserver.chromium.linux (JOB_FAILED, http://build.chromium.org/p/tryserver.chromium.linux/builders/linux_android_rel_ng/builds/106646)
2 years, 11 months ago (2015-12-08 02:41:22 UTC) #39
commit-bot: I haz the power
CQ is trying da patch. Follow status at https://chromium-cq-status.appspot.com/patch-status/1485973002/80001 View timeline at https://chromium-cq-status.appspot.com/patch-timeline/1485973002/80001
2 years, 11 months ago (2015-12-09 00:46:12 UTC) #41
jww
sgurun@chromium.org, would you mind taking a look at my WebView test change? Thanks!
2 years, 11 months ago (2015-12-09 02:10:31 UTC) #44
commit-bot: I haz the power
Dry run: CQ is trying da patch. Follow status at https://chromium-cq-status.appspot.com/patch-status/1485973002/100001 View timeline at https://chromium-cq-status.appspot.com/patch-timeline/1485973002/100001
2 years, 11 months ago (2015-12-09 02:12:47 UTC) #45
commit-bot: I haz the power
Dry run: This issue passed the CQ dry run.
2 years, 11 months ago (2015-12-09 05:27:10 UTC) #47
jww
On 2015/12/09 05:27:10, commit-bot: I haz the power wrote: > Dry run: This issue passed ...
2 years, 11 months ago (2015-12-09 16:22:38 UTC) #48
sgurun-gerrit only
On 2015/12/09 16:22:38, jww wrote: > On 2015/12/09 05:27:10, commit-bot: I haz the power wrote: ...
2 years, 11 months ago (2015-12-09 16:24:08 UTC) #49
sgurun-gerrit only
On 2015/12/09 16:24:08, sgurun wrote: > On 2015/12/09 16:22:38, jww wrote: > > On 2015/12/09 ...
2 years, 11 months ago (2015-12-09 19:17:33 UTC) #50
jww
On 2015/12/09 19:17:33, sgurun wrote: > On 2015/12/09 16:24:08, sgurun wrote: > > On 2015/12/09 ...
2 years, 11 months ago (2015-12-09 20:54:27 UTC) #51
sgurun-gerrit only
On 2015/12/09 20:54:27, jww wrote: > On 2015/12/09 19:17:33, sgurun wrote: > > On 2015/12/09 ...
2 years, 11 months ago (2015-12-09 21:01:57 UTC) #52
Rick Byers
On 2015/12/09 21:01:57, sgurun wrote: > On 2015/12/09 20:54:27, jww wrote: > > On 2015/12/09 ...
2 years, 11 months ago (2015-12-09 21:12:45 UTC) #53
sgurun-gerrit only
On 2015/12/09 21:12:45, Rick Byers wrote: > On 2015/12/09 21:01:57, sgurun wrote: > > On ...
2 years, 11 months ago (2015-12-09 22:30:46 UTC) #54
jww
On 2015/12/09 22:30:46, sgurun wrote: > On 2015/12/09 21:12:45, Rick Byers wrote: > > On ...
2 years, 11 months ago (2015-12-09 23:32:14 UTC) #55
jww
On 2015/12/09 23:32:14, jww wrote: > On 2015/12/09 22:30:46, sgurun wrote: > > On 2015/12/09 ...
2 years, 11 months ago (2015-12-10 02:25:28 UTC) #56
sgurun-gerrit only
On 2015/12/10 02:25:28, jww wrote: > On 2015/12/09 23:32:14, jww wrote: > > On 2015/12/09 ...
2 years, 11 months ago (2015-12-10 03:28:27 UTC) #57
jww
On 2015/12/10 03:28:27, sgurun wrote: > On 2015/12/10 02:25:28, jww wrote: > > On 2015/12/09 ...
2 years, 11 months ago (2015-12-10 06:35:35 UTC) #58
sgurun-gerrit only
On 2015/12/10 06:35:35, jww wrote: > On 2015/12/10 03:28:27, sgurun wrote: > > On 2015/12/10 ...
2 years, 11 months ago (2015-12-10 17:21:29 UTC) #61
Torne
I think the major special thing about WebView here is that lots of WebView apps ...
2 years, 11 months ago (2015-12-10 18:22:58 UTC) #62
jww
Thanks, Torne. Special casing data: URIs as secure when loaded via loadUrl/loadData sounds reasonable to ...
2 years, 11 months ago (2015-12-10 18:33:20 UTC) #63
sgurun-gerrit only
On 2015/12/10 18:33:20, jww wrote: > Thanks, Torne. Special casing data: URIs as secure when ...
2 years, 11 months ago (2015-12-10 18:36:28 UTC) #64
Torne
On 2015/12/10 18:33:20, jww wrote: > Thanks, Torne. Special casing data: URIs as secure when ...
2 years, 11 months ago (2015-12-10 18:58:13 UTC) #65
jww
On 2015/12/10 18:58:13, Torne wrote: > On 2015/12/10 18:33:20, jww wrote: > > Thanks, Torne. ...
2 years, 11 months ago (2015-12-10 21:41:07 UTC) #66
sgurun-gerrit only
On 2015/12/10 21:41:07, jww wrote: > On 2015/12/10 18:58:13, Torne wrote: > > On 2015/12/10 ...
2 years, 11 months ago (2015-12-10 21:52:38 UTC) #67
jww
On 2015/12/10 21:52:38, sgurun wrote: > On 2015/12/10 21:41:07, jww wrote: > > On 2015/12/10 ...
2 years, 11 months ago (2015-12-10 22:09:18 UTC) #68
sgurun-gerrit only
On 2015/12/10 22:09:18, jww wrote: > On 2015/12/10 21:52:38, sgurun wrote: > > On 2015/12/10 ...
2 years, 11 months ago (2015-12-10 22:29:50 UTC) #69
jww
On 2015/12/10 22:29:50, sgurun wrote: > On 2015/12/10 22:09:18, jww wrote: > > On 2015/12/10 ...
2 years, 11 months ago (2015-12-10 23:55:57 UTC) #70
sgurun-gerrit only
On 2015/12/10 23:55:57, jww wrote: > On 2015/12/10 22:29:50, sgurun wrote: > > On 2015/12/10 ...
2 years, 11 months ago (2015-12-10 23:58:29 UTC) #73
commit-bot: I haz the power
CQ is trying da patch. Follow status at https://chromium-cq-status.appspot.com/patch-status/1485973002/100001 View timeline at https://chromium-cq-status.appspot.com/patch-timeline/1485973002/100001
2 years, 11 months ago (2015-12-10 23:59:12 UTC) #74
commit-bot: I haz the power
Try jobs failed on following builders: linux_android_rel_ng on tryserver.chromium.linux (JOB_FAILED, http://build.chromium.org/p/tryserver.chromium.linux/builders/linux_android_rel_ng/builds/109102)
2 years, 11 months ago (2015-12-11 02:55:35 UTC) #76
commit-bot: I haz the power
CQ is trying da patch. Follow status at https://chromium-cq-status.appspot.com/patch-status/1485973002/100001 View timeline at https://chromium-cq-status.appspot.com/patch-timeline/1485973002/100001
2 years, 11 months ago (2015-12-11 06:07:33 UTC) #78
commit-bot: I haz the power
Committed patchset #6 (id:100001)
2 years, 11 months ago (2015-12-11 07:34:31 UTC) #80
commit-bot: I haz the power
Patchset 6 (id:??) landed as https://crrev.com/33ef9f5c8df422b0320cbc506d57bdce2999ebc8 Cr-Commit-Position: refs/heads/master@{#364642}
2 years, 11 months ago (2015-12-11 07:35:17 UTC) #82
johnme
A revert of this CL (patchset #6 id:100001) has been created in https://codereview.chromium.org/1515103003/ by johnme@chromium.org. ...
2 years, 11 months ago (2015-12-11 13:24:43 UTC) #83
Torne
On 2015/12/10 23:55:57, jww wrote: > On 2015/12/10 22:29:50, sgurun wrote: > > On 2015/12/10 ...
2 years, 11 months ago (2015-12-11 14:33:24 UTC) #84
sgurun-gerrit only
On 2015/12/11 14:33:24, Torne wrote: > On 2015/12/10 23:55:57, jww wrote: > > On 2015/12/10 ...
2 years, 11 months ago (2015-12-11 16:41:28 UTC) #85
sgurun-gerrit only
On 2015/12/11 14:33:24, Torne wrote: > On 2015/12/10 23:55:57, jww wrote: > > On 2015/12/10 ...
2 years, 11 months ago (2015-12-11 16:41:36 UTC) #86
Torne
We can talk to the CTS maintainers about updating the tests to use loadDataWithBaseURL, but ...
2 years, 11 months ago (2015-12-11 17:07:37 UTC) #87
jww
On 2015/12/11 17:07:37, Torne wrote: > We can talk to the CTS maintainers about updating ...
2 years, 11 months ago (2015-12-12 01:46:02 UTC) #88
sgurun-gerrit only
On 2015/12/12 01:46:02, jww wrote: > On 2015/12/11 17:07:37, Torne wrote: > > We can ...
2 years, 11 months ago (2015-12-12 01:50:31 UTC) #89
jww
2 years, 11 months ago (2015-12-12 01:54:51 UTC) #90
Message was sent while issue was closed.
On 2015/12/12 01:50:31, sgurun wrote:
> On 2015/12/12 01:46:02, jww wrote:
> > On 2015/12/11 17:07:37, Torne wrote:
> > > We can talk to the CTS maintainers about updating the tests to use
> > > loadDataWithBaseURL, but we'd have to wait until CTS has been updated for
> 5.0,
> > > 5.1 and 6.0 and all three of those have been released for vendors to use.
> > 
> > Hi guys. It seems weird to me that we would leave a security hole in WebView
> > because of tests. Is there no way to ship a new set of tests that would, in
> this
> > case, actually reduce the number of tests that needed to be passed? That is,
> we
> > could temporarily remove those tests from CTS, and then add them back in
with
> > loadDataWithBaseURL for the next Android release.
> 
> these tests are not integration or unit tests. These tests define how devices
> become compatible with Android platform and released as part of android
> schedule. It is probably better to meet and talk.

I understand, but I'm surprised that there is no ability to release an update
that removes the burden for vendors. But as I mentioned offline, I setup a
meeting to chat. Happy to hash it out then.

Powered by Google App Engine
This is Rietveld 408576698