DescriptionRevert of Implement inline signin with iframe (https://codereview.chromium.org/134263005/)
Reason for revert:
As discussed with Karen, this CL will hit canary again by tongiht. Since we won't have a fix till tmrw noon (EST) at the earliest, we need to revert it for now.
Original issue's description:
> Implement inline signin with iframe
>
> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=
> This is a dup of https://codereview.chromium.org/130963006/ since I cannot
> upload to that issue. The only change is to address Xiyuan's two comments
> in patchset 3 of that CL.
> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=
>
> Inline signin chrome://chrome-signin is currently implemented using webview embedded in webUI, which breaks a couple of features in webUI and has serious accessbility issues. Since webview will be reimplemented based on OOPIF in the near future, and all the issues we have today will no longer apply, thus it is not worth the effort to fix them as they are throw away work. Instead, as suggested by John and prototyped in https://codereview.chromium.org/141363006/, we decide to switch to iframe instead. A few issues worth to mention,
>
> 1. The iframe shares the same renderer as the embedder webUI, and thus could be potentially exposed to dangerous webUI privileges. John suggested a fix by assigning a unique storage partition ID to the inline signin page. As a result the inline signin and its embedded web content should never share the same renderer with other webUI pages.
>
> 2. webview provides a direct API to inject script and to monitor requests/responses, which is not (directly) available with iframe. The CL works around the issue using content script and background script, quite similar to what CrOS is doing for SAML flow today. Thus it is also the first step towards unifying SAML flows on CrOS and desktop.
>
> 3. with webview approach, we used to have a unique temporary partition for each instance of inline signin, in order to make sure multiple instances do not interfere with each other. This is more difficult with the iframe approach, since the partition ID is hardcoded in a quite low layer. In this CL, all inline signin pages share the same persistent partition, which means we have to handle the case when user loads the sign in page with a dirty cookie jar, and thus the newly connected user may not be stored in the primary session. The CL solves the issue by reading 'session_index' from 'google-accounts-signin' header.
>
> BUG=338127
>
> Committed: https://src.chromium.org/viewvc/chrome?view=rev&revision=251503
TBR=xiyuan@chromium.org,jam@chromium.org,nasko@chromium.org,rogerta@chromium.org
NOTREECHECKS=true
NOTRY=true
BUG=338127
Patch Set 1 #
Created: 6 years, 10 months ago
(Patch set is too large to download)
Messages
Total messages: 10 (0 generated)
|