Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(428)

Issues Search
    My Issues | Starred     Open | Closed | All

Issue 18104009: Mixed content iframe checks should use top (Closed)

Created:
7 years, 5 months ago by abarth-chromium
Modified:
7 years, 5 months ago
Reviewers:
Tom Sepez, Chris Evans
CC:
blink-reviews, dglazkov+blink, Nate Chapin, eae+blinkwatch, gavinp+loader_chromium.org
Visibility:
Public.

Description

Mixed content iframe checks should use top Prior to this CL, we were using the parent frame when checking iframes for mixed content. Unfortunately, that breaks the iTunes download page because it uses an HTTPS iframe to kick off the HTTP download. This CL causes us to use the top-level frame for this check. That's reasonable because if the top-level frame is HTTP, the user doesn't have any expectation that they're being protected from network attackers This change effectively reverts https://src.chromium.org/viewvc/blink?revision=150260&view=revision. I tried partially reverting that revision by keeping the blocking behavior, but that broke a number of assumptions in Chromium about how didRunInsecureContent works. It also broke the ReferrerPolicyTest browser tests in worrying ways. I would like to get back to blocking mixed content iframes, but we'll need to do that without breaking the iTunes download page. R=tsepez@chromium.org BUG=244210 Committed: https://src.chromium.org/viewvc/blink?view=rev&revision=153937

Patch Set 1 #

Patch Set 2 : Update expected results #

Patch Set 3 : Drop back to canDisplay #

Unified diffs Side-by-side diffs Delta from patch set Stats (+25 lines, -16 lines) Patch
M LayoutTests/http/tests/security/mixedContent/insecure-iframe-in-iframe-expected.txt View 1 chunk +0 lines, -3 lines 0 comments Download
M LayoutTests/http/tests/security/mixedContent/insecure-iframe-in-main-frame-allowed-expected.txt View 1 2 1 chunk +2 lines, -2 lines 0 comments Download
M LayoutTests/http/tests/security/mixedContent/insecure-iframe-in-main-frame-blocked-expected.txt View 1 2 1 chunk +6 lines, -2 lines 0 comments Download
M LayoutTests/http/tests/security/mixedContent/insecure-iframe-in-main-frame-expected.txt View 1 2 1 chunk +2 lines, -2 lines 0 comments Download
M LayoutTests/http/tests/security/mixedContent/redirect-http-to-https-iframe-in-main-frame-expected.txt View 1 2 1 chunk +2 lines, -2 lines 0 comments Download
M LayoutTests/http/tests/security/mixedContent/redirect-https-to-http-iframe-in-main-frame-expected.txt View 1 2 1 chunk +2 lines, -2 lines 0 comments Download
M LayoutTests/http/tests/security/originHeader/origin-header-for-https-expected.txt View 1 2 1 chunk +2 lines, -0 lines 0 comments Download
M LayoutTests/http/tests/security/referrer-policy-redirect-link-expected.txt View 1 2 1 chunk +2 lines, -0 lines 0 comments Download
M LayoutTests/http/tests/ssl/referer-301-expected.txt View 1 2 1 chunk +2 lines, -0 lines 0 comments Download
M LayoutTests/http/tests/ssl/referer-303-expected.txt View 1 2 1 chunk +2 lines, -0 lines 0 comments Download
M Source/core/loader/DocumentLoader.cpp View 1 2 1 chunk +3 lines, -3 lines 0 comments Download

Messages

Total messages: 20 (0 generated)
abarth-chromium
7 years, 5 months ago (2013-07-09 22:13:48 UTC) #1
Tom Sepez
LGTM, and I think the policy is OK.
7 years, 5 months ago (2013-07-09 22:21:00 UTC) #2
abarth-chromium
On 2013/07/09 22:21:00, Tom Sepez wrote: > LGTM, and I think the policy is OK. ...
7 years, 5 months ago (2013-07-09 22:24:14 UTC) #3
commit-bot: I haz the power
CQ is trying da patch. Follow status at https://chromium-status.appspot.com/cq/abarth@chromium.org/18104009/1
7 years, 5 months ago (2013-07-09 22:24:49 UTC) #4
commit-bot: I haz the power
Retried try job too often on mac_layout_rel for step(s) webkit_tests http://build.chromium.org/p/tryserver.chromium/buildstatus?builder=mac_layout_rel&number=12058
7 years, 5 months ago (2013-07-10 00:57:08 UTC) #5
commit-bot: I haz the power
CQ is trying da patch. Follow status at https://chromium-status.appspot.com/cq/abarth@chromium.org/18104009/1
7 years, 5 months ago (2013-07-10 01:24:41 UTC) #6
commit-bot: I haz the power
Retried try job too often on mac_layout_rel for step(s) webkit_tests http://build.chromium.org/p/tryserver.chromium/buildstatus?builder=mac_layout_rel&number=12082
7 years, 5 months ago (2013-07-10 02:44:59 UTC) #7
commit-bot: I haz the power
CQ is trying da patch. Follow status at https://chromium-status.appspot.com/cq/abarth@chromium.org/18104009/1
7 years, 5 months ago (2013-07-10 03:56:34 UTC) #8
commit-bot: I haz the power
Retried try job too often on linux_layout_rel for step(s) webkit_tests http://build.chromium.org/p/tryserver.chromium/buildstatus?builder=linux_layout_rel&number=15718
7 years, 5 months ago (2013-07-10 04:57:40 UTC) #9
commit-bot: I haz the power
CQ is trying da patch. Follow status at https://chromium-status.appspot.com/cq/abarth@chromium.org/18104009/1
7 years, 5 months ago (2013-07-10 05:57:23 UTC) #10
commit-bot: I haz the power
Retried try job too often on linux_layout_rel for step(s) webkit_tests http://build.chromium.org/p/tryserver.chromium/buildstatus?builder=linux_layout_rel&number=15742
7 years, 5 months ago (2013-07-10 06:47:21 UTC) #11
commit-bot: I haz the power
CQ is trying da patch. Follow status at https://chromium-status.appspot.com/cq/abarth@chromium.org/18104009/1
7 years, 5 months ago (2013-07-10 07:34:22 UTC) #12
commit-bot: I haz the power
Failed to trigger a try job on linux_layout_rel HTTP Error 400: Bad Request
7 years, 5 months ago (2013-07-10 08:01:35 UTC) #13
commit-bot: I haz the power
CQ is trying da patch. Follow status at https://chromium-status.appspot.com/cq/abarth@chromium.org/18104009/53002
7 years, 5 months ago (2013-07-10 08:02:42 UTC) #14
commit-bot: I haz the power
Change committed as 153879
7 years, 5 months ago (2013-07-10 10:19:53 UTC) #15
abarth-chromium
This CL was reverted because it broke a bunch of Chromium-side code. There's some discussion ...
7 years, 5 months ago (2013-07-10 18:25:00 UTC) #16
abarth-chromium
@tsepez: Would you like to review this CL again?
7 years, 5 months ago (2013-07-10 18:31:56 UTC) #17
Tom Sepez
On 2013/07/10 18:31:56, abarth wrote: > @tsepez: Would you like to review this CL again? ...
7 years, 5 months ago (2013-07-10 20:15:53 UTC) #18
commit-bot: I haz the power
CQ is trying da patch. Follow status at https://chromium-status.appspot.com/cq/abarth@chromium.org/18104009/59002
7 years, 5 months ago (2013-07-10 20:16:59 UTC) #19
commit-bot: I haz the power
7 years, 5 months ago (2013-07-10 23:08:57 UTC) #20
Message was sent while issue was closed. 
Change committed as 153937

Powered by Google App Engine
This is Rietveld 408576698