Issue 1918253002: CREDENTIAL: Credentials should be submitted within a registrable domain.

Issue 1918253002: CREDENTIAL: Credentials should be submitted within a registrable domain. (Closed)

Created:
4 years, 8 months ago by Mike West

Modified:
4 years, 8 months ago

Reviewers:
vabr (Chromium)

CC:
blink-reviews, chromium-reviews, haraken

Base URL:
https://chromium.googlesource.com/chromium/src.git@master

Target Ref:
refs/pending/heads/master

Project:
chromium

Visibility:
Public.

More Reviews

Description

CREDENTIAL: Credentials should be submitted within a registrable domain. The current code checks for an exact origin match when creating a Request. That doesn't match the specification; see step 3.1 of https://w3c.github.io/webappsec-credential-management/#body-extraction. BUG=606788 Committed: https://crrev.com/6036e62ac8638c3cdfd76db5dfe44ca05c62f682 Cr-Commit-Position: refs/heads/master@{#389858}

Patch Set 1 #

Patch Set 2 : php #

Total comments: 4

Patch Set 3 : vabr@ #

Created: 4 years, 8 months ago

Download [raw] [tar.bz2]

	Unified diffs	Side-by-side diffs	Delta from patch set	Stats (+69 lines, -3 lines)			Patch
A	third_party/WebKit/LayoutTests/http/tests/credentialmanager/passwordcredential-fetch-registrabledomain.html	View		1 chunk	+59 lines, -0 lines	0 comments	Download
M	third_party/WebKit/LayoutTests/http/tests/credentialmanager/resources/echo-post.php	View	1	1 chunk	+6 lines, -0 lines	0 comments	Download
M	third_party/WebKit/Source/modules/fetch/Request.cpp	View	1 2	2 chunks	+4 lines, -3 lines	0 comments	Download

Messages

Total messages: 11 (4 generated)

Expand Messages | Collapse Messages | Show Generated Messages | Hide Generated Messages

vabr (Chromium)

Thanks, Mike, this LGTM with comments. To be honest, I'm not sure I understand the ...

4 years, 8 months ago (2016-04-26 16:49:19 UTC) #3

Mike West

On 2016/04/26 at 16:49:19, vabr wrote: > Thanks, Mike, this LGTM with comments. > > ...

4 years, 8 months ago (2016-04-26 18:14:15 UTC) #4

On 2016/04/26 at 16:49:19, vabr wrote:
> Thanks, Mike, this LGTM with comments.
> 
> To be honest, I'm not sure I understand the tests
> completely, e.g., the initial change of the host

Blink's layout tests are loaded from `http://127.0.0.1:8000`. IP addresses are
not registrable domains; we resolve `*.test` to 127.0.0.1 for this purpose.
Navigating to `subdomain.example.test` loads the same test file from that
origin, which means we can check variants of that origin to see if we're allowed
to make the request. 

> or that all the URLs are HTTP

I'm being sneaky here. The `navigator.credentials.*` bits of the API are locked
to HTTPS. `PasswordCredential` objects are not. I'm not sure there's a good
security reason to hide the object on nonsecure origins, as without
`navigator.credentials.*`, you can't actually do much of anything with them
(except create them, and submit a form in a much more complicated way than you
could do by just submitting the form...).

> But you are the expert there so I trust you

AND THAT WAS YOUR FIRST MISTAKE MUWAHAHAHA. *cough*

> I'll grab you this week to chat about CM API anyway, so you can explain to me
there. :)

My calendar is your calendar.

https://codereview.chromium.org/1918253002/diff/20001/third_party/WebKit/Sour...
File third_party/WebKit/Source/modules/fetch/Request.cpp (right):

https://codereview.chromium.org/1918253002/diff/20001/third_party/WebKit/Sour...
third_party/WebKit/Source/modules/fetch/Request.cpp:330: const
OriginAccessEntry& accessEntry = OriginAccessEntry(r->url().protocol(),
r->url().host(), OriginAccessEntry::AllowRegisterableDomains);
On 2016/04/26 at 16:49:18, vabr (Chromium) wrote:
> This should be just const OriginAccessEntry, not a reference.

Indeed, thanks!

https://codereview.chromium.org/1918253002/diff/20001/third_party/WebKit/Sour...
third_party/WebKit/Source/modules/fetch/Request.cpp:332:
exceptionState.throwTypeError("Credentials may only be submitted to endpoints on
the same registrable domain.");
On 2016/04/26 at 16:49:19, vabr (Chromium) wrote:
> nit: The spelling in the spec is with "e" between "t" and "r": registerable.
> 
> https://w3c.github.io/webappsec-credential-management/#body-extraction

Ha! That's a typo in the spec, thanks (see https://publicsuffix.org/list/ (and
http://www.merriam-webster.com/dictionary/registrable)).

vabr (Chromium)

Thanks, Mike, for the explanation of the tests, it's much more clearer now! Also, happy ...

4 years, 8 months ago (2016-04-26 18:19:46 UTC) #5

commit-bot: I haz the power

CQ is trying da patch. Follow status at https://chromium-cq-status.appspot.com/patch-status/1918253002/40001 View timeline at https://chromium-cq-status.appspot.com/patch-timeline/1918253002/40001

4 years, 8 months ago (2016-04-26 18:23:27 UTC) #8

commit-bot: I haz the power

4 years, 8 months ago (2016-04-26 19:54:00 UTC) #11

Message was sent while issue was closed.

Patchset 3 (id:??) landed as
https://crrev.com/6036e62ac8638c3cdfd76db5dfe44ca05c62f682
Cr-Commit-Position: refs/heads/master@{#389858}

Expand Messages | Collapse Messages | Show Generated Messages | Hide Generated Messages