|
|
DescriptionUpstream: Add WebAPK security check in WebappLauncherActivity.
BUG=609122
Committed: https://crrev.com/3429e4e39615924504f2c95c1b97f61fed654881
Cr-Commit-Position: refs/heads/master@{#396547}
Patch Set 1 : #
Total comments: 5
Patch Set 2 : pkotwicz@'s comments. #
Total comments: 6
Patch Set 3 : dfalcantara@'s comments. #Messages
Total messages: 22 (10 generated)
Patchset #1 (id:1) has been deleted
Description was changed from ========== Upstream WebAPK security check in WebappLauncherActivity. BUG=609122 ========== to ========== Upstream: Add WebAPK security check in WebappLauncherActivity. BUG=609122 ==========
hanxi@chromium.org changed reviewers: + pkotwicz@chromium.org
Hi Peter, could you please take a look? Thanks!
LGTM Looks ready to send over for a security review https://codereview.chromium.org/2010403002/diff/20001/chrome/android/java/src... File chrome/android/java/src/org/chromium/chrome/browser/webapps/WebappLauncherActivity.java (right): https://codereview.chromium.org/2010403002/diff/20001/chrome/android/java/src... chrome/android/java/src/org/chromium/chrome/browser/webapps/WebappLauncherActivity.java:95: * Returns whether the MAC is present and valid for the fullscreen PWA to be opened. Nit: PWA -> "Progressive Web App" dfalcantara@ will probably have a better name to put in https://codereview.chromium.org/2010403002/diff/20001/chrome/android/java/src... chrome/android/java/src/org/chromium/chrome/browser/webapps/WebappLauncherActivity.java:172: * @param webapkPackage The package name of the requested WebAPK. For the sake of consistency: webapkPackage -> webApkPackage https://codereview.chromium.org/2010403002/diff/20001/chrome/android/java/src... chrome/android/java/src/org/chromium/chrome/browser/webapps/WebappLauncherActivity.java:181: boolean isValidWebApk = WebApkValidator.isValidWebApk(this, webapkPackage); This can be cleaned up a bit. How about: if (webApkPackage == null) { return false; } if (!WebApkValidator.isValidWebApk(this, webApkPackage)) { Log.d(TAG, "%s is not valid WebAPK", webApkPackage); return false; } if (!webApkPackage.equals(WebApkValidator.queryWebApkPackage(this, url)) { Log.d(TAG, "%s is not within scope of %s WebAPK", url, webApkPackage); return false; } return true; You can use "%s" in Log statements thanks to the magic of org.chromium.base.Log
hanxi@chromium.org changed reviewers: + dfalcantara@chromium.org
Hi Dan, could you please take a look? Thanks! https://codereview.chromium.org/2010403002/diff/20001/chrome/android/java/src... File chrome/android/java/src/org/chromium/chrome/browser/webapps/WebappLauncherActivity.java (right): https://codereview.chromium.org/2010403002/diff/20001/chrome/android/java/src... chrome/android/java/src/org/chromium/chrome/browser/webapps/WebappLauncherActivity.java:172: * @param webapkPackage The package name of the requested WebAPK. On 2016/05/27 15:20:16, pkotwicz wrote: > For the sake of consistency: webapkPackage -> webApkPackage Done. https://codereview.chromium.org/2010403002/diff/20001/chrome/android/java/src... chrome/android/java/src/org/chromium/chrome/browser/webapps/WebappLauncherActivity.java:181: boolean isValidWebApk = WebApkValidator.isValidWebApk(this, webapkPackage); On 2016/05/27 15:20:15, pkotwicz wrote: > This can be cleaned up a bit. How about: > > if (webApkPackage == null) { > return false; > } > > if (!WebApkValidator.isValidWebApk(this, webApkPackage)) { > Log.d(TAG, "%s is not valid WebAPK", webApkPackage); > return false; > } > > if (!webApkPackage.equals(WebApkValidator.queryWebApkPackage(this, url)) { > Log.d(TAG, "%s is not within scope of %s WebAPK", url, webApkPackage); > return false; > } > return true; > > You can use "%s" in Log statements thanks to the magic of org.chromium.base.Log > Done.
https://codereview.chromium.org/2010403002/diff/40001/chrome/android/java/src... File chrome/android/java/src/org/chromium/chrome/browser/webapps/WebappLauncherActivity.java (right): https://codereview.chromium.org/2010403002/diff/40001/chrome/android/java/src... chrome/android/java/src/org/chromium/chrome/browser/webapps/WebappLauncherActivity.java:63: // Permit the launch to a standalone web app frame if: if any of the following are true https://codereview.chromium.org/2010403002/diff/40001/chrome/android/java/src... chrome/android/java/src/org/chromium/chrome/browser/webapps/WebappLauncherActivity.java:95: * Returns whether the MAC is present and valid for the fullscreen Progressive Web App to be Web apps are currently almost never Progressive. /** * Checks whether or not the MAC is present and valid for the web app shortcut. * * The MAC is used to prevent malicious apps from launching Chrome into a full screen * Activity for phishing attacks (among other reasons). * * @param url The URL for the web app. * @param mac MAC to compare the URL against. See {@link WebappAuthenticator}. * @return Whether the MAC is valid for the URL. */ private boolean isValidMacForUrl(String url, String mac) { } https://codereview.chromium.org/2010403002/diff/40001/chrome/android/java/src... chrome/android/java/src/org/chromium/chrome/browser/webapps/WebappLauncherActivity.java:107: return IntentHandler.wasIntentSenderChrome(intent, does this not fit on a line?
Thanks Dan, ptal. https://codereview.chromium.org/2010403002/diff/40001/chrome/android/java/src... File chrome/android/java/src/org/chromium/chrome/browser/webapps/WebappLauncherActivity.java (right): https://codereview.chromium.org/2010403002/diff/40001/chrome/android/java/src... chrome/android/java/src/org/chromium/chrome/browser/webapps/WebappLauncherActivity.java:63: // Permit the launch to a standalone web app frame if: On 2016/05/27 18:20:49, dfalcantara wrote: > if any of the following are true Done. https://codereview.chromium.org/2010403002/diff/40001/chrome/android/java/src... chrome/android/java/src/org/chromium/chrome/browser/webapps/WebappLauncherActivity.java:95: * Returns whether the MAC is present and valid for the fullscreen Progressive Web App to be On 2016/05/27 18:20:49, dfalcantara wrote: > Web apps are currently almost never Progressive. > > /** > * Checks whether or not the MAC is present and valid for the web app shortcut. > * > * The MAC is used to prevent malicious apps from launching Chrome into a full > screen > * Activity for phishing attacks (among other reasons). > * > * @param url The URL for the web app. > * @param mac MAC to compare the URL against. See {@link WebappAuthenticator}. > * @return Whether the MAC is valid for the URL. > */ > private boolean isValidMacForUrl(String url, String mac) { > } Thanks! https://codereview.chromium.org/2010403002/diff/40001/chrome/android/java/src... chrome/android/java/src/org/chromium/chrome/browser/webapps/WebappLauncherActivity.java:107: return IntentHandler.wasIntentSenderChrome(intent, On 2016/05/27 18:20:49, dfalcantara wrote: > does this not fit on a line? Updated.
lgtm
hanxi@chromium.org changed reviewers: + rsesseta@gmail.com
Hi Robert, could you please review this CL from security perspective? Thanks!
hanxi@chromium.org changed reviewers: + rsesek@chromium.org - rsesseta@gmail.com
Hi Robert, could you please review this CL from the security perspective?
lgtm
The CQ bit was checked by hanxi@chromium.org
The patchset sent to the CQ was uploaded after l-g-t-m from pkotwicz@chromium.org Link to the patchset: https://codereview.chromium.org/2010403002/#ps60001 (title: "dfalcantara@'s comments.")
CQ is trying da patch. Follow status at https://chromium-cq-status.appspot.com/patch-status/2010403002/60001 View timeline at https://chromium-cq-status.appspot.com/patch-timeline/2010403002/60001
Message was sent while issue was closed.
Description was changed from ========== Upstream: Add WebAPK security check in WebappLauncherActivity. BUG=609122 ========== to ========== Upstream: Add WebAPK security check in WebappLauncherActivity. BUG=609122 ==========
Message was sent while issue was closed.
Committed patchset #3 (id:60001)
Message was sent while issue was closed.
Description was changed from ========== Upstream: Add WebAPK security check in WebappLauncherActivity. BUG=609122 ========== to ========== Upstream: Add WebAPK security check in WebappLauncherActivity. BUG=609122 Committed: https://crrev.com/3429e4e39615924504f2c95c1b97f61fed654881 Cr-Commit-Position: refs/heads/master@{#396547} ==========
Message was sent while issue was closed.
Patchset 3 (id:??) landed as https://crrev.com/3429e4e39615924504f2c95c1b97f61fed654881 Cr-Commit-Position: refs/heads/master@{#396547} |