Issue 2118583003: Display when PKP is bypassed in devtools

Issue 2118583003: Display when PKP is bypassed in devtools (Closed)

Created:
4 years, 5 months ago by dadrian

Modified:
4 years, 5 months ago

Reviewers:
lgarron, Charlie Reis, dgozman, estark

CC:
apavlov+blink_chromium.org, blink-reviews, caseq+blink_chromium.org, chromium-reviews, darin-cc_chromium.org, devtools-reviews_chromium.org, jam, kozyatinskiy+blink_chromium.org, lushnikov+blink_chromium.org, pfeldman+blink_chromium.org, pfeldman, sergeyv+blink_chromium.org

Base URL:
https://chromium.googlesource.com/chromium/src.git@master

Target Ref:
refs/pending/heads/master

Project:
chromium

Visibility:
Public.

More Reviews

Description

Display when PKP is bypassed in devtools This adds a security explanation to devtools for when public-key pinning is bypassed due to a local trust anchor. It does not affect the security state of the page, and enforces that "Info" explanations are shown last. BUG=566144 Committed: https://crrev.com/727e23f969ad3c54184efd67c6fae4bc7935b72a Cr-Commit-Position: refs/heads/master@{#404253}

Patch Set 1 #

Total comments: 4

Patch Set 2 : Address comments. #

Total comments: 10

Patch Set 3 : Reviewer comments #

Total comments: 4

Patch Set 4 : Move to explanation #

Total comments: 4

Patch Set 5 : Fix typos. #

Total comments: 4

Patch Set 6 : Add comments #

Created: 4 years, 5 months ago

Download [raw] [tar.bz2]

	Unified diffs	Side-by-side diffs	Delta from patch set	Stats (+125 lines, -18 lines)			Patch
M	chrome/browser/ssl/chrome_security_state_model_client.cc	View	1 2 3	2 chunks	+8 lines, -1 line	0 comments	Download
M	chrome/browser/ssl/chrome_security_state_model_client_browser_tests.cc	View	1 2 3	11 chunks	+11 lines, -0 lines	0 comments	Download
M	content/browser/devtools/protocol/security_handler.cc	View	1 2 3	1 chunk	+2 lines, -0 lines	0 comments	Download
M	content/public/browser/security_style_explanations.h	View	1 2 3 4 5	2 chunks	+4 lines, -1 line	0 comments	Download
A +	third_party/WebKit/LayoutTests/http/tests/inspector/security/security-explanation-ordering.html	View	1 2 3	2 chunks	+19 lines, -2 lines	0 comments	Download
A	third_party/WebKit/LayoutTests/http/tests/inspector/security/security-explanation-ordering-expected.txt	View	1 2 3	1 chunk	+52 lines, -0 lines	0 comments	Download
M	third_party/WebKit/Source/devtools/front_end/security/SecurityPanel.js	View	1 2 3 4	7 chunks	+23 lines, -12 lines	0 comments	Download
M	third_party/WebKit/Source/devtools/front_end/security/mainView.css	View	1 2 3	1 chunk	+6 lines, -2 lines	0 comments	Download

Messages

Total messages: 27 (8 generated)

Expand Messages | Collapse Messages | Show Generated Messages | Hide Generated Messages

dadrian

From what I can tell, this works? My testing was limited, anyone got a Superfish ...

4 years, 5 months ago (2016-07-01 00:13:00 UTC) #2

estark

devtools js style is not my forte but lgtm from what I can tell. Oh, ...

4 years, 5 months ago (2016-07-01 01:02:43 UTC) #3

lgarron

LGTM with nit. https://codereview.chromium.org/2118583003/diff/1/third_party/WebKit/Source/devtools/front_end/security/SecurityPanel.js File third_party/WebKit/Source/devtools/front_end/security/SecurityPanel.js (right): https://codereview.chromium.org/2118583003/diff/1/third_party/WebKit/Source/devtools/front_end/security/SecurityPanel.js#newcode619 third_party/WebKit/Source/devtools/front_end/security/SecurityPanel.js:619: var pkpBypassedExplanation = WebInspector.UIString("Public-key pinning was ...

4 years, 5 months ago (2016-07-01 01:33:40 UTC) #4

dadrian

dgozman@chromium.org: We're back with the rest of the devtools changes from Tuesday! Looking for review ...

4 years, 5 months ago (2016-07-01 01:58:45 UTC) #6

dgozman

https://codereview.chromium.org/2118583003/diff/20001/third_party/WebKit/Source/core/inspector/browser_protocol.json File third_party/WebKit/Source/core/inspector/browser_protocol.json (right): https://codereview.chromium.org/2118583003/diff/20001/third_party/WebKit/Source/core/inspector/browser_protocol.json#newcode825 third_party/WebKit/Source/core/inspector/browser_protocol.json:825: { "name": "mixedContentStatus", "$ref": "MixedContentStatus", "description": "Information about mixed ...

4 years, 5 months ago (2016-07-05 17:37:21 UTC) #7

dadrian

4 years, 5 months ago (2016-07-06 18:35:46 UTC) #8

https://codereview.chromium.org/2118583003/diff/20001/third_party/WebKit/Sour...
File third_party/WebKit/Source/core/inspector/browser_protocol.json (right):

https://codereview.chromium.org/2118583003/diff/20001/third_party/WebKit/Sour...
third_party/WebKit/Source/core/inspector/browser_protocol.json:825: { "name":
"mixedContentStatus", "$ref": "MixedContentStatus", "description": "Information
about mixed content on the page.", "optional": true },
On 2016/07/05 17:37:20, dgozman wrote:
> Why all of these are optional, if we set them in security_handler
> unconditionally? Let's remove optional from mixedContentStatus,
> schemeIsCrypthographic and pkpBypassed.

Done.

https://codereview.chromium.org/2118583003/diff/20001/third_party/WebKit/Sour...
third_party/WebKit/Source/core/inspector/browser_protocol.json:827: { "name":
"pkpBypassed", "type": "boolean", "description": "True if public-key pinning was
bypassed due to a local trust anochor.", "optional": true }
On 2016/07/05 17:37:20, dgozman wrote:
> typo: anochor

Done.

I had to reorder the parameters to put the optionals at the end.

https://codereview.chromium.org/2118583003/diff/20001/third_party/WebKit/Sour...
File third_party/WebKit/Source/devtools/front_end/security/SecurityModel.js
(right):

https://codereview.chromium.org/2118583003/diff/20001/third_party/WebKit/Sour...
third_party/WebKit/Source/devtools/front_end/security/SecurityModel.js:79:
WebInspector.PageSecurityState = function(securityState, explanations,
mixedContentStatus, schemeIsCryptographic, pkpBypassed) {
On 2016/07/05 17:37:20, dgozman wrote:
> style: while you are here, please move { to the next line

Done.

https://codereview.chromium.org/2118583003/diff/20001/third_party/WebKit/Sour...
File third_party/WebKit/Source/devtools/front_end/security/SecurityPanel.js
(right):

https://codereview.chromium.org/2118583003/diff/20001/third_party/WebKit/Sour...
third_party/WebKit/Source/devtools/front_end/security/SecurityPanel.js:647:
this._addExplanation(/** @type {!SecurityAgent.SecurityStateExplanation} */ ({
On 2016/07/05 17:37:20, dgozman wrote:
> I wonder why we send a separate flag to frontend instead of generating an
> explanation on the backend?

I was matching mixed content status. PKP bypass is a touchy issue in terms of
whether or not it should affect security state, so here we're basically just
leveraging the UI framework, rather than adding a new security state.

dgozman

https://codereview.chromium.org/2118583003/diff/20001/third_party/WebKit/Source/devtools/front_end/security/SecurityPanel.js File third_party/WebKit/Source/devtools/front_end/security/SecurityPanel.js (right): https://codereview.chromium.org/2118583003/diff/20001/third_party/WebKit/Source/devtools/front_end/security/SecurityPanel.js#newcode647 third_party/WebKit/Source/devtools/front_end/security/SecurityPanel.js:647: this._addExplanation(/** @type {!SecurityAgent.SecurityStateExplanation} */ ({ On 2016/07/06 18:35:46, dadrian ...

4 years, 5 months ago (2016-07-06 19:01:35 UTC) #9

lgarron

https://codereview.chromium.org/2118583003/diff/40001/third_party/WebKit/Source/devtools/front_end/security/SecurityPanel.js File third_party/WebKit/Source/devtools/front_end/security/SecurityPanel.js (right): https://codereview.chromium.org/2118583003/diff/40001/third_party/WebKit/Source/devtools/front_end/security/SecurityPanel.js#newcode649 third_party/WebKit/Source/devtools/front_end/security/SecurityPanel.js:649: "summary": WebInspector.UIString("Public-Key Pinning"), Could you change this to "Public-Key ...

4 years, 5 months ago (2016-07-06 22:19:43 UTC) #10

dadrian

4 years, 5 months ago (2016-07-07 00:59:06 UTC) #11

dgozman

lgtm from devtools side. @lgarron: will you take another look from security side? https://codereview.chromium.org/2118583003/diff/60001/third_party/WebKit/LayoutTests/http/tests/inspector/security/security-all-resources-secure.html File ...

4 years, 5 months ago (2016-07-07 01:55:48 UTC) #12

dadrian

https://codereview.chromium.org/2118583003/diff/60001/third_party/WebKit/LayoutTests/http/tests/inspector/security/security-all-resources-secure.html File third_party/WebKit/LayoutTests/http/tests/inspector/security/security-all-resources-secure.html (right): https://codereview.chromium.org/2118583003/diff/60001/third_party/WebKit/LayoutTests/http/tests/inspector/security/security-all-resources-secure.html#newcode10 third_party/WebKit/LayoutTests/http/tests/inspector/security/security-all-resources-secure.html:10: InspectorTest.mainTarget.model(WebInspector.SecurityModel).dispatchEventToListeners(WebInspector.SecurityModel.EventTypes.SecurityStateChanged, new WebInspector.PageSecurityState(SecurityAgent.SecurityState.Secure, [], mixedContentStatus, true, false)); On 2016/07/07 ...

4 years, 5 months ago (2016-07-07 01:59:48 UTC) #13

dadrian

creis@chromium.org: Can you approve the one line change in security_style_explanations.h?

4 years, 5 months ago (2016-07-07 16:48:00 UTC) #15

Charlie Reis

content/public LGTM with nits. https://codereview.chromium.org/2118583003/diff/80001/content/public/browser/security_style_explanations.h File content/public/browser/security_style_explanations.h (right): https://codereview.chromium.org/2118583003/diff/80001/content/public/browser/security_style_explanations.h#newcode26 content/public/browser/security_style_explanations.h:26: // different explanations of "secure", ...

4 years, 5 months ago (2016-07-07 17:06:32 UTC) #16

dadrian

https://codereview.chromium.org/2118583003/diff/80001/content/public/browser/security_style_explanations.h File content/public/browser/security_style_explanations.h (right): https://codereview.chromium.org/2118583003/diff/80001/content/public/browser/security_style_explanations.h#newcode26 content/public/browser/security_style_explanations.h:26: // different explanations of "secure", "warning", and "broken" severity ...

4 years, 5 months ago (2016-07-07 17:33:03 UTC) #17

lgarron

LGTM, since the new DevTools changes are ones I asked dadrian@ to patch in. :-)

4 years, 5 months ago (2016-07-07 19:46:50 UTC) #19

commit-bot: I haz the power

CQ is trying da patch. Follow status at https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.org/2118583003/100001

4 years, 5 months ago (2016-07-07 19:47:58 UTC) #22

commit-bot: I haz the power

4 years, 5 months ago (2016-07-07 22:19:37 UTC) #27

Message was sent while issue was closed.

Patchset 6 (id:??) landed as
https://crrev.com/727e23f969ad3c54184efd67c6fae4bc7935b72a
Cr-Commit-Position: refs/heads/master@{#404253}

Expand Messages | Collapse Messages | Show Generated Messages | Hide Generated Messages