Chromium Code Reviews

Issue 2603823002: Prohibit web payments on sites with bad SSL certificates (Closed)

Created:
3 years, 12 months ago by please use gerrit instead
Modified:
3 years, 11 months ago
Reviewers:
palmer, lgarron
CC:
agrieve+watch_chromium.org, android-webview-reviews_chromium.org, chromium-reviews, creis+watch_chromium.org, darin-cc_chromium.org, estade+watch_chromium.org, gogerald+paymentswatch_chromium.org, jam, mathp+autofillwatch_chromium.org, nasko+codewatch_chromium.org, rouslan+autofill_chromium.org, rouslan+payments_chromium.org, sebsg+autofillwatch_chromium.org, sebsg+paymentswatch_chromium.org, vabr+watchlistautofill_chromium.org
Target Ref:
refs/pending/heads/master
Project:
chromium
Visibility:
Public.

Description

Prohibit web payments on sites with bad SSL certificates.

This patch moves the SSL certificate validity check to the common location in WebContents and gates usage of web payments API on the calling website having a valid SSL certificate. The same check is also used by credit card and password autofill.

To better accommodate web developers, the SSL certificate check is disabled for localhost and file:/// schemes.

Note that web payments API is available only in secure context.
https://w3c.github.io/webappsec-secure-contexts/#secure-context

Also note that credit card autofill additionally checks that the <form> target URL scheme is not http://. Password autofill does not perform this check. (Web payments API does not use <form> elements.)

BUG=678764

Patch Set 1 #

Total comments: 8

Messages

Total messages: 32 (26 generated)
please use gerrit instead
Lucas and Chris, ptal.
3 years, 11 months ago (2017-01-05 22:25:23 UTC) #25
palmer
Are any tests necessary/possible?

https://codereview.chromium.org/2603823002/diff/60001/content/browser/web_contents/web_contents_impl.cc
File content/browser/web_contents/web_contents_impl.cc (right):

https://codereview.chromium.org/2603823002/diff/60001/content/browser/web_contents/web_contents_impl.cc#newcode831
content/browser/web_contents/web_contents_impl.cc:831: return true;
Why return true ...
3 years, 11 months ago (2017-01-05 22:55:06 UTC) #26
lgarron
https://codereview.chromium.org/2603823002/diff/60001/content/browser/web_contents/web_contents_impl.cc
File content/browser/web_contents/web_contents_impl.cc (right):

https://codereview.chromium.org/2603823002/diff/60001/content/browser/web_contents/web_contents_impl.cc#newcode831
content/browser/web_contents/web_contents_impl.cc:831: return true;
On 2017/01/05 at 22:55:06, palmer wrote:
> ...
3 years, 11 months ago (2017-01-05 23:00:20 UTC) #27
please use gerrit instead
One of the goals of this patch is to move the existing SSL validity checks ...
3 years, 11 months ago (2017-01-06 18:07:15 UTC) #30
lgarron
https://codereview.chromium.org/2603823002/diff/60001/content/browser/web_contents/web_contents_impl.cc
File content/browser/web_contents/web_contents_impl.cc (right):

https://codereview.chromium.org/2603823002/diff/60001/content/browser/web_contents/web_contents_impl.cc#newcode831
content/browser/web_contents/web_contents_impl.cc:831: return true;
On 2017/01/06 at 18:07:15, rouslan wrote:
> ...
3 years, 11 months ago (2017-01-06 23:21:25 UTC) #31
please use gerrit instead
Closing this patch in favor of the plan outlined in the e-mail discussion.
3 years, 11 months ago (2017-01-10 20:49:56 UTC) #32
