PasswordProtectionService verdict cache management

components/safe_browsing/csd.proto

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 //
 // This proto file includes:
 // (1) Client side phishing and malware detection request and response
 //   protocol buffers.  Those protocol messages should be kept in sync
 //   with the server implementation.
 //
 // (2) Safe Browsing reporting protocol buffers.
@@ skipping 229 matching lines @@
   // hosting sites (e.g., geocities.com), we further divide the domains.
   //
   // Examples:
   //    www.google.com/foo/bar?param=val -> google.com
   //    www.geocities.com/foo/bar.html -> geocities.com/foo
   //    adwords.blogspot.com/index.html -> adwords.blogspot.com
   //
   // The pattern will always match the page_url of the request, and will be
   // a substring of page_url.
   optional string cache_expression = 3;
+
+  // If set true, we do not match a url's path-prefix with the cache_expression.
+  //
+  // Examples:
+  //    If set true, a cache_expression "dropbox.com" will match
+  //      "dropbox.com",
+  //      "dropbox.com/",
+  //      "dropbox.com/login.html?param=val",
+  //      "test.dropbox.com/"
+  //    but will NOT match
+  //      "dropbox.com/abc/"
+  optional bool cache_expression_exact_match = 4;

[Nathan Parker, 2017/03/20 15:55:35]

This isn't really "exact match," since we're ignoring the path in the cache
expression (or assuming it has none?), correct?  It _would_ be exact match if we
ensured the candidate URL matched the expression up to both of their last /'s.
Then 

dropbox.com/foo [exact] would match
     dropbox.com/foo
     dropbox.com/foo/bar.cgi
 NOT dropbox.com/foo/dog/cat.cgi

I think that's a generalization of what you described -- it may or may not be
useful.


Alternately, we could change the name to "cache_expression_root_path" or some
such and have it be only allowed when cache_expresion has no path.  That'd be
simpler.

[Jialiu Lin, 2017/03/20 18:02:39]

Ah, I copied this change from cl/150491510.
I believe Weining tried to express the same thing. But somehow he used an
example only has root path. Your examples are much better, much more
generalized.
I changed this comment according to your feedback. and I've forward your
feedback to him too. 

 }
 
 message ClientMalwareResponse {
   required bool blacklist = 1;
   // The confirmed blacklisted bad IP and its url, which will be shown in
   // malware warning, if the blacklist verdict is true.
   // This IP string could be either in IPv4 or IPv6 format, which is the same
   // as the ones client sent to server.
   optional string bad_ip = 2;
   optional string bad_url = 3;
@@ skipping 747 matching lines @@
 // There is no response (an empty body) to this request.
 message NotificationImageReportRequest {
   optional string notification_origin = 1;  // Src-origin of the notification.
   optional ImageData image = 2;             // The bitmap of the image.
 
   // Note that the image URL is deliberately omitted as it would be untrusted,
   // since the notification image fetch may be intercepted by a Service Worker
   // (even if the image URL is cross-origin). Otherwise a website could mislead
   // Safe Browsing into associating phishing image bitmaps with safe image URLs.
 }