Chromium Code Reviews
Unified Diff: components/payments/content/payment_request.cc

Issue 2859613002: Disable web payments API on blob: and data: schemes. (Closed)
Patch Set: Created 3 years, 8 months ago
Index: components/payments/content/payment_request.cc
diff --git a/components/payments/content/payment_request.cc b/components/payments/content/payment_request.cc
index 2cc645f189121f621636186a3c7f0213e6d0f42d..3ca4a8fa49fba940504c0a0df09e956de87edb30 100644
--- a/components/payments/content/payment_request.cc
+++ b/components/payments/content/payment_request.cc
@@ -45,17 +45,28 @@ void PaymentRequest::Init(mojom::PaymentRequestClientPtr client,
DCHECK_CURRENTLY_ON(content::BrowserThread::UI);
client_ = std::move(client);
- if (!OriginSecurityChecker::IsOriginSecure(
- delegate_->GetLastCommittedURL())) {
+ GURL last_committed_url = delegate_->GetLastCommittedURL();
meacer 2017/05/02 21:21:54 nit: const GURL
please use gerrit instead 2017/05/03 20:53:51 Done.
+ if (!OriginSecurityChecker::IsOriginSecure(last_committed_url)) {
meacer 2017/05/02 21:21:54 IsOriginSecure returns true for a bunch of schemes
please use gerrit instead 2017/05/03 20:53:51 This check is to verify that the renderer is behav
meacer 2017/05/03 21:08:53 Thanks for the clarification. I didn't notice the
LOG(ERROR) << "Not in a secure origin";
OnConnectionTerminated();
return;
}
- if (OriginSecurityChecker::IsSchemeCryptographic(
- delegate_->GetLastCommittedURL()) &&
- !delegate_->IsSslCertificateValid()) {
+ bool allowed_origin =
+ OriginSecurityChecker::IsSchemeCryptographic(last_committed_url) ||
+ OriginSecurityChecker::IsOriginLocalhostOrFile(last_committed_url);
+ if (!allowed_origin) {
+ LOG(ERROR) << "Only localhost, file://, and cryptographic scheme origins "
+ "allowed";
+ }
+
+ bool invalid_ssl =
+ OriginSecurityChecker::IsSchemeCryptographic(last_committed_url) &&
+ !delegate_->IsSslCertificateValid();
+ if (invalid_ssl)
LOG(ERROR) << "SSL certificate is not valid";
+
+ if (!allowed_origin || invalid_ssl) {
// Don't show UI. Resolve .canMakepayment() with "false". Reject .show()
// with "NotSupportedError".
spec_ = base::MakeUnique<PaymentRequestSpec>(
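Review bot: OriginSecurityChecker::IsSchemeCryptographic(last_committed_url) is now evaluated twice in this hunk, once inside `allowed_origin` and again inside `invalid_ssl`; hoist it into a single `const bool is_cryptographic = OriginSecurityChecker::IsSchemeCryptographic(last_committed_url);` and reuse it in both expressions. The new `!allowed_origin` path also behaves differently from the `IsOriginSecure` early return just above it: that one terminates the connection, while a non-cryptographic, non-localhost/file origin (the blob: and data: cases from the issue title) falls through to the "Resolve .canMakepayment() with false / reject .show() with NotSupportedError" branch. That distinction is only explained in the comment thread ("This check is to verify that the renderer is behav..."), so a one-line code comment above `bool allowed_origin =` saying that such origins are treated as unsupported rather than as a misbehaving renderer would keep the rationale with the code. Minor style point: `if (invalid_ssl)` is braceless while the neighbouring `if (!allowed_origin) {` and `if (!allowed_origin || invalid_ssl) {` use braces.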

This is Rietveld 408576698