android:Early reject non-https origins for postMessage

Early reject non-https origins for postMessage

For security reasons, we only accept https postMessage origins verified
through Digital Asset Links for postMessage. Add a way to early reject
all other origins.

BUG=719096
Review-Url: https://codereview.chromium.org/2893483007
Cr-Commit-Position: refs/heads/master@{#473739}
Committed: https://chromium.googlesource.com/chromium/src/+/fd352340a07c78ff117285aadcac01ac5af2aab1

[Yusuf, 2017-05-19 21:47:45]

The CQ bit was checked by yusufo@chromium.org to run a CQ dry run

[commit-bot: I haz the power, 2017-05-19 21:48:39]

Dry run: CQ is trying da patch.

Follow status at:
https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.or...

[commit-bot: I haz the power, 2017-05-19 23:01:34]

The CQ bit was unchecked by commit-bot@chromium.org

[commit-bot: I haz the power, 2017-05-19 23:01:34]

Dry run: This issue passed the CQ dry run.

[Yusuf, 2017-05-19 23:04:14]

yusufo@chromium.org changed reviewers:
+ lizeb@chromium.org

[Benoit L, 2017-05-22 12:50:22]

lgtm with a small comment.

Can you also start the commit message with "android:"? postMessage() is used on
other platforms as well.

https://codereview.chromium.org/2893483007/diff/1/chrome/android/java/src/org...
File
chrome/android/java/src/org/chromium/chrome/browser/customtabs/OriginVerifier.java
(right):

https://codereview.chromium.org/2893483007/diff/1/chrome/android/java/src/org...
chrome/android/java/src/org/chromium/chrome/browser/customtabs/OriginVerifier.java:113:
if (!mOrigin.getScheme().equals(UrlConstants.HTTPS_SCHEME)) {
nit: can you reverse the comparison?

The URI might not have a scheme, and the javadoc says that getScheme() may
return null.

Also, should the comparison be case-insensitive?

[Yusuf, 2017-05-22 22:00:02]

Description was changed from

==========
Early reject non-https origins for postMessage

For security reasons, we only accept https postMessage origins verified
through Digital Asset Links for postMessage. Add a way to early reject
all other origins.

BUG=719096
==========

to

==========
Early reject non-https origins for postMessage

For security reasons, we only accept https postMessage origins verified
through Digital Asset Links for postMessage. Add a way to early reject
all other origins.

BUG=719096
==========

[Yusuf, 2017-05-22 22:00:16]

https://codereview.chromium.org/2893483007/diff/1/chrome/android/java/src/org...
File
chrome/android/java/src/org/chromium/chrome/browser/customtabs/OriginVerifier.java
(right):

https://codereview.chromium.org/2893483007/diff/1/chrome/android/java/src/org...
chrome/android/java/src/org/chromium/chrome/browser/customtabs/OriginVerifier.java:113:
if (!mOrigin.getScheme().equals(UrlConstants.HTTPS_SCHEME)) {
On 2017/05/22 12:50:22, Benoit L wrote:
> nit: can you reverse the comparison?
> 
> The URI might not have a scheme, and the javadoc says that getScheme() may
> return null.
> 
> Also, should the comparison be case-insensitive?

Done.

[Yusuf, 2017-05-22 22:00:27]

The CQ bit was checked by yusufo@chromium.org

[Yusuf, 2017-05-22 22:00:27]

The patchset sent to the CQ was uploaded after l-g-t-m from lizeb@chromium.org
Link to the patchset: https://codereview.chromium.org/2893483007/#ps20001
(title: "lizeb@ comments")

[commit-bot: I haz the power, 2017-05-22 22:01:09]

CQ is trying da patch.

Follow status at:
https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.or...

[commit-bot: I haz the power, 2017-05-22 22:26:35]

The CQ bit was unchecked by commit-bot@chromium.org

[commit-bot: I haz the power, 2017-05-22 22:26:36]

Try jobs failed on following builders:
  android_n5x_swarming_rel on master.tryserver.chromium.android (JOB_FAILED,
https://build.chromium.org/p/tryserver.chromium.android/builders/android_n5x_...)

[Yusuf, 2017-05-22 22:34:39]

The CQ bit was checked by yusufo@chromium.org

[Yusuf, 2017-05-22 22:34:39]

The patchset sent to the CQ was uploaded after l-g-t-m from lizeb@chromium.org
Link to the patchset: https://codereview.chromium.org/2893483007/#ps40001
(title: "Lint")

[commit-bot: I haz the power, 2017-05-22 22:35:09]

CQ is trying da patch.

Follow status at:
https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.or...

[commit-bot: I haz the power, 2017-05-22 23:16:01]

CQ is committing da patch.

Bot data: {"patchset_id": 40001, "attempt_start_ts": 1495492479179160,
"parent_rev": "7d5b724780d484c91a46232ec2fd6c51e0d15f37", "commit_rev":
"fd352340a07c78ff117285aadcac01ac5af2aab1"}

[commit-bot: I haz the power, 2017-05-22 23:16:13]

Description was changed from

==========
Early reject non-https origins for postMessage

For security reasons, we only accept https postMessage origins verified
through Digital Asset Links for postMessage. Add a way to early reject
all other origins.

BUG=719096
==========

to

==========
Early reject non-https origins for postMessage

For security reasons, we only accept https postMessage origins verified
through Digital Asset Links for postMessage. Add a way to early reject
all other origins.

BUG=719096

Review-Url: https://codereview.chromium.org/2893483007
Cr-Commit-Position: refs/heads/master@{#473739}
Committed:
https://chromium.googlesource.com/chromium/src/+/fd352340a07c78ff117285aadcac...
==========

[commit-bot: I haz the power, 2017-05-22 23:16:14]

Committed patchset #3 (id:40001) as
https://chromium.googlesource.com/chromium/src/+/fd352340a07c78ff117285aadcac...