Avoid treating the load of about:blank as a failure in the web auth flow.

Avoid treating the load of about:blank as a failure in the web auth flow.

As part of the OAUth 2.0 protocol with GAIA, at the end of the web
authorization flow, GAIA redirects to a custom scheme URL of type
|com.googleusercontent.apps.123:/<extension_id>|, where
|com.googleusercontent.apps.123| is the reverse DNS notation of the
client ID.

It look like this URL is not an web accessible URL from within a Guest WebView, so
during the load of this URL, Chrome validates and changes it to "about:blank",
which then fails to be loaded within the context of the Identity Scope Approval
Dialog extension. Note that in fact, it is better to avoid the load of |about:blank|
as the dialog will actually be closed right after this load fails.

This CL avoids treating the failure of loading |about:blank| as a failure
of the web auth flow.

BUG=722323
Review-Url: https://codereview.chromium.org/2901283002
Cr-Commit-Position: refs/heads/master@{#475894}
Committed: https://chromium.googlesource.com/chromium/src/+/a8f5066a367be8011a77a7be6a32853d3448ec06

[msarda, 2017-05-24 13:35:57]

msarda@chromium.org changed reviewers:
+ courage@chromium.org

[msarda, 2017-05-24 13:35:57]

Please take a look.

[msarda, 2017-05-24 13:38:57]

Description was changed from

==========
Avoid treating the load of about:blank as a failure in the web auth flow.

As part of the OAUth 2.0 protocol with GAIA, at the end of the web

authorization flow, GAIA redirects to a custom scheme URL of type

|com.googleusercontent.apps.123:/<extension_id>|, where

|com.googleusercontent.apps.123| is the reverse DNS notation of the

client ID.

It look like this URL is not an web accessible URL from within a Guest WebView,
so
during the load of this URL, Chrome validates and changes it to "about:blank",
which then fails to be loaded within the context of the Identity Scope Approval
Dialog extension. Note that in fact, it is better to avoid the load of
|about:blank|
as the dialog will actually be closed right after this load fails.

This CL avoids treating the failure of loading |about:blank| as a failure
of the web auth flow.

BUG=722323
==========

to

==========
Avoid treating the load of about:blank as a failure in the web auth flow.

As part of the OAUth 2.0 protocol with GAIA, at the end of the web
authorization flow, GAIA redirects to a custom scheme URL of type
|com.googleusercontent.apps.123:/<extension_id>|, where
|com.googleusercontent.apps.123| is the reverse DNS notation of the
client ID.

It look like this URL is not an web accessible URL from within a Guest WebView,
so
during the load of this URL, Chrome validates and changes it to "about:blank",
which then fails to be loaded within the context of the Identity Scope Approval
Dialog extension. Note that in fact, it is better to avoid the load of
|about:blank|
as the dialog will actually be closed right after this load fails.

This CL avoids treating the failure of loading |about:blank| as a failure
of the web auth flow.

BUG=722323
==========

[msarda, 2017-05-24 13:52:37]

Patchset #1 (id:1) has been deleted

[msarda, 2017-05-24 13:52:43]

Patchset #1 (id:20001) has been deleted

[msarda, 2017-05-24 13:53:37]

The CQ bit was checked by msarda@chromium.org to run a CQ dry run

[msarda, 2017-05-24 13:53:42]

Patchset #1 (id:40001) has been deleted

[commit-bot: I haz the power, 2017-05-24 13:53:59]

Dry run: CQ is trying da patch.

Follow status at:
https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.or...

[commit-bot: I haz the power, 2017-05-24 14:43:16]

The CQ bit was unchecked by commit-bot@chromium.org

[commit-bot: I haz the power, 2017-05-24 14:43:18]

Dry run: This issue passed the CQ dry run.

[Michael Courage, 2017-05-30 22:55:39]

lgtm

https://codereview.chromium.org/2901283002/diff/60001/chrome/browser/extensio...
File chrome/browser/extensions/api/identity/web_auth_flow.cc (right):

https://codereview.chromium.org/2901283002/diff/60001/chrome/browser/extensio...
chrome/browser/extensions/api/identity/web_auth_flow.cc:218: // This URL is not
an accessible URL from within a Guest WebView, so
the intent of this weird URL scheme was to make sure it couldn't be loaded
anywhere at all. this makes it much harder to pull off a cross-site attack that
could leak the returned oauth token to a malicious script or site.

[msarda, 2017-05-31 12:26:14]

https://codereview.chromium.org/2901283002/diff/60001/chrome/browser/extensio...
File chrome/browser/extensions/api/identity/web_auth_flow.cc (right):

https://codereview.chromium.org/2901283002/diff/60001/chrome/browser/extensio...
chrome/browser/extensions/api/identity/web_auth_flow.cc:218: // This URL is not
an accessible URL from within a Guest WebView, so
On 2017/05/30 22:55:39, Michael Courage wrote:
> the intent of this weird URL scheme was to make sure it couldn't be loaded
> anywhere at all. this makes it much harder to pull off a cross-site attack
that
> could leak the returned oauth token to a malicious script or site. 

That makes sense. I've updated the comment to make clear the intent of this URL.

[msarda, 2017-05-31 12:26:19]

The CQ bit was checked by msarda@chromium.org

[msarda, 2017-05-31 12:26:19]

The patchset sent to the CQ was uploaded after l-g-t-m from courage@chromium.org
Link to the patchset: https://codereview.chromium.org/2901283002/#ps80001
(title: "Nit")

[commit-bot: I haz the power, 2017-05-31 12:26:31]

CQ is trying da patch.

Follow status at:
https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.or...

[commit-bot: I haz the power, 2017-05-31 13:26:35]

CQ is committing da patch.

Bot data: {"patchset_id": 80001, "attempt_start_ts": 1496233579283020,
"parent_rev": "3f9a1acfe86c090f44bb6c7cb168540f1bdab3cd", "commit_rev":
"a8f5066a367be8011a77a7be6a32853d3448ec06"}

[commit-bot: I haz the power, 2017-05-31 13:26:50]

Description was changed from

==========
Avoid treating the load of about:blank as a failure in the web auth flow.

As part of the OAUth 2.0 protocol with GAIA, at the end of the web
authorization flow, GAIA redirects to a custom scheme URL of type
|com.googleusercontent.apps.123:/<extension_id>|, where
|com.googleusercontent.apps.123| is the reverse DNS notation of the
client ID.

It look like this URL is not an web accessible URL from within a Guest WebView,
so
during the load of this URL, Chrome validates and changes it to "about:blank",
which then fails to be loaded within the context of the Identity Scope Approval
Dialog extension. Note that in fact, it is better to avoid the load of
|about:blank|
as the dialog will actually be closed right after this load fails.

This CL avoids treating the failure of loading |about:blank| as a failure
of the web auth flow.

BUG=722323
==========

to

==========
Avoid treating the load of about:blank as a failure in the web auth flow.

As part of the OAUth 2.0 protocol with GAIA, at the end of the web
authorization flow, GAIA redirects to a custom scheme URL of type
|com.googleusercontent.apps.123:/<extension_id>|, where
|com.googleusercontent.apps.123| is the reverse DNS notation of the
client ID.

It look like this URL is not an web accessible URL from within a Guest WebView,
so
during the load of this URL, Chrome validates and changes it to "about:blank",
which then fails to be loaded within the context of the Identity Scope Approval
Dialog extension. Note that in fact, it is better to avoid the load of
|about:blank|
as the dialog will actually be closed right after this load fails.

This CL avoids treating the failure of loading |about:blank| as a failure
of the web auth flow.

BUG=722323

Review-Url: https://codereview.chromium.org/2901283002
Cr-Commit-Position: refs/heads/master@{#475894}
Committed:
https://chromium.googlesource.com/chromium/src/+/a8f5066a367be8011a77a7be6a32...
==========

[commit-bot: I haz the power, 2017-05-31 13:26:52]

Committed patchset #2 (id:80001) as
https://chromium.googlesource.com/chromium/src/+/a8f5066a367be8011a77a7be6a32...