Description
[webcrypto] Only allow crypto.subtle.* to be used from "secure origins".
The meaning of a secure origin is defined by:
http://www.chromium.org/Home/chromium-security/security-faq#TOC-Which-origins-are-secure-
In essence, "secure origins" are those that load resources either from the local machine or over the network from a cryptographically-authenticated server.
For example these are considered secure origins:
* chrome-extension://xxx
* https://xxx
* wss://xxx
* file://xxx
* http://localhost/
* http://127.0.0.1/
Whereas these are considered insecure:
* http://foobar
* ws://foobar
crypto.subtle itself is visible from insecure origins. However, all of its methods will fail by returning a rejected Promise for NotSupportedError.
BUG=373032, 245025, 362214
Committed: https://src.chromium.org/viewvc/blink?view=rev&revision=175916
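The origin lists in the description above, worked through as an added JavaScript example. This is not Blink's code and not part of this change. `SECURE_SCHEMES`, `isLoopbackHost` and `classifyOrigin` are hypothetical names, and the sketch assumes the loopback exception covers only `http:` with `localhost` or an IPv4 literal in 127.0.0.0/8 (the range named in Patch Set 6), which goes slightly beyond the two loopback URLs the description lists.

```javascript
// Added illustration only: approximates the secure/insecure lists in the
// description. Not Blink's implementation.
const SECURE_SCHEMES = new Set(["https:", "wss:", "file:", "chrome-extension:"]);

// True for "localhost" or an IPv4 literal inside 127.0.0.0/8.
// The WHATWG URL parser has already canonicalised short or hex IPv4 forms
// (e.g. "127.1") into dotted-decimal before this runs.
function isLoopbackHost(hostname) {
  if (hostname === "localhost") return true;
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(hostname);
  if (!m) return false;
  const octets = m.slice(1).map(Number);
  return octets.every((o) => o <= 255) && octets[0] === 127;
}

// Returns { secure, reason } for a URL string.
function classifyOrigin(urlString) {
  let url;
  try {
    url = new URL(urlString);
  } catch (e) {
    return { secure: false, reason: "unparseable URL" };
  }
  if (SECURE_SCHEMES.has(url.protocol)) {
    return { secure: true, reason: "scheme " + url.protocol };
  }
  // Assumption: only plain http: to a loopback host is exempted, matching
  // the http://localhost/ and http://127.0.0.1/ entries in the description.
  if (url.protocol === "http:" && isLoopbackHost(url.hostname)) {
    return { secure: true, reason: "loopback host " + url.hostname };
  }
  return { secure: false, reason: "unauthenticated " + url.protocol + " origin" };
}

// Constructed sample input: the description's examples plus look-alike hosts
// that must not be mistaken for loopback.
const SAMPLES = [
  "chrome-extension://xxx", "https://xxx", "wss://xxx", "file://xxx",
  "http://localhost/", "http://127.0.0.1/", "http://127.1/",
  "http://foobar", "ws://foobar",
  "http://localhost.foobar.example/", "http://127.0.0.1.foobar.example/",
];
for (const s of SAMPLES) {
  const r = classifyOrigin(s);
  console.log((r.secure ? "secure   " : "insecure ") + s + "  (" + r.reason + ")");
}
```

Matching on the parsed hostname, not on a string prefix of the URL, is what keeps the two look-alike hosts at the end of the sample list on the insecure side.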
Patch Set 1
Total comments: 5
Patch Set 2 : Address palmer's review comments
Patch Set 3 : reformat comments
Total comments: 1
Patch Set 4 : Add tests for filesystem and blob URLs, and comments on data: URLs
Patch Set 5 : Clean up some comments
Total comments: 9
Patch Set 6 : Address abarth comments, and test for 127.0.0.1/8
Patch Set 7 : ensureCanAccessWebCrypto --> canAccessWebCrypto
Patch Set 8 : Add more tests
Total comments: 4
Patch Set 9 : Address abarth comments
Messages
Total messages: 21 (0 generated)