chrome/browser/ui/login/login_prompt.cc - Issue 410373003: Fix cross origin check when deciding to show the HTTP auth interstitial.

Side by Side Diff: chrome/browser/ui/login/login_prompt.cc

Issue 410373003: Fix cross origin check when deciding to show the HTTP auth interstitial. (Closed) Base URL: svn://svn.chromium.org/chrome/trunk/src

Patch Set: Check only LastCommittedURL Created 6 years, 4 months ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

View unified diff | Download patch | Annotate | Revision Log

OLD	NEW
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.	1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.

2 // Use of this source code is governed by a BSD-style license that can be	2 // Use of this source code is governed by a BSD-style license that can be

3 // found in the LICENSE file.	3 // found in the LICENSE file.

4	4

5 #include "chrome/browser/ui/login/login_prompt.h"	5 #include "chrome/browser/ui/login/login_prompt.h"

6	6

7 #include <vector>	7 #include <vector>

8	8

9 #include "base/bind.h"	9 #include "base/bind.h"

10 #include "base/command_line.h"	10 #include "base/command_line.h"

(...skipping 491 matching lines...) Expand 10 before \| Expand all \| Expand 10 after Loading...
502 DCHECK_CURRENTLY_ON(BrowserThread::UI);	502 DCHECK_CURRENTLY_ON(BrowserThread::UI);

503 WebContents* parent_contents = handler->GetWebContentsForLogin();	503 WebContents* parent_contents = handler->GetWebContentsForLogin();

504 if (!parent_contents \|\| handler->WasAuthHandled()) {	504 if (!parent_contents \|\| handler->WasAuthHandled()) {

505 // The request may have been cancelled, or it may be for a renderer	505 // The request may have been cancelled, or it may be for a renderer

506 // not hosted by a tab (e.g. an extension). Cancel just in case	506 // not hosted by a tab (e.g. an extension). Cancel just in case

507 // (cancelling twice is a no-op).	507 // (cancelling twice is a no-op).

508 handler->CancelAuth();	508 handler->CancelAuth();

509 return;	509 return;

510 }	510 }

511	511

	512 // Check if the request is cross origin. There are two different ways it can
	Peter Kasting 2014/08/06 01:07:54 Nit: "it can be cross origin" -> "the navigation c Nit: "it can be cross origin" -> "the navigation can occur" meacer 2014/08/06 17:36:49 Done. Show quoted text On 2014/08/06 01:07:54, Peter Kasting wrote: > Nit: "it can be cross origin" -> "the navigation can occur" Done.
	513 // be cross origin:

	514 // 1- The user enters the resource URL in the omnibox.
	nasko 2014/08/06 10:17:36 nit: This will not be true once site isolation is nit: This will not be true once site isolation is enabled, as any navigation could cause a cross-process swap, including link clicks. It will only happen for sites that are opted into isolation though. Not sure if it is worth changing the comment, just pointing it out. meacer 2014/08/06 17:36:49 I added your description as a note to the end. Show quoted text On 2014/08/06 10:17:36, nasko (in Munich) wrote: > nit: This will not be true once site isolation is enabled, as any navigation > could cause a cross-process swap, including link clicks. It will only happen for > sites that are opted into isolation though. Not sure if it is worth changing the > comment, just pointing it out. I added your description as a note to the end.
	515 // 2- The page redirects to the resource.

	516 // In both cases, the last committed URL is different than the resource URL,

	517 // so checking it is sufficient.

512 if (is_main_frame &&	518 if (is_main_frame &&

513 parent_contents->GetVisibleURL().GetOrigin() != request_url.GetOrigin()) {	519 parent_contents->GetLastCommittedURL().GetOrigin() !=

	520 request_url.GetOrigin()) {

514 // Show a blank interstitial for main-frame, cross origin requests	521 // Show a blank interstitial for main-frame, cross origin requests

515 // so that the correct URL is shown in the omnibox.	522 // so that the correct URL is shown in the omnibox.

516 base::Closure callback = base::Bind(&ShowLoginPrompt,	523 base::Closure callback = base::Bind(&ShowLoginPrompt,

517 request_url,	524 request_url,

518 make_scoped_refptr(auth_info),	525 make_scoped_refptr(auth_info),

519 make_scoped_refptr(handler));	526 make_scoped_refptr(handler));

520 // This is owned by the interstitial it creates.	527 // This is owned by the interstitial it creates.

521 new LoginInterstitialDelegate(parent_contents,	528 new LoginInterstitialDelegate(parent_contents,

522 request_url,	529 request_url,

523 callback);	530 callback);

(...skipping 11 matching lines...) Expand all Loading...
535 net::URLRequest* request) {	542 net::URLRequest* request) {

536 bool is_main_frame = (request->load_flags() & net::LOAD_MAIN_FRAME) != 0;	543 bool is_main_frame = (request->load_flags() & net::LOAD_MAIN_FRAME) != 0;

537 LoginHandler* handler = LoginHandler::Create(auth_info, request);	544 LoginHandler* handler = LoginHandler::Create(auth_info, request);

538 BrowserThread::PostTask(	545 BrowserThread::PostTask(

539 BrowserThread::UI, FROM_HERE,	546 BrowserThread::UI, FROM_HERE,

540 base::Bind(&LoginDialogCallback, request->url(),	547 base::Bind(&LoginDialogCallback, request->url(),

541 make_scoped_refptr(auth_info), make_scoped_refptr(handler),	548 make_scoped_refptr(auth_info), make_scoped_refptr(handler),

542 is_main_frame));	549 is_main_frame));

543 return handler;	550 return handler;

544 }	551 }

OLD	NEW

« no previous file with comments | « no previous file | chrome/browser/ui/login/login_prompt_browsertest.cc » ('j') | chrome/browser/ui/login/login_prompt_browsertest.cc » ('J')