commit | af855dc85932a14378771b13363d01c10ba1e5b1 | |
---|---|---|
author | Christopher Thompson <cthomp@chromium.org> | Wed Aug 01 16:43:12 2018 |
committer | Commit Bot <commit-bot@chromium.org> | Wed Aug 01 16:43:12 2018 |
tree | f233b73bd85334c1f60552bc02a5130d8d82ab50 | |
parent | 521a221d210d903618f7168b4c41c380673c0980 | |
Fix for UnsafelyTreatInsecureOriginAsSecure policy in browser UI

This CL updates secure_origin_whitelist::GetWhitelist() to delegate parsing the set of whitelisted sites to a new function, ParseWhitelist, which takes in a string and returns the parsed vector of strings. This allows callers in the browser process to explicitly parse a whitelist from either prefs or command-line switches.

This allows SecurityStateTabHelper to have its own custom IsOriginSecureWithWhitelist function to which it can bind an explicitly passed whitelist of origins, rather than just using content::IsOriginSecure as the callback to security_state functions. content::IsOriginSecure uses GetWhitelist() which only loads the whitelist from command-line flags, which are only correctly set for renderer processes. The custom callback for SecurityStateTabHelper allows it to also check prefs for the whitelist, which is how the enterprise policy is accessible in the browser process (where security indicator UI logic occurs).

This can cause the pref and the switch to be two different sources of truth for the origin whitelist, however this simpler fix will be easier to backport. This fix favors the switch over the pref if both are set, allowing developers to still set temporary overrides while maintaining the policy behavior for general users. More general fixes may involve changing how the whitelist propagates between parts of Chrome (including in content and blink).

Bug: 869422
Change-Id: I93b46d66844af8cee00d919537ce66fc2c56cd46
Reviewed-on: https://chromium-review.googlesource.com/1157029
Reviewed-by: Avi Drissman <avi@chromium.org>
Reviewed-by: Mustafa Emre Acer <meacer@chromium.org>
Commit-Queue: Christopher Thompson <cthomp@chromium.org>
Cr-Commit-Position: refs/heads/master@{#579835}
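The following is an added illustration of the lookup order the commit message describes; it is not code from this commit or from Chromium. `ParseWhitelist` and `IsOriginSecureWithWhitelist` reuse the names from the message but are simplified stand-ins, `EffectiveWhitelist` is a hypothetical helper, the comma-separated list format is an assumption, and all origins are constructed sample values.

```cpp
#include <algorithm>
#include <iostream>
#include <sstream>
#include <string>
#include <vector>

// Simplified stand-in for the parsing step: split a comma-separated origin
// list, trim spaces/tabs, drop empty entries. Not Chromium's implementation.
std::vector<std::string> ParseWhitelist(const std::string& origins_str) {
  std::vector<std::string> origins;
  std::stringstream stream(origins_str);
  std::string item;
  while (std::getline(stream, item, ',')) {
    const std::string::size_type first = item.find_first_not_of(" \t");
    if (first == std::string::npos) continue;  // empty or blank entry
    const std::string::size_type last = item.find_last_not_of(" \t");
    origins.push_back(item.substr(first, last - first + 1));
  }
  return origins;
}

// Hypothetical helper: the switch wins whenever it is present (non-null),
// otherwise the policy-backed pref is used.
std::vector<std::string> EffectiveWhitelist(const std::string* switch_value,
                                            const std::string& pref_value) {
  return ParseWhitelist(switch_value ? *switch_value : pref_value);
}

// Simplified check bound to an explicitly passed whitelist. The real origin
// check has more rules; only https and exact whitelist matches are modelled.
bool IsOriginSecureWithWhitelist(const std::vector<std::string>& whitelist,
                                 const std::string& origin) {
  if (origin.compare(0, 8, "https://") == 0) return true;
  return std::find(whitelist.begin(), whitelist.end(), origin) !=
         whitelist.end();
}

int main() {
  // Constructed sample values, not taken from the commit.
  const std::string pref = "http://intranet.example, http://legacy.example:8080";
  const std::string dev_switch = "http://dev.example";
  const std::string origin = "http://intranet.example";
  std::cout << "switch-only lookup, policy set: "
            << IsOriginSecureWithWhitelist(ParseWhitelist(""), origin) << "\n"
            << "pref consulted, no switch:      "
            << IsOriginSecureWithWhitelist(EffectiveWhitelist(nullptr, pref), origin) << "\n"
            << "switch and pref both set:       "
            << IsOriginSecureWithWhitelist(EffectiveWhitelist(&dev_switch, pref), origin) << "\n";
  return 0;
}
```

The last case shows the two-sources-of-truth trade-off from the message: once a switch is present, an origin listed only in the policy pref is no longer matched by this lookup.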
Chromium is an open-source browser project that aims to build a safer, faster, and more stable way for all users to experience the web.
The project's web site is https://www.chromium.org.
Documentation in the source is rooted in docs/README.md.
Learn how to Get Around the Chromium Source Code Directory Structure.