Google Git
Sign in
chromium / chromium / src / ae2f3eb465c5786729e26c6d4a1cdc32c0159cc8
commitae2f3eb465c5786729e26c6d4a1cdc32c0159cc8[log] [tgz]
authorRouslan Solomakhin <rouslan@chromium.org>Fri Mar 05 15:52:46 2021
committerChromium LUCI CQ <chromium-scoped@luci-project-accounts.iam.gserviceaccount.com>Fri Mar 05 15:52:46 2021
treecd5a29319a1ea09491d06eaa2feb4770a819f9bf
parent99e02f4fd873ee6c3b9f412ecfac2ab1a8bad659 [diff]
[Web Payment] Remove line terminators from payment app label.

Before this patch, the payment app name with newlines and carriage
returns could be displayed in the Android payment app chooser in
multiple lines, which would push the origin (URL) of the payment app
lower. A malicious payment app could use this to attempt to spoof its
origin.

This patch removes "\r", "\f", "\n", "\u0085", "\u2028", and "\u2029"
line terminators from the labels of the payment app base class on
Android, which is used by the service worker and Android payment apps.

The user interface uses newlines to combine multiple pieces of
information, which is especially useful for shipping addresses and
contact information. The same user interface is also used by Autofill
assistant. Therefore, making the UI use a single line for all labels
requires a more involved solution.

After this patch, PaymentRequest payment apps (service worker and
Android apps) cannot use line terminators in their name to show
multi-line app names.

Bug: 1184147
Change-Id: Ia4e4e8fc4d6467f438d265015e13d91d2ac3bf85
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2736000
Reviewed-by: Liquan (Max) Gu <maxlg@chromium.org>
Commit-Queue: Rouslan Solomakhin <rouslan@chromium.org>
Cr-Commit-Position: refs/heads/master@{#860249}
1 file changed
tree: cd5a29319a1ea09491d06eaa2feb4770a819f9bf
  1. android_webview/
  2. apps/
  3. ash/
  4. base/
  5. build/
  6. build_overrides/
  7. buildtools/
  8. cc/
  9. chrome/
  10. chromecast/
  11. chromeos/
  12. cloud_print/
  13. codelabs/
  14. components/
  15. content/
  16. courgette/
  17. crypto/
  18. dbus/
  19. device/
  20. docs/
  21. extensions/
  22. fuchsia/
  23. gin/
  24. google_apis/
  25. google_update/
  26. gpu/
  27. headless/
  28. infra/
  29. ios/
  30. ipc/
  31. jingle/
  32. media/
  33. mojo/
  34. native_client_sdk/
  35. net/
  36. pdf/
  37. ppapi/
  38. printing/
  39. remoting/
  40. rlz/
  41. sandbox/
  42. services/
  43. skia/
  44. sql/
  45. storage/
  46. styleguide/
  47. testing/
  48. third_party/
  49. tools/
  50. ui/
  51. url/
  52. weblayer/
  53. .clang-format
  54. .clang-tidy
  55. .eslintrc.js
  56. .git-blame-ignore-revs
  57. .gitattributes
  58. .gitignore
  59. .gn
  60. .vpython
  61. .vpython3
  62. .yapfignore
  63. AUTHORS
  64. BUILD.gn
  65. CODE_OF_CONDUCT.md
  66. codereview.settings
  67. DEPS
  68. DIR_METADATA
  69. ENG_REVIEW_OWNERS
  70. LICENSE
  71. LICENSE.chromium_os
  72. OWNERS
  73. PRESUBMIT.py
  74. PRESUBMIT_test.py
  75. PRESUBMIT_test_mocks.py
  76. README.md
  77. WATCHLISTS
README.md

Logo Chromium

Chromium is an open-source browser project that aims to build a safer, faster, and more stable way for all users to experience the web.

The project's web site is https://www.chromium.org.

To check out the source code locally, don't use git clone! Instead, follow the instructions on how to get the code.

Documentation in the source is rooted in docs/README.md.

Learn how to Get Around the Chromium Source Code Directory Structure .

For historical reasons, there are some small top level directories. Now the guidance is that new top level directories are for product (e.g. Chrome, Android WebView, Ash). Even if these products have multiple executables, the code should be in subdirectories of the product.