Google Git
Sign in
chromium / chromium / src / c74e2f09211e8eff3f2c39f85d9fbe6ea4f540ec
commitc74e2f09211e8eff3f2c39f85d9fbe6ea4f540ec[log] [tgz]
authorRouslan Solomakhin <rouslan@chromium.org>Wed Jan 11 00:11:10 2023
committerChromium LUCI CQ <chromium-scoped@luci-project-accounts.iam.gserviceaccount.com>Wed Jan 11 00:11:10 2023
treee62b7f0b5918d024a035bad78c4ab86b31e742b5
parent8545909d2e888118686519904a5f1d94ec43f944 [diff]
[Payment] Launch enforcing Content Security Policy

Before this patch, calling `new PaymentRequest(https://example.test)`
would always ping https://example.test, even if the Content Security
Policy (CSP) prohibited connections to that URL.

This patch launches the enforcement of CSP in the Web Payment API.

After this patch, if CSP connect-src directive blocks access to
https://example.test, then calling
`new PaymentRequest(https://example.test)` will not ping the blocked
URL, `PaymentRequest.canMakePayment()` will return "false" and
`PaymentRequest.show()` will return "NotSupportedError", unless the user
has the temporary flag chrome://flags/#ignore-csp-in-web-payment-api
enabled or the website participates in the (temporary) reverse origin
trial.

Chrome status:
https://chromestatus.com/feature/6286595631087616

Intent:
https://groups.google.com/a/chromium.org/g/blink-dev/c/mlTnVIovBc0/m/uWMMIM2MCAAJ

Launch:
http://launch/4200427

Bug: 1013080, 1349091
Change-Id: I483a97503bc646384a565b766124c0d9f64bed84
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/4139782
Reviewed-by: Mason Freed <masonf@chromium.org>
Commit-Queue: Rouslan Solomakhin <rouslan@chromium.org>
Reviewed-by: Stephen McGruer <smcgruer@chromium.org>
Cr-Commit-Position: refs/heads/main@{#1091086}
10 files changed
tree: e62b7f0b5918d024a035bad78c4ab86b31e742b5
  1. android_webview/
  2. apps/
  3. ash/
  4. base/
  5. build/
  6. build_overrides/
  7. buildtools/
  8. cc/
  9. chrome/
  10. chromecast/
  11. chromeos/
  12. codelabs/
  13. components/
  14. content/
  15. courgette/
  16. crypto/
  17. dbus/
  18. device/
  19. docs/
  20. extensions/
  21. fuchsia_web/
  22. gin/
  23. google_apis/
  24. google_update/
  25. gpu/
  26. headless/
  27. infra/
  28. ios/
  29. ipc/
  30. media/
  31. mojo/
  32. native_client_sdk/
  33. net/
  34. pdf/
  35. ppapi/
  36. printing/
  37. remoting/
  38. rlz/
  39. sandbox/
  40. services/
  41. skia/
  42. sql/
  43. storage/
  44. styleguide/
  45. testing/
  46. third_party/
  47. tools/
  48. ui/
  49. url/
  50. weblayer/
  51. .clang-format
  52. .clang-tidy
  53. .eslintrc.js
  54. .git-blame-ignore-revs
  55. .gitattributes
  56. .gitignore
  57. .gn
  58. .mailmap
  59. .rustfmt.toml
  60. .vpython3
  61. .yapfignore
  62. ATL_OWNERS
  63. AUTHORS
  64. BUILD.gn
  65. CODE_OF_CONDUCT.md
  66. codereview.settings
  67. DEPS
  68. DIR_METADATA
  69. LICENSE
  70. LICENSE.chromium_os
  71. OWNERS
  72. PRESUBMIT.py
  73. PRESUBMIT_test.py
  74. PRESUBMIT_test_mocks.py
  75. README.md
  76. WATCHLISTS
README.md

Logo Chromium

Chromium is an open-source browser project that aims to build a safer, faster, and more stable way for all users to experience the web.

The project's web site is https://www.chromium.org.

To check out the source code locally, don't use git clone! Instead, follow the instructions on how to get the code.

Documentation in the source is rooted in docs/README.md.

Learn how to Get Around the Chromium Source Code Directory Structure .

For historical reasons, there are some small top level directories. Now the guidance is that new top level directories are for product (e.g. Chrome, Android WebView, Ash). Even if these products have multiple executables, the code should be in subdirectories of the product.

If you found a bug, please file it at https://crbug.com/new.