Google Git
Sign in
chromium / chromium / src / 3ea904e3488e7af8b03e29fc71d9b9998ffc325b
commit3ea904e3488e7af8b03e29fc71d9b9998ffc325b[log] [tgz]
authorPeter Beverloo <peter@chromium.org>Sun Aug 27 03:16:16 2017
committerCommit Bot <commit-bot@chromium.org>Sun Aug 27 03:16:16 2017
tree0fdbc00817fccbabcefd7ca8e788dc9ba13e16ee
parent6c90e5bcd7448108a241823372d7b57e217da9fd [diff]
Restrict notification permission requests to top-level secure contexts

Requesting notification permission could previously happen from any
context, which included cross-origin iframes and insecure origins.
Starting with Chrome 62 we're restricting this to top-level secure
contexts and same-origin secure iframes.

Usage will continue to be allowed in any iframe once permission has
been granted from one of these contexts. Origins could easily work
around such a restriction by posting a message to their Service
Worker, so it doesn't make sense to impose it.

This change is covered by the following intents:

Insecure origin usage of Notifications:
https://groups.google.com/a/chromium.org/d/topic/blink-dev/IVgkxkRNtMo/discussion

Requesting notification permission from iframes:
https://groups.google.com/a/chromium.org/d/topic/blink-dev/n37ij1E_1aY/discussion

TBR=raymes for permission_context_base_feature_policy_unittest.cc
BUG=695693

Change-Id: I76769971609a483e2c40e5e7775b1e159a2cc96d
Reviewed-on: https://chromium-review.googlesource.com/613901
Commit-Queue: Peter Beverloo <peter@chromium.org>
Reviewed-by: Bernhard Bauer <bauerb@chromium.org>
Reviewed-by: John Mellor <johnme@chromium.org>
Reviewed-by: Rick Byers <rbyers@chromium.org>
Cr-Commit-Position: refs/heads/master@{#497674}
13 files changed
tree: 0fdbc00817fccbabcefd7ca8e788dc9ba13e16ee
  1. android_webview/
  2. apps/
  3. ash/
  4. base/
  5. blink/
  6. breakpad/
  7. build/
  8. build_overrides/
  9. cc/
  10. chrome/
  11. chrome_elf/
  12. chromecast/
  13. chromeos/
  14. cloud_print/
  15. components/
  16. content/
  17. courgette/
  18. crypto/
  19. dbus/
  20. device/
  21. docs/
  22. extensions/
  23. gin/
  24. google_apis/
  25. google_update/
  26. gpu/
  27. headless/
  28. infra/
  29. ios/
  30. ipc/
  31. jingle/
  32. mash/
  33. media/
  34. mojo/
  35. native_client_sdk/
  36. net/
  37. pdf/
  38. ppapi/
  39. printing/
  40. remoting/
  41. rlz/
  42. sandbox/
  43. sdch/
  44. services/
  45. skia/
  46. sql/
  47. storage/
  48. styleguide/
  49. testing/
  50. third_party/
  51. tools/
  52. ui/
  53. url/
  54. .clang-format
  55. .eslintrc.js
  56. .git-blame-ignore-revs
  57. .gitattributes
  58. .gitignore
  59. .gn
  60. AUTHORS
  61. BUILD.gn
  62. CODE_OF_CONDUCT.md
  63. codereview.settings
  64. DEPS
  65. ENG_REVIEW_OWNERS
  66. LICENSE
  67. LICENSE.chromium_os
  68. OWNERS
  69. PRESUBMIT.py
  70. PRESUBMIT_test.py
  71. PRESUBMIT_test_mocks.py
  72. README.md
  73. WATCHLISTS
README.md

Logo Chromium

Chromium is an open-source browser project that aims to build a safer, faster, and more stable way for all users to experience the web.

The project's web site is https://www.chromium.org.

Documentation in the source is rooted in docs/README.md.

Learn how to Get Around the Chromium Source Code Directory Structure .