commit | 3ea904e3488e7af8b03e29fc71d9b9998ffc325b | |
---|---|---|
author | Peter Beverloo <peter@chromium.org> | Sun Aug 27 03:16:16 2017 |
committer | Commit Bot <commit-bot@chromium.org> | Sun Aug 27 03:16:16 2017 |
tree | 0fdbc00817fccbabcefd7ca8e788dc9ba13e16ee | |
parent | 6c90e5bcd7448108a241823372d7b57e217da9fd | |

Restrict notification permission requests to top-level secure contexts

Requesting notification permission could previously happen from any context, which included cross-origin iframes and insecure origins. Starting with Chrome 62 we're restricting this to top-level secure contexts and same-origin secure iframes.

Usage will continue to be allowed in any iframe once permission has been granted from one of these contexts. Origins could easily work around such a restriction by posting a message to their Service Worker, so it doesn't make sense to impose it.

This change is covered by the following intents:

Insecure origin usage of Notifications:
https://groups.google.com/a/chromium.org/d/topic/blink-dev/IVgkxkRNtMo/discussion

Requesting notification permission from iframes:
https://groups.google.com/a/chromium.org/d/topic/blink-dev/n37ij1E_1aY/discussion

TBR=raymes for permission_context_base_feature_policy_unittest.cc
BUG=695693

Change-Id: I76769971609a483e2c40e5e7775b1e159a2cc96d
Reviewed-on: https://chromium-review.googlesource.com/613901
Commit-Queue: Peter Beverloo <peter@chromium.org>
Reviewed-by: Bernhard Bauer <bauerb@chromium.org>
Reviewed-by: John Mellor <johnme@chromium.org>
Reviewed-by: Rick Byers <rbyers@chromium.org>
Cr-Commit-Position: refs/heads/master@{#497674}