Chromium Code Reviews
Help | Chromium Project | Gerrit Changes | Sign in
(71)

Issue 10412025: Re-enable embedded identities in URLs for HTTP authentication. (Closed)

Created:
6 years, 11 months ago by asanka
Modified:
6 years, 2 months ago
Reviewers:
Tom Sepez, cbentzel, jschuh
CC:
chromium-reviews, cbentzel+watch_chromium.org, darin-cc_chromium.org
Visibility:
Public.

Description

Re-enable embedded identities in URLs for HTTP authentication. This effectively reverts r121506. BUG=123150 TEST=net_unittests. Username/passwords specified in URLs work. XmlHttpRequests() with credentials passed as arguments work. Committed: https://src.chromium.org/viewvc/chrome?view=rev&revision=138264

Patch Set 1 : #

Patch Set 2 : Unit tests #

Patch Set 3 : Merge with trunk #

Unified diffs Side-by-side diffs Delta from patch set Stats (+331 lines, -11 lines) Patch
M net/http/http_auth_controller.cc View 1 chunk +11 lines, -7 lines 0 comments Download
M net/http/http_network_transaction_spdy2_unittest.cc View 1 2 chunks +145 lines, -2 lines 0 comments Download
M net/http/http_network_transaction_spdy3_unittest.cc View 1 2 chunks +145 lines, -2 lines 0 comments Download
M net/url_request/url_request_unittest.cc View 1 2 1 chunk +30 lines, -0 lines 0 comments Download

Messages

Total messages: 13 (0 generated)
asanka
Excludes restoring HttpNetworkTransaction unit tests for now.
6 years, 11 months ago (2012-05-21 21:47:51 UTC) #1
asanka
HttpNetworkTransaction*Tests added. I manually verified that identities specified via arguments to XHR work, but I ...
6 years, 11 months ago (2012-05-21 23:37:42 UTC) #2
cbentzel
I wish this was a simpler revert. Seems good, looking again.
6 years, 11 months ago (2012-05-22 01:18:04 UTC) #3
cbentzel
LGTM
6 years, 11 months ago (2012-05-22 01:37:00 UTC) #4
asanka
Thanks. I'll put this on the CQ once the win_rel try job goes through. This ...
6 years, 11 months ago (2012-05-22 02:06:05 UTC) #5
commit-bot: I haz the power
CQ is trying da patch. Follow status at https://chromium-status.appspot.com/cq/asanka@chromium.org/10412025/7001
6 years, 11 months ago (2012-05-22 06:53:02 UTC) #6
commit-bot: I haz the power
Try job failure for 10412025-7001 (retry) on win_rel for steps "base_unittests, sync_unit_tests". It's a second ...
6 years, 11 months ago (2012-05-22 09:26:29 UTC) #7
jschuh
This change was done without consulting the security team and introduced a security regression crbug.com/174129 ...
6 years, 2 months ago (2013-02-12 10:17:39 UTC) #8
asanka
On 2013/02/12 10:17:39, Justin Schuh wrote: > This change was done without consulting the security ...
6 years, 2 months ago (2013-02-12 16:08:00 UTC) #9
jschuh
On 2013/02/12 16:08:00, asanka wrote: > On 2013/02/12 10:17:39, Justin Schuh wrote: > > This ...
6 years, 2 months ago (2013-02-12 16:27:27 UTC) #10
asanka
On 2013/02/12 16:27:27, Justin Schuh wrote: > On 2013/02/12 16:08:00, asanka wrote: > > On ...
6 years, 2 months ago (2013-02-12 16:54:28 UTC) #11
jschuh
On 2013/02/12 16:54:28, asanka wrote: > On 2013/02/12 16:27:27, Justin Schuh wrote: > > On ...
6 years, 2 months ago (2013-02-12 17:09:08 UTC) #12
asanka
6 years, 2 months ago (2013-02-13 17:33:35 UTC) #13
Message was sent while issue was closed.
On 2013/02/12 17:09:08, Justin Schuh wrote:
> On 2013/02/12 16:54:28, asanka wrote:
> > On 2013/02/12 16:27:27, Justin Schuh wrote:
> > > On 2013/02/12 16:08:00, asanka wrote:
> > > > On 2013/02/12 10:17:39, Justin Schuh wrote:
> > > > > This change was done without consulting the security team and
introduced
> a
> > > > > security regression crbug.com/174129  I intend on reverting it
tomorrow
> > > unless
> > > > > there's some reasonable justification, which is lacking from the
> > discussion
> > > in
> > > > > crbug.com/123150
> > > > 
> > > > The change was discussed as mentioned in
> > > > http://code.google.com/p/chromium/issues/detail?id=123150#c69.  It was
> done
> > to
> > > > restore support in XHR for passing explicit credentials. I'll comment on
> > > > crbug.com/174129 regarding this.
> > > 
> > > Apparently the conversation was not interpreted the same by both sides.
So,
> > I'm
> > > still inclined to revert this, and more so because this change left things
> in
> > a
> > > broken state.
> > 
> > Ah. Unfortunately allowing the use of explicit credentials with XHR would, I
> > think, lead to the same problem as described in crbug.com/174129. I'll open
a
> > separate issue for figuring out how to resolve this in a safe manner.
> 
> Please CC tsepez and add the Feature-Security flag. We should work out a
> solution that doesn't revert the phishing protection but doesn't simplify
XSRF.

FYI: Filed https://code.google.com/p/chromium/issues/detail?id=175836 yesterday.
As I noted in the bug, I don't believe reverting this is sufficient to resolve
174129 nor is it a regression.

Powered by Google App Engine
This is Rietveld 408576698