Set Ready For Review
Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings. |
Hi Mason, could you please take a look at this?
Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings. |
Code-Review | +1 |
Looks good to me! I'm not a CSP expert though - it'd be good if you got someone with more direct experience to also take another look.
Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings. |
Antonio, could you please take a look at the CL?
Basically, the PEPC requires the presence of a frame-ancestors directive. This directive is required if the document using PEPC is embedded in a cross origin to top-level frame.
We have considered several approaches:
Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings. |
Code-Review | +1 |
Thanks. The CL LGTM, I left a couple comments on the design doc though.
bool HasEnforceFrameAncestorsCSPPresent(ExecutionContext* context) {
I generally wonder if it would make more sense to put this logic inside content_security_policy.cc. Ideally external components would not inspect the parsed CSP policies directly (even if they are exposed), but rely instead on common methods. This is a bit of a particular case though, since the logic is very ad-hoc (and there is not much logic at all).
Just for you to think about it, but it's fine to leave it here for me.
"frame-ancestors 'self' https://example.com"}};
(nit) I think we generally prefer using reserved test hosts (like example.test and cross-example.test) in tests and avoid including in our source code domains that can actually be registered and exist for real
permission_service()->set_pepc_registered_callback(
base::BindOnce(&NotReachedForPEPCRegistered));
(super nit, feel free to ignore): It would seem safer to do this by instantiating an object that resets the pepc_registered_callback when it is destroyed.
Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings. |
bool HasEnforceFrameAncestorsCSPPresent(ExecutionContext* context) {
I generally wonder if it would make more sense to put this logic inside content_security_policy.cc. Ideally external components would not inspect the parsed CSP policies directly (even if they are exposed), but rely instead on common methods. This is a bit of a particular case though, since the logic is very ad-hoc (and there is not much logic at all).
Just for you to think about it, but it's fine to leave it here for me.
+1, I will make the move, thanks for the feedback
(nit) I think we generally prefer using reserved test hosts (like example.test and cross-example.test) in tests and avoid including in our source code domains that can actually be registered and exist for real
Done
permission_service()->set_pepc_registered_callback(
base::BindOnce(&NotReachedForPEPCRegistered));
(super nit, feel free to ignore): It would seem safer to do this by instantiating an object that resets the pepc_registered_callback when it is destroyed.
That's an interesting point, I guess we might have to change the TestPermissionService as well. I will do that, when this pattern is expanded in the future.
Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings. |
Thanks. The CL LGTM, I left a couple comments on the design doc though.
I moved the function to CSP code, can you please take a look?
Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings. |
Code-Review | +1 |
Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings. |
Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings. |
Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings. |
Thomas NguyenThanks. The CL LGTM, I left a couple comments on the design doc though.
I moved the function to CSP code, can you please take a look?
Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings. |
Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings. |
5 is the latest approved patch-set.
No files were changed between the latest approved patch-set and the submitted one.
[PEPC] Not allow PEPC in cross-origin subframe without frame-ancestors
The frame-ancestors CSP directive must be explicitly included to allow a
document using PEPC to be embedded cross-origin (to the top level
frame). That's a security measure outlined in DD
https://docs.google.com/document/d/1a1gjlJ4VkAWoG8AeGKZDcQXm_c0q-cFTs_5MxmjWVYI/edit?tab=t.0
Explainer PR: https://github.com/WICG/PEPC/pull/15/commits
Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings. |