IWA: Implement entitlement enforcement for user-installed apps [chromium/src : main]
0 views
Skip to first unread message
Andrew Rayskiy (Gerrit)
Feb 26, 2026, 7:26:13 AM (5 days ago) Feb 26
to Zgroza (Luke) Klimek, Rijubrata Bhaumik, Chromium LUCI CQ, Simon Hangl, AyeAye, phoglun...@chromium.org, feature-me...@chromium.org, chfreme...@chromium.org, japhet+...@chromium.org, aixba+wat...@chromium.org, mek+w...@chromium.org, webap...@microsoft.com, kuragin+web-ap...@chromium.org, zelin+watch-we...@chromium.org, loyso...@chromium.org, mattreyno...@chromium.org, odejesu...@chromium.org, mgiuca...@chromium.org, dmurph+watc...@chromium.org, philli...@chromium.org, network-ser...@chromium.org, rmcelra...@chromium.org, dibyapal+wa...@chromium.org
Attention needed from Zgroza (Luke) Klimek
Andrew Rayskiy added 5 comments![]( "Open in Gerrit")
Patchset-level comments
File-level comment, Patchset 12 (Latest):
Andrew Rayskiy . unresolved
(as discussed offline, this requires splitting)
File chrome/browser/media/webrtc/get_all_screens_media_browsertest.cc
Line 224, Patchset 12 (Latest):
&web_app::IsolatedWebAppInstallSource::FromExternalPolicy)Andrew Rayskiy . unresolved
InstallWithSource(web_app::IsolatedWebAppInstallSource::FromExternalPolicy) isn't great for multiple reasons. We shouldn't do this.
File chrome/browser/ui/views/web_apps/web_app_integration_test_driver.cc
Line 1562, Patchset 12 (Latest):
IsolatedWebAppInstallSource::FromDevCommandLine(Andrew Rayskiy . unresolved
Why is this change needed? Are we sure it doesn't break any underlying assumptions?
File chrome/browser/web_applications/isolated_web_apps/runtime_data/BUILD.gn
Line 17, Patchset 12 (Latest):
defines += [ "ENABLE_SMART_CARD" ]Andrew Rayskiy . unresolved
Why is this needed? `runtime_data` knows nothing about the specifics of the smart card API.
File chrome/browser/web_applications/isolated_web_apps/test/fake_chrome_iwa_runtime_data_provider.h
Line 122, Patchset 12 (Latest):
void set_allow_all_user_installs_with_all_entitlements(bool allow_all) {Andrew Rayskiy . unresolved
That would be a -1 from me -- let's either update the affected tests or introduce a separate fake provider that returns true for any entitlement requests.
Related details
Attention is currently required from:
- Zgroza (Luke) Klimek
Submit Requirements:
Code-Coverage
Code-Owners
Code-Review
No-Unresolved-Comments
Review-Enforcement
| Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings. |
Zgroza (Luke) Klimek (Gerrit)
Feb 26, 2026, 9:20:21 AM (5 days ago) Feb 26
to Rijubrata Bhaumik, Chromium LUCI CQ, Andrew Rayskiy, Simon Hangl, AyeAye, phoglun...@chromium.org, feature-me...@chromium.org, chfreme...@chromium.org, japhet+...@chromium.org, aixba+wat...@chromium.org, mek+w...@chromium.org, webap...@microsoft.com, kuragin+web-ap...@chromium.org, zelin+watch-we...@chromium.org, loyso...@chromium.org, mattreyno...@chromium.org, odejesu...@chromium.org, mgiuca...@chromium.org, dmurph+watc...@chromium.org, philli...@chromium.org, network-ser...@chromium.org, rmcelra...@chromium.org, dibyapal+wa...@chromium.org
Attention needed from Andrew Rayskiy
Zgroza (Luke) Klimek voted and added 2 comments![]( "Open in Gerrit")
Votes added by Zgroza (Luke) Klimek
| Commit-Queue | +1 |
2 comments
File chrome/browser/ui/views/web_apps/web_app_integration_test_driver.cc
Line 1562, Patchset 12:
IsolatedWebAppInstallSource::FromDevCommandLine(Andrew Rayskiy . unresolved
Why is this change needed? Are we sure it doesn't break any underlying assumptions?
Zgroza (Luke) Klimek
It should not. Essentially this is about tests that do not use IWA test harness, and as such do not have auto-injected fake entitlements provider. Editing all of those by hand and adding entitlements would be a bit of a pain.
File chrome/browser/web_applications/isolated_web_apps/runtime_data/BUILD.gn
Line 17, Patchset 12:
defines += [ "ENABLE_SMART_CARD" ]Andrew Rayskiy . unresolved
Why is this needed? `runtime_data` knows nothing about the specifics of the smart card API.
Zgroza (Luke) Klimek
It's about the general effort of not compiling smart card specific stuff on systems that do not support the API, it's similar in many other places. Here it's about iffing-out smart card permissions policy related stuff if the browser does not support the API anyway.
Related details
Attention is currently required from:
- Andrew Rayskiy
Submit Requirements:
Code-Coverage
Code-Owners
Code-Review
No-Unresolved-Comments
Review-Enforcement
| Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings. |
Andrew Rayskiy (Gerrit)
Feb 26, 2026, 9:57:56 AM (5 days ago) Feb 26
to Zgroza (Luke) Klimek, Rijubrata Bhaumik, Chromium LUCI CQ, Simon Hangl, AyeAye, phoglun...@chromium.org, feature-me...@chromium.org, chfreme...@chromium.org, japhet+...@chromium.org, aixba+wat...@chromium.org, mek+w...@chromium.org, webap...@microsoft.com, kuragin+web-ap...@chromium.org, zelin+watch-we...@chromium.org, loyso...@chromium.org, mattreyno...@chromium.org, odejesu...@chromium.org, mgiuca...@chromium.org, dmurph+watc...@chromium.org, philli...@chromium.org, network-ser...@chromium.org, rmcelra...@chromium.org, dibyapal+wa...@chromium.org
Attention needed from Zgroza (Luke) Klimek
Andrew Rayskiy added 1 comment![]( "Open in Gerrit")
File chrome/browser/web_applications/isolated_web_apps/test/fake_chrome_iwa_runtime_data_provider.cc
Line 200, Patchset 13 (Latest):
return IwaKeyDistributionInfoProvider::GetInstanceForTesting()Andrew Rayskiy . unresolved
Oh, I didn't notice that too. It's even worse, so please don't :/
Related details
Attention is currently required from:
- Zgroza (Luke) Klimek
Submit Requirements:
Code-Coverage
Code-Owners
Code-Review
No-Unresolved-Comments
Review-Enforcement
| Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings. |
Zgroza (Luke) Klimek (Gerrit)
Feb 26, 2026, 10:15:51 AM (5 days ago) Feb 26
to Rijubrata Bhaumik, Chromium LUCI CQ, Andrew Rayskiy, Simon Hangl, AyeAye, phoglun...@chromium.org, feature-me...@chromium.org, chfreme...@chromium.org, japhet+...@chromium.org, aixba+wat...@chromium.org, mek+w...@chromium.org, webap...@microsoft.com, kuragin+web-ap...@chromium.org, zelin+watch-we...@chromium.org, loyso...@chromium.org, mattreyno...@chromium.org, odejesu...@chromium.org, mgiuca...@chromium.org, dmurph+watc...@chromium.org, philli...@chromium.org, network-ser...@chromium.org, rmcelra...@chromium.org, dibyapal+wa...@chromium.org
Attention needed from Andrew Rayskiy
Zgroza (Luke) Klimek voted and added 1 comment![]( "Open in Gerrit")
Votes added by Zgroza (Luke) Klimek
| Commit-Queue | +1 |
1 comment
File chrome/browser/web_applications/isolated_web_apps/test/fake_chrome_iwa_runtime_data_provider.cc
Line 200, Patchset 13:
return IwaKeyDistributionInfoProvider::GetInstanceForTesting()Andrew Rayskiy . resolved
Oh, I didn't notice that too. It's even worse, so please don't :/
Zgroza (Luke) Klimek
I don't remember why I did that, frankly, probably a relic of one of the past approaches.
Related details
Attention is currently required from:
- Andrew Rayskiy
Submit Requirements:
Code-Coverage
Code-Owners
Code-Review
No-Unresolved-Comments
Review-Enforcement
| Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings. |
Zgroza (Luke) Klimek (Gerrit)
Mar 2, 2026, 9:30:15 AM (yesterday) Mar 2
to Rijubrata Bhaumik, Chromium LUCI CQ, Andrew Rayskiy, Simon Hangl, AyeAye, phoglun...@chromium.org, feature-me...@chromium.org, chfreme...@chromium.org, japhet+...@chromium.org, aixba+wat...@chromium.org, mek+w...@chromium.org, webap...@microsoft.com, kuragin+web-ap...@chromium.org, zelin+watch-we...@chromium.org, loyso...@chromium.org, mattreyno...@chromium.org, odejesu...@chromium.org, mgiuca...@chromium.org, dmurph+watc...@chromium.org, philli...@chromium.org, network-ser...@chromium.org, rmcelra...@chromium.org, dibyapal+wa...@chromium.org
Attention needed from Andrew Rayskiy
Zgroza (Luke) Klimek voted Commit-Queue+0![]( "Open in Gerrit")
| Commit-Queue | +0 |
Reply all
Reply to author
Forward
0 new messages