Don't allow HTTP origins for the CryptoToken extension.

BUG=448214 Review URL: https://codereview.chromium.org/847193003 Cr-Commit-Position: refs/heads/master@{#311410}
crosswalk-project · Jan 14, 2015 · 0ee19a5 · 0ee19a5
1 parent 936c15c
commit 0ee19a5
Show file tree

Hide file tree

Showing 3 changed files with 19 additions and 0 deletions.
diff --git a/chrome/browser/resources/cryptotoken/cryptotokenbackground.js b/chrome/browser/resources/cryptotoken/cryptotokenbackground.js
@@ -11,6 +11,9 @@
 /** @const */
 var BROWSER_SUPPORTS_TLS_CHANNEL_ID = true;
 
+/** @const */
+var HTTP_ORIGINS_ALLOWED = false;
+
 /** @const */
 var LOG_SAVER_EXTENSION_ID = 'fjajfjhkeibgmiggdfehjplbhmfkialk';
 

diff --git a/chrome/browser/resources/cryptotoken/enroller.js b/chrome/browser/resources/cryptotoken/enroller.js
@@ -50,6 +50,10 @@ function handleWebEnrollRequest(messageSender, request, sendResponse) {
     sendErrorResponse({errorCode: ErrorCodes.BAD_REQUEST});
     return null;
   }
+  if (sender.origin.indexOf('http://') == 0 && !HTTP_ORIGINS_ALLOWED) {
+    sendErrorResponse({errorCode: ErrorCodes.BAD_REQUEST});
+    return null;
+  }
 
   if (!isValidEnrollRequest(request, 'enrollChallenges', 'signData')) {
     sendErrorResponse({errorCode: ErrorCodes.BAD_REQUEST});
@@ -124,6 +128,10 @@ function handleU2fEnrollRequest(messageSender, request, sendResponse) {
     sendErrorResponse({errorCode: ErrorCodes.BAD_REQUEST});
     return null;
   }
+  if (sender.origin.indexOf('http://') == 0 && !HTTP_ORIGINS_ALLOWED) {
+    sendErrorResponse({errorCode: ErrorCodes.BAD_REQUEST});
+    return null;
+  }
 
   if (!isValidEnrollRequest(request, 'registerRequests', 'signRequests',
       'registeredKeys')) {

diff --git a/chrome/browser/resources/cryptotoken/signer.js b/chrome/browser/resources/cryptotoken/signer.js
@@ -43,6 +43,10 @@ function handleWebSignRequest(messageSender, request, sendResponse) {
     sendErrorResponse({errorCode: ErrorCodes.BAD_REQUEST});
     return null;
   }
+  if (sender.origin.indexOf('http://') == 0 && !HTTP_ORIGINS_ALLOWED) {
+    sendErrorResponse({errorCode: ErrorCodes.BAD_REQUEST});
+    return null;
+  }
 
   queuedSignRequest =
       validateAndEnqueueSignRequest(
@@ -82,6 +86,10 @@ function handleU2fSignRequest(messageSender, request, sendResponse) {
     sendErrorResponse({errorCode: ErrorCodes.BAD_REQUEST});
     return null;
   }
+  if (sender.origin.indexOf('http://') == 0 && !HTTP_ORIGINS_ALLOWED) {
+    sendErrorResponse({errorCode: ErrorCodes.BAD_REQUEST});
+    return null;
+  }
 
   queuedSignRequest =
       validateAndEnqueueSignRequest(