| commit | bb85a6f15e6ba1c38e533bfbcc9a319bf3f31b9f | |
| author | vabr@chromium.org <vabr@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | |
| Thu, 27 Feb 2014 14:41:59 +0000 (27 14:41 +0000) | ||
| committer | vabr@chromium.org <vabr@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | |
| Thu, 27 Feb 2014 14:41:59 +0000 (27 14:41 +0000) | ||
| tree | 65b8d09efca7809b7f91e8f7214e1f6e23d922cf | treesnapshot (tar.gz zip) |
| parent | 73f127cbcc988d6f3874bf49cdeee5dceacb06b9 | commitdiff |
Temporarily disable "gate password autofill on user gesture" on mobile.
The recent implementation (https://codereview.chromium.org/163843002) of the security feature for password autofill broke password autofill on Android.
The discussions about the proper fix are ongoing, but it's not clear at this point whether the feature makes much sense for mobile platforms:
The attack it defends against consists of a rapid redirection through hundreds of (XSS) owned pages, checking for any autofilled passwords. Because this can still take some time, the redirection should take place outside of the active tab (otherwise the user will see it, and the attack would need to be changed to something involving user iteraction anyway). This redirection in background does not seem possible on mobile.
To un-break Andorid until all is clarified, this CL disables the feature for mobile platforms (also iOS).
BUG=345510
Review URL: https://codereview.chromium.org/181323003
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@253818 0039d316-1c4b-4281-b951-d872f2087c98
The recent implementation (https://codereview.chromium.org/163843002) of the security feature for password autofill broke password autofill on Android.
The discussions about the proper fix are ongoing, but it's not clear at this point whether the feature makes much sense for mobile platforms:
The attack it defends against consists of a rapid redirection through hundreds of (XSS) owned pages, checking for any autofilled passwords. Because this can still take some time, the redirection should take place outside of the active tab (otherwise the user will see it, and the attack would need to be changed to something involving user iteraction anyway). This redirection in background does not seem possible on mobile.
To un-break Andorid until all is clarified, this CL disables the feature for mobile platforms (also iOS).
BUG=345510
Review URL: https://codereview.chromium.org/181323003
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@253818 0039d316-1c4b-4281-b951-d872f2087c98
| chrome/browser/password_manager/password_manager_browsertest.cc | diffblobblamehistory | |
| components/autofill/content/renderer/password_autofill_agent.cc | diffblobblamehistory |