Prevent usage of web payments API over insecure HTTPS.

Desktop / Chromium - rouslan [chromium.org] - 17 April 2017 17:23 EDT

Before this patch, the web payments UI would allow user to make payments easily on pages with invalid HTTPS certificates. Even if the URL bar showed a red, crossed-out "https", the web payments UI would show a green "https" with a green lock icon.

This patch fixes the problem by checking the security level of the page. An HTTPS page that's not EV_SECURE, SECURE, or SECURE_WITH_POLICY_INSTALLED_CERT is prevented from using any payment apps.

After this patch, invoking PaymentRequest.show() will always return NotSupportedError on pages with invalid HTTPS certificates. This is because Chrome is not providing any payment apps for such pages. Invoking PaymentRequest.canMakePayment() will always return "false" for the same reason.

Caveat: Pages with invalid HTTPS certificates are still considered "SecureContext" in web platform, so throwing "SecurityError" in the PaymentRequest constructor is not an option.

To test an invalid HTTPS certificate: 1) Visit https://edellroot.badssl.com/input/web-payment. 2) Bypass the interstitial. 3) Tap [Initiate payment] button. Observe: The web payments UI does not show.

To test a valid HTTPS certificate: 1) Visit https://badssl.com/input/web-payment. 2) Tap [Initiate payment] button. Observe: The web payments UI shows.

BUG=678764

Review-Url: https://codereview.chromium.org/2815763002 Cr-Commit-Position: refs/heads/master@{#465022}

6e3cf7c Prevent usage of web payments API over insecure HTTPS.
.../browser/payments/PaymentRequestImpl.java | 35 +++++++++----
.../browser/payments/SslValidityChecker.java | 26 +++++++++
chrome/android/java_sources.gni | 1 +
chrome/browser/BUILD.gn | 5 ++
.../android/chrome_payments_jni_registrar.cc | 2 +
.../android/ssl_validity_checker_android.cc | 27 ++++++++++
.../android/ssl_validity_checker_android.h | 16 ++++++
.../payments/chrome_payment_request_delegate.cc | 9 ++++
.../payments/chrome_payment_request_delegate.h | 2 +
chrome/browser/payments/ssl_validity_checker.cc | 29 ++++++++++
chrome/browser/payments/ssl_validity_checker.h | 29 ++++++++++
.../cvc_unmask_view_controller_browsertest.cc | 3 +-
.../views/payments/order_summary_view_controller.h | 1 -
.../views/payments/payment_request_browsertest.cc | 47 ++++++++++++-----
.../payments/payment_request_browsertest_base.cc | 35 ++++++++++---
.../payments/payment_request_browsertest_base.h | 9 +++-
...payment_request_can_make_payment_browsertest.cc | 26 ++++++---
.../views/payments/payment_request_dialog_view.h | 1 -
.../payment_request_payment_app_browsertest.cc | 29 ++++++++++
...payment_request_payment_response_browsertest.cc | 61 ++++++++--------------
.../views/payments/payment_sheet_view_controller.h | 1 -
.../payments/shipping_option_view_controller.h | 1 -
.../test_chrome_payment_request_delegate.cc | 12 +++--
.../test_chrome_payment_request_delegate.h | 7 ++-
chrome/test/BUILD.gn | 1 +
components/payments/content/BUILD.gn | 2 +
components/payments/content/android/BUILD.gn | 4 ++
.../content/android/component_jni_registrar.cc | 2 +
.../components/payments/OriginSecurityChecker.java | 37 +++++++++++++
.../android/origin_security_checker_android.cc | 41 +++++++++++++++
.../android/origin_security_checker_android.h | 16 ++++++
.../payments/content/origin_security_checker.cc | 22 ++++++++
.../payments/content/origin_security_checker.h | 29 ++++++++++
components/payments/content/payment_request.cc | 59 ++++++++++++++++-----
components/payments/content/payment_request.h | 2 +-
.../payments/content/payment_request_spec.cc | 23 ++------
components/payments/content/payment_request_spec.h | 5 --
.../content/payment_request_spec_unittest.cc | 17 +-----
.../payments/content/payment_request_state.cc | 13 +++--
.../payments/content/payment_request_state.h | 6 +++
.../content/payment_response_helper_unittest.cc | 11 +++-
.../payments/core/payment_request_data_util.cc | 5 +-
.../payments/core/payment_request_data_util.h | 7 ++-
.../payments/core/payment_request_delegate.h | 9 ++++
ios/chrome/browser/payments/payment_request.mm | 11 ++--
45 files changed, 574 insertions(+), 162 deletions(-)

Upstream: git.chromium.org


  • Share