author | Alex Rudenko <alexrudenko@chromium.org> | 2022-12-21 07:54:07 +0000 |
---|---|---|
committer | Michael Brüning <michael.bruning@qt.io> | 2023-04-04 10:07:00 +0000 |
commit | 0717211ca9d7ee2dcc17a7964170d633aafcfb98 (patch) | |
tree | 9e1fc4c58a58d313143b307341f86ce7839e4180 /chromium/components/media_message_center/BUILD.gn | |
parent | a2a695e382ec345f1f5da6380b262f04a6e7d295 (diff) | |
download | qtwebengine-chromium-0717211ca9d7ee2dcc17a7964170d633aafcfb98.tar.gz |
[Backport] CVE-2023-0704: Insufficient policy enforcement in DevTools
Manual cherry-pick of patch originally reviewed on
https://chromium-review.googlesource.com/c/chromium/src/+/4106102:
DevTools: reject debugging web socket connections with a defined Origin header
Unless the browser is started with a new flag `--remote-allow-origins=<origin>[,<origin>, ...]`. The star origin `*` allows all origins.
This CL should not affect non-browser clients such as Puppeteer and WebDriver. It affects DevTools e2e tests in the hosted mode which is fixed in [1]. It should not affect features like remote debugging that
don't use web sockets.
[1]: https://crrev.com/c/4112007
Bug: chromium:1385982
Change-Id: I721f7db3167ebab63416c8a1f48281735f063e48
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/4106102
Reviewed-by: Dmitry Gozman <dgozman@chromium.org>
Commit-Queue: Alex Rudenko <alexrudenko@chromium.org>
Reviewed-by: Andrey Kosyakov <caseq@chromium.org>
Reviewed-by: Danil Somsikov <dsv@chromium.org>
Cr-Commit-Position: refs/heads/main@{#1085812}
Reviewed-on: https://codereview.qt-project.org/c/qt/qtwebengine-chromium/+/461071
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
Diffstat (limited to 'chromium/components/media_message_center/BUILD.gn')
0 files changed, 0 insertions, 0 deletions
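
The origin policy described in the commit message above, sketched as an added C++ example that is not the Chromium or Qt patch itself. The function names, the exact-string comparison and the sample origins are assumptions made for illustration.

```cpp
#include <cstdio>
#include <string>
#include <vector>

// Hypothetical helper: split a --remote-allow-origins value on commas,
// trimming blanks and dropping empty entries.
std::vector<std::string> ParseAllowedOrigins(const std::string& flag_value) {
  std::vector<std::string> origins;
  std::string::size_type start = 0;
  while (start <= flag_value.size()) {
    std::string::size_type end = flag_value.find(',', start);
    if (end == std::string::npos) end = flag_value.size();
    const std::string item = flag_value.substr(start, end - start);
    const std::string::size_type first = item.find_first_not_of(" \t");
    if (first != std::string::npos) {
      const std::string::size_type last = item.find_last_not_of(" \t");
      origins.push_back(item.substr(first, last - first + 1));
    }
    start = end + 1;
  }
  return origins;
}

// Hypothetical policy check. `origin` is nullptr when the WebSocket upgrade
// request carried no Origin header (the non-browser client case).
bool AllowDebuggingWebSocket(const std::string* origin,
                             const std::vector<std::string>& allowed) {
  if (origin == nullptr) return true;  // no Origin header: policy not applied
  for (const std::string& entry : allowed) {
    // Assumption: exact string match; "*" allows every origin.
    if (entry == "*" || entry == *origin) return true;
  }
  return false;  // Origin defined and not allowlisted: reject
}

int main() {
  // Constructed sample values, not taken from the patch.
  const std::vector<std::string> allowed =
      ParseAllowedOrigins("http://localhost:9222, https://devtools.example");
  const std::string listed = "https://devtools.example";
  const std::string unlisted = "https://untrusted.example";
  std::printf("no Origin header: %d\n", AllowDebuggingWebSocket(nullptr, allowed));
  std::printf("listed origin:    %d\n", AllowDebuggingWebSocket(&listed, allowed));
  std::printf("unlisted origin:  %d\n", AllowDebuggingWebSocket(&unlisted, allowed));
  return 0;
}
```

With an empty allowlist (flag not set), any request that defines an Origin header is rejected, which is the default-deny behaviour the commit message states.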