| commit | 9e714442b731a1fbc40e1017b406e78ba6c78be5 | |
| author | bartfab <bartfab@chromium.org> | |
| Fri, 17 Apr 2015 16:36:40 +0000 (17 09:36 -0700) | ||
| committer | Commit bot <commit-bot@chromium.org> | |
| Fri, 17 Apr 2015 16:40:57 +0000 (17 16:40 +0000) | ||
| tree | 49eb6ce238f3d950c86b18cd3267c64364f137c0 | treesnapshot (tar.gz zip) |
| parent | 9f07769a87f59dd4f70b9a481a4f594faf18c8ab | commitdiff |
Be more strict about accepting SAML passwords
When a Chrome OS user authenticates via SAML, we have to extracts
the password from the IdP's login form(s). Since the auth flow can
span multiple pages, we need to collect potential passwords from all
those pages. However, if we see the same page again, we should assume
that the user went backwards in the flow or typed the wrong password
and any password typed into the second instance of a page should
overwrite the one we extracted from the first instance.
We used to check whether we are on the same page again by comparing
entire URLs. With this CL, we strip the query string and anchor, thus
looking at the protocol, host, port and path only.
BUG=476511
TEST=Manual, with crosdev1.biz
Review URL: https://codereview.chromium.org/1092933002
Cr-Commit-Position: refs/heads/master@{#325652}
When a Chrome OS user authenticates via SAML, we have to extracts
the password from the IdP's login form(s). Since the auth flow can
span multiple pages, we need to collect potential passwords from all
those pages. However, if we see the same page again, we should assume
that the user went backwards in the flow or typed the wrong password
and any password typed into the second instance of a page should
overwrite the one we extracted from the first instance.
We used to check whether we are on the same page again by comparing
entire URLs. With this CL, we strip the query string and anchor, thus
looking at the protocol, host, port and path only.
BUG=476511
TEST=Manual, with crosdev1.biz
Review URL: https://codereview.chromium.org/1092933002
Cr-Commit-Position: refs/heads/master@{#325652}
| chrome/browser/resources/gaia_auth/saml_injected.js | diffblobblamehistory |