    [Desktop][Payments] Allowlist mime-types for payment handlers · 36d2cb43
    Liquan (Max) Gu authored
    Motivation:
    Currently, we allow all mime-types except for pdf as Payment Handler
    pages. This exposes payment handlers to the vulnerabilities of certain
    less-maintained mime-types. Since "text/*", "image/*", "video/*",
    javascript, xml, json could satisfy a majority of use cases, this CL
    allowlists the supported mime-types for payment handlers.
    
    Before, we disallowed the "application/pdf" mime-type for
    payment-handler pages.
    
    After, we allowlist the following mime-types for payment handler pages:
    * text/*
    * image/*
    * video/*
    * application/javascript
    * application/xml
    * application/json
    
    Before, we applied the throttle to mainframes.
    
    After, we apply the throttle to all frames.
    
    Bug: 1165367, 1165392
    Change-Id: Ie69e296dc2c287c38a10ed08c1c40527f941ee47
    Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2622871
    Commit-Queue: Liquan (Max) Gu <maxlg@chromium.org>
    Reviewed-by: Rouslan Solomakhin <rouslan@chromium.org>
    Cr-Commit-Position: refs/heads/master@{#843124}
payment_handler_navigation_throttle.cc 2.52 KB
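
The allowlist from the commit message, sketched as a default-deny check. This is an added example, not code from payment_handler_navigation_throttle.cc or the Chromium tree. `MimeEssence` and `IsAllowedPaymentHandlerMime` are hypothetical names, and stripping parameters and lowercasing before comparison are assumptions of the example.

```cpp
#include <algorithm>
#include <cctype>
#include <string>

// Reduce a Content-Type value to its lowercase "type/subtype" essence.
// Dropping ";param" suffixes and outer whitespace is this example's assumption.
std::string MimeEssence(const std::string& content_type) {
  std::string s = content_type.substr(0, content_type.find(';'));
  const size_t first = s.find_first_not_of(" \t");
  if (first == std::string::npos) return "";
  const size_t last = s.find_last_not_of(" \t");
  s = s.substr(first, last - first + 1);
  std::transform(s.begin(), s.end(), s.begin(), [](unsigned char c) {
    return static_cast<char>(std::tolower(c));
  });
  return s;
}

// Hypothetical helper: true only for the types listed in the commit message.
// Anything not listed, including application/pdf, is rejected by default.
bool IsAllowedPaymentHandlerMime(const std::string& content_type) {
  static const char* const kWildcardTypes[] = {"text", "image", "video"};
  static const char* const kExactTypes[] = {
      "application/javascript", "application/xml", "application/json"};

  const std::string essence = MimeEssence(content_type);
  const size_t slash = essence.find('/');
  // Require exactly one '/', with a non-empty type and a non-empty subtype.
  if (slash == std::string::npos || slash == 0 ||
      slash + 1 == essence.size() ||
      essence.find('/', slash + 1) != std::string::npos) {
    return false;
  }
  // Compare the whole top-level type, not a string prefix, so that a
  // constructed value such as "textual/html" does not match "text/*".
  const std::string type = essence.substr(0, slash);
  for (const char* allowed : kWildcardTypes) {
    if (type == allowed) return true;
  }
  for (const char* allowed : kExactTypes) {
    if (essence == allowed) return true;
  }
  return false;
}
```
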