    webauthn: require that requests come from a frame in a focused window. · 441a5eae
    Adam Langley authored
    The spec suggests aborting an operation when focus[1] is lost, but
    that's advice for site developers. I can't find anything in the spec
    about preventing background tabs from triggering operations.
    
    The cryptotoken extension refused to start a registration request, or to
    send a registration response to, anything but the active tab in the
    focused window. But background tabs could complete an authentication
    request.
    
    This change does something similar: it rejects both authentication and
    registration requests unless the requesting frame is in a focused
    window. It also performs that check before returning responses.
    
    This is slightly different from the cryptotoken behaviour because
    cryptotoken could only use what the extensions API exposed. For example,
    if the omnibox was focused, cryptotoken would complete a registration
    from the foreground tab but this code will reject it. I think this
    behaviour is better, and it's certainly far more in line with the content
    / browser separation.
    
    This change has been split from its tests, which will come in a future
    CL.
    
    [1] https://w3c.github.io/webauthn/#abortoperation
    
    Bug: 827266
    Change-Id: If6e97dd6526e175f40718724eda21e3efd434f7f
    Reviewed-on: https://chromium-review.googlesource.com/991073
    Commit-Queue: Adam Langley <agl@chromium.org>
    Reviewed-by: Nasko Oskov <nasko@chromium.org>
    Reviewed-by: Robert Sesek <rsesek@chromium.org>
    Reviewed-by: Balazs Engedy <engedy@chromium.org>
    Cr-Commit-Position: refs/heads/master@{#550195}
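
The policy difference the commit message describes, as an added toy model in C++; it is not Chromium's code and not part of this commit. `FrameState`, `CryptotokenAllows`, `WebAuthnAllows` and `RunOperation` are hypothetical names, and treating omnibox focus as "frame not focused" is an assumption drawn from the message's omnibox example.

```cpp
#include <cstdio>

enum class Op { kRegister, kAuthenticate };
enum class Result { kRejectedAtRequest, kRejectedAtResponse, kCompleted };

// Constructed snapshot of browser state at the moment a check runs.
struct FrameState {
  bool window_focused;   // the browser window has OS-level focus
  bool tab_active;       // the frame's tab is the selected tab in that window
  bool omnibox_focused;  // keyboard focus is in the omnibox, not the page
};

// Behaviour the message attributes to cryptotoken: only registration was
// limited to the active tab of the focused window; authentication was not.
bool CryptotokenAllows(Op op, const FrameState& s) {
  if (op == Op::kAuthenticate) return true;
  return s.window_focused && s.tab_active;
}

// Policy described for this change (assumed model): both operation types
// require the requesting frame itself to be in a focused window.
bool WebAuthnAllows(Op, const FrameState& s) {
  return s.window_focused && s.tab_active && !s.omnibox_focused;
}

// The check runs twice: when the request arrives and again before the
// response is returned, so losing focus mid-operation also rejects.
Result RunOperation(Op op, const FrameState& at_request,
                    const FrameState& at_response) {
  if (!WebAuthnAllows(op, at_request)) return Result::kRejectedAtRequest;
  // ... the authenticator interaction would happen here ...
  if (!WebAuthnAllows(op, at_response)) return Result::kRejectedAtResponse;
  return Result::kCompleted;
}

int main() {
  const FrameState focused{true, true, false};
  const FrameState background{true, false, false};
  const FrameState omnibox{true, true, true};
  std::printf("background auth: old=%d new=%d\n",
              CryptotokenAllows(Op::kAuthenticate, background),
              WebAuthnAllows(Op::kAuthenticate, background));
  std::printf("omnibox register: old=%d new=%d\n",
              CryptotokenAllows(Op::kRegister, omnibox),
              WebAuthnAllows(Op::kRegister, omnibox));
  std::printf("focus lost before response rejected: %d\n",
              RunOperation(Op::kAuthenticate, focused, background) ==
                  Result::kRejectedAtResponse);
  return 0;
}
```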
content_browser_client.cc 21.1 KB