Comment updates for presenting web content on the net error page.

TBR=edwardjung@chromium.org Bug: 852872 Change-Id: I6a48dca2ccb00fcac5f4ad2420694478d93639b7 Reviewed-on: https://chromium-review.googlesource.com/c/1285693Reviewed-by: Carlos Knippschild <carlosk@chromium.org> Reviewed-by: Chris Palmer <palmer@chromium.org> Commit-Queue: Carlos Knippschild <carlosk@chromium.org> Cr-Commit-Position: refs/heads/master@{#600621}

Comment updates for presenting web content on the net error page.
TBR=edwardjung@chromium.org Bug: 852872 Change-Id: I6a48dca2ccb00fcac5f4ad2420694478d93639b7 Reviewed-on: https://chromium-review.googlesource.com/c/1285693Reviewed-by: Carlos Knippschild <carlosk@chromium.org> Reviewed-by: Chris Palmer <palmer@chromium.org> Commit-Queue: Carlos Knippschild <carlosk@chromium.org> Cr-Commit-Position: refs/heads/master@{#600621}
4f1e56c0 · Carlos Knippschild · Commit Bot · 9cdf6a51 · 4f1e56c0 · 4f1e56c0
Commit 4f1e56c0 authored Oct 18, 2018 by Carlos Knippschild Committed by Commit Bot Oct 18, 2018
3 changed files
--- a/chrome/browser/offline_pages/thumbnail_decoder_impl.h
+++ b/chrome/browser/offline_pages/thumbnail_decoder_impl.h
@@ -12,10 +12,11 @@

 namespace offline_pages {

-// Decodes the downloaded JPEG image, crops it and re-encode it as a PNG
+// Decodes the downloaded JPEG image, crops it and re-encodes it as a PNG
 // file to be used as the thumbnail of an offlined suggested article.
 // Note: the local decoding in a separate process and local re-encoding as a PNG
-// are important security measures as these downloaded images are web content.
+// are important security measures to disarm a potential maliciously-crafted
+// JPEG, which cannot maintain its evil nature after being converted to PNG.
 class ThumbnailDecoderImpl : public ThumbnailDecoder {
 public:
  explicit ThumbnailDecoderImpl(

--- a/chrome/common/available_offline_content.mojom
+++ b/chrome/common/available_offline_content.mojom
@@ -23,9 +23,12 @@ enum AvailableContentType {
 };

 // A single piece of content that is available offline.
-// Note: Some of the content pieces stored in this struct are web content and
-// must be properly handled for securing their presentation on the net error
-// page.
+// Note: Some of the data stored in this struct is web content and must be
+// properly handled for securing their presentation on the net error page:
+// * Textual content must be set into the  page using the |textContent| property
+//   of the respective DOM elements.
+// * Images must be safely decoded and re-encoded to eliminate any potential
+//   malicious content.
 struct AvailableOfflineContent {
  // Together id and name_space define a unique ID for this item.
  string id;

--- a/components/neterror/resources/neterror.js
+++ b/components/neterror/resources/neterror.js
@@ -246,9 +246,9 @@ function getSuggestedContentDiv(item, index) {

 // Populates a list of suggested offline content.
 // Note: For security reasons all content downloaded from the web is considered
-// unsafe and must be securely handled to be presented on the dino page. The
-// image content is already safely re-encoded after being downloaded but the
-// textual content, like title and attribution, must be properly handled here.
+// unsafe and must be securely handled to be presented on the dino page. Images
+// have already been safely re-encoded but textual content -- like title and
+// attribution -- must be properly handled here.
 function offlineContentAvailable(suggestions) {
  if (!suggestions || !loadTimeData.valueExists('offlineContentList'))
    return;