Add security note to URLLoaderFactoryParams

For instance, kBrowserProcessId allows for access to file:// urls and other urls, effectively allowing user data to be read and sent to the network. Change-Id: Iabbb9cdd56061a689c35f4b84550a78a4eed9957 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2429871Reviewed-by: Matthew Denton <mpdenton@chromium.org> Commit-Queue: Alex Gough <ajgo@chromium.org> Cr-Commit-Position: refs/heads/master@{#810602}

Add security note to URLLoaderFactoryParams
For instance, kBrowserProcessId allows for access to file:// urls and other urls, effectively allowing user data to be read and sent to the network. Change-Id: Iabbb9cdd56061a689c35f4b84550a78a4eed9957 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2429871Reviewed-by: Matthew Denton <mpdenton@chromium.org> Commit-Queue: Alex Gough <ajgo@chromium.org> Cr-Commit-Position: refs/heads/master@{#810602}
7a768a5e · Alex Gough · Commit Bot · 4adc9af7 · 7a768a5e
Commit 7a768a5e authored Sep 25, 2020 by Alex Gough Committed by Commit Bot Sep 25, 2020
Hide whitespace changes
Inline Side-by-side

Showing with 3 additions and 0 deletions

services/network/public/mojom/network_context.mojom services/network/public/mojom/network_context.mojom +3 -0

No files found.
--- a/services/network/public/mojom/network_context.mojom
+++ b/services/network/public/mojom/network_context.mojom
@@ -605,6 +605,9 @@ enum TrustTokenRedemptionPolicy {
 struct URLLoaderFactoryParams {
  // Process requesting the URLLoaderFactory.
  // Set to kBrowserProcessId to indicate the browser process.
+  //
+  // SECURITY NOTE: Factories with kBrowserProcessId should not be sent
+  // to untrustworthy processes.
  int32 process_id = kInvalidProcessId;

  // If specified, then |request_initiator_origin_lock| locks