Remove SecurityPolicy::IsUrlTrustworthySafelisted()

This CL removes SecurityPolicy::IsUrlTrustworthySafelisted() which is basically a wrapper to IsOriginTrustworthySafelisted(). The only place where it is used outside SecurityOrigin::IsSecure() is in PaymentsValidators::IsValidMethodFormat() for a non-opaque http URL. However, the corresponding section can thus just be replaced with a call to SecurityOrigin::IsPotentiallyTrustworthy(). Bug: 1153336 Change-Id: I3f3362aa12ab10ee2a2ed945064203deec622ca7 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2587738Reviewed-by: Mike West <mkwst@chromium.org> Commit-Queue: Frédéric Wang <fwang@igalia.com> Cr-Commit-Position: refs/heads/master@{#836620}

Remove SecurityPolicy::IsUrlTrustworthySafelisted()
This CL removes SecurityPolicy::IsUrlTrustworthySafelisted() which is basically a wrapper to IsOriginTrustworthySafelisted(). The only place where it is used outside SecurityOrigin::IsSecure() is in PaymentsValidators::IsValidMethodFormat() for a non-opaque http URL. However, the corresponding section can thus just be replaced with a call to SecurityOrigin::IsPotentiallyTrustworthy(). Bug: 1153336 Change-Id: I3f3362aa12ab10ee2a2ed945064203deec622ca7 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2587738Reviewed-by: Mike West <mkwst@chromium.org> Commit-Queue: Frédéric Wang <fwang@igalia.com> Cr-Commit-Position: refs/heads/master@{#836620}
82d96048 · Frédéric Wang · Chromium LUCI CQ · 03fc57a3 · 82d96048 · 82d96048
Commit 82d96048 authored Dec 14, 2020 by Frédéric Wang Committed by Chromium LUCI CQ Dec 14, 2020
4 changed files
--- a/third_party/blink/renderer/modules/payments/payments_validators.cc
+++ b/third_party/blink/renderer/modules/payments/payments_validators.cc
@@ -168,16 +168,7 @@ bool PaymentsValidators::IsValidMethodFormat(const String& identifier) {
  if (url.Protocol() != "http")
    return false;
-  // Allow http://localhost for local development.
+  return SecurityOrigin::Create(url)->IsPotentiallyTrustworthy();
-  if (SecurityOrigin::Create(url)->IsLocalhost())
-    return true;
-  // Allow http:// origins from
-  // --unsafely-treat-insecure-origin-as-secure=<origin> for local development.
-  if (SecurityPolicy::IsUrlTrustworthySafelisted(url))
-    return true;
-  return false;
 }
 void PaymentsValidators::ValidateAndStringifyObject(

--- a/third_party/blink/renderer/platform/weborigin/security_origin.cc
+++ b/third_party/blink/renderer/platform/weborigin/security_origin.cc
@@ -308,10 +308,8 @@ bool SecurityOrigin::IsSecure(const KURL& url) {
                                    ExtractInnerURL(url).Protocol()))
    return true;
-  if (SecurityPolicy::IsUrlTrustworthySafelisted(url))
+  return SecurityPolicy::IsOriginTrustworthySafelisted(
-    return true;
+      *SecurityOrigin::Create(url).get());
-  return false;
 }
 base::Optional<base::UnguessableToken>

--- a/third_party/blink/renderer/platform/weborigin/security_policy.cc
+++ b/third_party/blink/renderer/platform/weborigin/security_policy.cc
@@ -202,13 +202,6 @@ bool SecurityPolicy::IsOriginTrustworthySafelisted(
  return false;
 }
-bool SecurityPolicy::IsUrlTrustworthySafelisted(const KURL& url) {
-  // Early return to avoid initializing the SecurityOrigin.
-  if (TrustworthyOriginSafelist().IsEmpty())
-    return false;
-  return IsOriginTrustworthySafelisted(*SecurityOrigin::Create(url).get());
-}
 bool SecurityPolicy::IsOriginAccessAllowed(
    const SecurityOrigin* active_origin,
    const SecurityOrigin* target_origin) {

--- a/third_party/blink/renderer/platform/weborigin/security_policy.h
+++ b/third_party/blink/renderer/platform/weborigin/security_policy.h
@@ -93,7 +93,6 @@ class PLATFORM_EXPORT SecurityPolicy {
  static void AddOriginToTrustworthySafelist(const String&);
  static bool IsOriginTrustworthySafelisted(const SecurityOrigin&);
-  static bool IsUrlTrustworthySafelisted(const KURL&);
  static bool ReferrerPolicyFromString(const String& policy,
                                       ReferrerPolicyLegacyKeywordsSupport,