Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fix unsafe javascript calls in brave://rewards #8740

Merged
merged 4 commits into from
May 11, 2021
Merged

Fix unsafe javascript calls in brave://rewards #8740

merged 4 commits into from
May 11, 2021

Conversation

wchen342
Copy link
Contributor

@wchen342 wchen342 commented May 7, 2021

Resolves brave/brave-browser/issues/15672.

Submitter Checklist:

  • I confirm that no security/privacy review is needed, or that I have requested one
  • There is a ticket for my issue
  • Used Github auto-closing keywords in the PR description above
  • Wrote a good PR/commit description
  • Added appropriate labels (QA/Yes or QA/No; release-notes/include or release-notes/exclude; OS/...) to the associated issue
  • Checked the PR locally: npm run test -- brave_browser_tests, npm run test -- brave_unit_tests, npm run lint, npm run gn_check, npm run tslint
  • Ran git rebase master (if needed)

Reviewer Checklist:

  • A security review is not needed, or a link to one is included in the PR description
  • New files have MPL-2.0 license header
  • Adequate test coverage exists to prevent regressions
  • Major classes, functions and non-trivial code blocks are well-commented
  • Changes in component dependencies are properly reflected in gn
  • Code follows the style guide
  • Test plan is specified in PR before merging

After-merge Checklist:

Test Plan:

@wchen342 wchen342 requested a review from bridiver May 7, 2021 06:33
@wchen342 wchen342 requested a review from a team as a code owner May 7, 2021 06:33
@wchen342 wchen342 self-assigned this May 7, 2021
@wchen342 wchen342 force-pushed the fix-unsafe-javascript-call-rewards-ui branch 4 times, most recently from 56b295f to ceaeef7 Compare May 7, 2021 14:13
@emerick emerick requested a review from zenparsing May 7, 2021 14:25
@wchen342 wchen342 force-pushed the fix-unsafe-javascript-call-rewards-ui branch 2 times, most recently from 4510a5b to 18be654 Compare May 7, 2021 15:17
emerick
emerick approved these changes May 7, 2021
View reviewed changes
Copy link
Contributor

@emerick emerick left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

zenparsing
zenparsing approved these changes May 7, 2021
View reviewed changes
Copy link
Collaborator

@zenparsing zenparsing left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code looks good. Have we done a sanity check on the rewards page for both desktop and Android?

@wchen342
Copy link
Contributor Author

wchen342 commented May 7, 2021

No I don't think so. I have checked the page on Android by clicking some buttons though.

bridiver
bridiver reviewed May 10, 2021
View reviewed changes
browser/ui/webui/brave_rewards_page_ui.cc
const base::ListValue* args) {
if (!web_ui()->CanCallJavascript()) {
return;
void RewardsDOMHandler::OnJavascriptDisallowed() {
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

you also need to call weak_factory_.InvalidateWeakPtrs() to make sure no callbacks complete after this is called

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Fixed.

@wchen342 wchen342 force-pushed the fix-unsafe-javascript-call-rewards-ui branch from 18be654 to 60ec2da Compare May 10, 2021 17:29
@wchen342
Copy link
Contributor Author

CI failures unrelated to the PR.

@wchen342 wchen342 merged commit 967d6fe into master May 11, 2021
@wchen342 wchen342 deleted the fix-unsafe-javascript-call-rewards-ui branch May 11, 2021 07:25
@wchen342 wchen342 added this to the 1.26.x - Nightly milestone May 13, 2021
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@zenparsing zenparsing zenparsing approved these changes

@emerick emerick emerick approved these changes

@bridiver bridiver bridiver approved these changes

@deeppandya deeppandya Awaiting requested review from deeppandya

Assignees

@wchen342 wchen342

Labels
None yet
Projects
None yet
Milestone
1.26.x - Release
Development

Successfully merging this pull request may close these issues.

Remove unsafe Javascript calls from brave://rewards
4 participants
@wchen342 @bridiver @emerick @zenparsing