phawind111 / google-cast-sdk

Automatically exported from code.google.com/p/google-cast-sdk
0 stars 0 forks source link

Security: Insecure transfers to Google-Analytics #654

Closed GoogleCodeExporter closed 8 years ago

GoogleCodeExporter commented 8 years ago
What steps will reproduce the problem?

  Open Chrome with Google Cast extension installed.
  Observe: Data leaks out over HTTP. Screenshot: https://twitter.com/ericlaw/status/649439380625469440

What is the expected output? What do you see instead?

Expect HTTPS is used.

What version of the product are you using? On what operating system?
Google Cast 15.827.0.2

Please provide any additional information below.

The manifest.json file included in the extension appears to allow insecure 
transfers to Google-Analytics:

 "content_security_policy": "default-src 'self'; img-src 'self' https://www.google-analytics.com http://www.google-analytics.com;

Original issue reported on code.google.com by bay...@gmail.com on 1 Oct 2015 at 4:24

GoogleCodeExporter commented 8 years ago
We are looking into the issue.

Original comment by jonathan...@google.com on 1 Oct 2015 at 6:32

GoogleCodeExporter commented 8 years ago
We've pushed an update (version 15.827.0.6) that resolves this issue.

Original comment by jonathan...@google.com on 12 Oct 2015 at 11:33