authorGravatar mtklein <mtklein@chromium.org>2015-06-16 13:23:03 -0700
committerGravatar Commit bot <commit-bot@chromium.org>2015-06-16 13:23:03 -0700
commit921827bbc78717f514ebd11bf55ac0dd2fe9308c (patch)
tree7c32a0723c1bcfbbd379484d6ac92709985c1e46
parent85ab55114f3e2d688d0705e3482fc77ec8a46a64 (diff)
Add a note to SkGlobalInitialization_chromium.cpp.
BUG=chromium:486947 Review URL: https://codereview.chromium.org/1193453004
-rw-r--r--src/ports/SkGlobalInitialization_chromium.cpp17
1 files changed, 17 insertions, 0 deletions
diff --git a/src/ports/SkGlobalInitialization_chromium.cpp b/src/ports/SkGlobalInitialization_chromium.cpp
index 0f7d71b207..b3eb3aa743 100644
--- a/src/ports/SkGlobalInitialization_chromium.cpp
+++ b/src/ports/SkGlobalInitialization_chromium.cpp
@@ -61,6 +61,23 @@
#include "SkMatrixImageFilter.h"
#include "SkXfermodeImageFilter.h"
+// !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+//
+// Adding new classes to Init() below has security consequences in Chrome.
+//
+// In particular, it is important that we don't create code paths that
+// deserialize untrusted data as SkImageFilters; SkImageFilters are sent from
+// Chrome renderers (untrusted) to the main (trusted) process.
+//
+// If you add a new SkImageFilter here _or_ other effect that can be part of
+// an SkImageFilter, it's a good idea to have chrome-security@google.com sign
+// off on the CL, and at minimum extend SampleFilterFuzz.cpp to fuzz it.
+//
+// SkPictures are untrusted data. Please be extremely careful not to allow
+// SkPictures created in a Chrome renderer to be deserialized in the main process.
+//
+// !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+
class SkPrivateEffectInitializer {
public:
static void Init() {