Project: chromium Issues People Development process History Sign in
New issue
Advanced search Search tips
Starred by 3 users
Status: WontFix
Owner:
Closed: Aug 2014
Components:
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: ----
Type: Bug-Security



Sign in to add a comment
Security: fullscreen nagbar forces (unsafe) site whitelist
Reported by wes.tur...@gmail.com, Aug 31 2014 Back to list
VULNERABILITY DETAILS
The full-screen nagbar presents only two options: "Exit Full Screen" and "Allow"; effectively forcing a use to whitelist the site or not utilize fullscreen at all.

The user should be able to utilize fullscreen without opening themselves up to clickjacking from any content hosted on a particular domain.

See: https://code.google.com/p/chromium/issues/detail?id=100879

VERSION
Chrome Version: [x.x.x.x] + [stable, beta, or dev]
Operating System: All

REPRODUCTION CASE
Click 'fullscreen' to appreciate a brand's excellent fullscreen content.




 
A one-time 'Okay' button would alleviate this risk
Comment 2 by wfh@chromium.org, Aug 31 2014
Labels: Cr-UI-Browser-FullScreen Cr-Security-UX
Owner: f...@chromium.org
Status: Assigned
felt@ to comment on why a single "allow" button is not available for HTTPs sites.
Comment 3 by f...@chromium.org, Aug 31 2014
Status: WontFix
You can already do this, either:

1. Click allow
2. Later, click on the lock next to the URL for that page
3. You'll see the PageInfo bubble open up. Find the full screen entry
4. Set the fullscreen permission back to "ask by default" or "block"

-or-

Simply ignore the nagbar and don't click either option. You'll still be in full screen.
Screen Shot 2014-08-31 at 9.48.34 PM.png
151 KB View Download
> Simply ignore the nagbar and don't click either option. You'll still be in full screen.

This is distracting; like a un-secure watermark.

> You can already do this, either:
> 
> 1. Click allow
> 2. Later, click on the lock next to the URL for that page
> 3. You'll see the PageInfo bubble open up. Find the full screen entry
> 4. Set the fullscreen permission back to "ask by default" or "block"

So, the current position is un-secure default (whitelist allow) or distracting nagbar.
Should the secure path be easy or should users be duped into whitelisting by default?
Comment 7 by f...@chromium.org, Sep 1 2014
The default in this case is actually to show the nagbar. You need to take action (grant privilege to) get to an unsafe state.
Could you explain the reasoning behind providing a whitelist?
The reasoning for full screen permission is the same as the reasoning for all the permissions:

1. If the user trusts the web site not to abuse the permission, they can grant the permission.

2. If the user does not trust the web site with the permission, they can deny the web site access.

3. In any case, the user can always revoke (or grant) the permission in the Permissions tab of the Page Info Bubble (as seen in the screenshot in https://code.google.com/p/chromium/issues/detail?id=409458#c3, above).

So, this system gives the user considerable power over what web sites are allowed and disallowed to do.

If you want to use a web site in full screen mode without the "nagbar", but don't want to give the site permanent access to the full screen permission, you can either:

1. Browse the site in incognito mode, and grant the permission. The nagbar will go away. When you close your last incognito window, all its memory of your preferences — including the permission grant — will disappear.

- or -

2. Browse the site in normal mode, grant the permission, and then revoke it when you are done using the site.

- or -

3. Create a dedicate Chrome profile for the site (chrome://settings/createProfile), and grant the permission to the site only in that profile.
> 3. In any case, the user can always revoke (or grant) the permission in the Permissions tab of the Page Info Bubble (as seen in the screenshot in https://code.google.com/p/chromium/issues/detail?id=409458#c3, above).
> [...]
> If you want to use a web site in full screen mode without the "nagbar", but don't want to give the site permanent access to the full screen permission, you can either:
> 
> 1. Browse the site in incognito mode, and grant the permission. The nagbar will go away. When you close your last incognito window, all its memory of your preferences — including the permission grant — will disappear.
> 
> - or -
> 
> 2. Browse the site in normal mode, grant the permission, and then revoke it when you are done using the site.
> 
> - or -
> 
> 3. Create a dedicate Chrome profile for the site (chrome://settings/createProfile), and grant the permission to the site only in that profile.

Got it. Thanks!
Project Member Comment 11 by clusterf...@chromium.org, Dec 7 2014
Labels: -Restrict-View-SecurityTeam
Bulk update: removing view restriction from closed bugs.
> Simply ignore the nagbar and don't click either option. You'll still be in full screen.

This is problematic for content producers.

No, I am not seeking a bounty here.
Comment 13 by meacer@google.com, Dec 9 2014
Please note that we are still planning to retouch the full screen permission bubble. You can follow the discussion at  bug 352425 .
Thank you again for the screenshot.

Is there a link to the documentation for this feature?
I'm not aware of a design document for the new proposal, but once it's ready I'd expect it to be posted on the other bug.
Project Member Comment 16 by sheriffbot@chromium.org, Oct 1 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Project Member Comment 17 by sheriffbot@chromium.org, Oct 2 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Labels: allpublic
Components: -Security>UX
Labels: Team-Security-UX
Security>UX component is deprecated in favor of the Team-Security-UX label
Sign in to add a comment