Security: Address bar spoofing with chrome://newtab + 204 No Content
Reported by
chromium...@gmail.com,
Mar 3 2016
|
||||||
Issue descriptionVERSION Chrome Version: 51.0.2665.0 canary Operating System: Windows 7 REPRODUCTION CASE 1. Open new tab "chrome://newtab" 2. Type https://www.google.com/csi in the omnibox and press ENTER. 3. As yu can see http://www.google.com/csi in address bar, but it is incorrect.
,
Mar 3 2016
From http://expample.com to google.com/csi -> not allowed From chrome://newtab to google.com/csi -> allowed When I use any website "expample.com" then I try to access google.com/csi doesn't navigate, and that's what I expected with chrome://newtab.
,
Mar 3 2016
I think the omnibox must be empty after trying to access google.com/csi (as I tested on Firefox).
,
Mar 3 2016
Thanks, Khalil! Add component label for better triage.
,
Mar 3 2016
,
Mar 3 2016
,
Mar 7 2016
I couldn't repro this issue when I tried on incognito window. That's what I expected on simple window.
,
Mar 7 2016
This is working as intended, and matches Firefox's behavior. For motivation, see comment 17 of issue 355537 . The fix was implemented in https://codereview.chromium.org/232463007/ (in Browser::ShouldPreserveAbortedURLs). There's a comment explaining it in NavigatorImpl::DidFailProvisionalLoadWithError: // However, we do preserve the pending entry in some cases, such as on the // initial navigation of an unmodified blank tab. We also allow the // delegate to say when it's safe to leave aborted URLs in the omnibox, to // let the user edit the URL and try again. This may be useful in cases // that the committed page cannot be attacker-controlled. In these cases, // we still allow the view to clear the pending entry and typed URL if the // user requests (e.g., hitting Escape with focus in the address bar).
,
Mar 7 2016
|
||||||
►
Sign in to add a comment |
||||||
Comment 1 by jialiul@chromium.org
, Mar 3 2016Labels: -Type-Bug-Security -Restrict-View-SecurityTeam Needs-Feedback Type-Bug