
Issue 592956

Starred by 1 user

Issue metadata

Status: Fixed
Owner:
Closed: Mar 2016
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: All
Pri: 2
Type: Bug-Security




Security: XSS on NTP

Project Member Reported by jochen@chromium.org, Mar 8 2016

Issue description

From claudioc@google.com

repro steps:

chrome-search://most-visited/single.html?removeTooltip=%27%22%20class%3dmv-x%3E%3C/div%3E%3C/a%3E%3Ca%20href%3d%22javascript:alert(1)%22%3Efoo%3C/a%3E

then 
window.postMessage({cmd: "tile", id: 123, tid:456, url: "javascript:alert(1)", title: "foo", thumbnailUrl: "javascript:alert(2)"},"*")
window.postMessage({cmd:"show"}, "*")

[in fairness, you can also leave the removeTooltip empty, it's going to trigger anyway]. 

CSP blocks us here so it's not really exploitable, but I figured I'd mention in case you see something we don't.

The CSP in this case is interesting:

Content-Security-Policy:script-src chrome://resources 'self' 'unsafe-eval'; object-src 'none';frame-src 'none';

It contains chrome://resources, which contains the latest copy of the Polymer library. I think we can circumvent CSP in this case if we can include resources from chrome://resources. However, in our manual tests, the inclusion was blocked by Chrome since the "chrome-search" scheme seems to have some special handling for script includes. We were thus unsure why chrome://resources is even on the white list if you cannot include scripts from it.
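The defensive counterpart to the report above, as an added example rather than Chromium's own code: the most-visited frame validates each postMessage "tile" command (origin check, integer ids, http/https-only URLs so that javascript: tiles and thumbnails are refused) and escapes the removeTooltip query value and every other string before it reaches markup. The expected-origin value is an assumption.

```javascript
// Added example, not Chromium's code: validate a postMessage "tile" command
// in the most-visited iframe and render it without string-built markup from
// untrusted input. The expected origin value is an assumption.
const ALLOWED_SCHEMES = new Set(['http:', 'https:']);

function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Only navigable web URLs are accepted; javascript:, data: etc. are refused.
function isSafeUrl(value) {
  if (typeof value !== 'string') return false;
  try {
    return ALLOWED_SCHEMES.has(new URL(value).protocol);
  } catch (e) {
    return false;
  }
}

// Returns a sanitised tile, or null if the message must be dropped.
function validateTileMessage(data, origin, expectedOrigin) {
  if (origin !== expectedOrigin) return null;      // never accept "*"
  if (!data || data.cmd !== 'tile') return null;
  if (!Number.isInteger(data.id) || !Number.isInteger(data.tid)) return null;
  if (!isSafeUrl(data.url)) return null;           // drops url: "javascript:alert(1)"
  return {
    id: data.id,
    tid: data.tid,
    url: data.url,
    title: typeof data.title === 'string' ? data.title : '',
    // A bad thumbnail loses only the thumbnail, not the whole tile.
    thumbnailUrl: isSafeUrl(data.thumbnailUrl) ? data.thumbnailUrl : null,
  };
}

// removeTooltip comes from the query string and is escaped as attribute text.
function renderTile(tile, removeTooltip) {
  const thumb = tile.thumbnailUrl
    ? `<img src="${escapeHtml(tile.thumbnailUrl)}" alt="">` : '';
  return `<a href="${escapeHtml(tile.url)}" data-tid="${tile.tid}">` +
    `<div class="mv-title">${escapeHtml(tile.title)}</div>${thumb}` +
    `<div class="mv-x" title="${escapeHtml(removeTooltip)}"></div></a>`;
}

// Constructed sample inputs mirroring the report above.
const REPORT_TILE = { cmd: 'tile', id: 123, tid: 456, url: 'javascript:alert(1)',
  title: 'foo', thumbnailUrl: 'javascript:alert(2)' };
const REPORT_TOOLTIP = '\'" class=mv-x></div></a><a href="javascript:alert(1)">foo</a>';
```

With this shape the CSP is a second line of defence rather than the only thing standing between the tile message and script execution.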
 
Labels: Security_Severity-Low Security_Impact-Stable Pri-2
Status: Assigned (was: Untriaged)

Comment 2 by treib@chromium.org, Mar 9 2016

Status: Started (was: Assigned)

Project Member Comment 3 by bugdroid1@chromium.org, Mar 11 2016

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/120894e0c50e42babadb6314cc997b1f3d7ddd00

commit 120894e0c50e42babadb6314cc997b1f3d7ddd00
Author: treib <treib@chromium.org>
Date: Fri Mar 11 15:27:42 2016

Fix potential XSS on the NTP

BUG= 592956 

Review URL: https://codereview.chromium.org/1775423002

Cr-Commit-Position: refs/heads/master@{#380640}

[modify] https://crrev.com/120894e0c50e42babadb6314cc997b1f3d7ddd00/chrome/browser/resources/local_ntp/most_visited_single.js

Comment 4 by treib@chromium.org, Mar 11 2016

Status: Fixed (was: Started)

Project Member Comment 5 by ClusterFuzz, Mar 11 2016

Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify

Project Member Comment 6 by sheriffbot@chromium.org, Jun 18 2016

Labels: -Restrict-View-SecurityNotify
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Project Member Comment 7 by sheriffbot@chromium.org, Oct 1 2016

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Project Member Comment 8 by sheriffbot@chromium.org, Oct 2 2016

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Labels: allpublic
