Clicks to open a Chrome URL from an http/https page should be ignored and irresponsive

Issue description

Currently on Chrome iOS, clicking on a Chrome URL link from an http/https page is responsive and opens the Chrome link in the current tab. On Clank and Desktop, the click is intentionally ignored and irresponsive for some security reasons. Chrome iOS should be changed to do the same and ignore clicks to open a Chrome URL from an http/https page. https://window-opener-test.appspot.com/chrome_url can be used for testing this.
,
Apr 16 2016
Chris, do you know how serious this bug is from a security perspective?
,
Apr 18 2016
chrome: URLs typically have increased power (e.g. access to APIs/internals that web origins do not have); for that reason, navigations to chrome: URLs also involve a process switch (since the previous process may have been controlled/compromised by malicious web content — at least on Desktop). Since we don't have the ability to control multi-process lifetimes on iOS, this mitigation is extra important.
,
Apr 18 2016
CL on review: https://codereview.chromium.org/1900783003/ Andy, this probably should go into respin.
,
Apr 18 2016
Yes, this seems high priority. Looks like chrome://flags and chrome://sync-internals could pose risks for elevating privileges, and chrome://net-export could capture network dumps (after a quick skim of chrome://chrome-urls on iOS). Seems quite bad to let attackers navigate to these on iOS, as they could be used as a stepping stone in an attack (e.g., via UXSS).
,
Apr 19 2016
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/4998fbe285b9c857b454b70a2bfeda562a92c3ae

commit 4998fbe285b9c857b454b70a2bfeda562a92c3ae
Author: eugenebut <eugenebut@chromium.org>
Date: Tue Apr 19 16:14:53 2016

[ios] Do not allow loading chrome:// URLs from regular http/https pages.

BUG= 604086
Review URL: https://codereview.chromium.org/1900783003
Cr-Commit-Position: refs/heads/master@{#388217}

[modify] https://crrev.com/4998fbe285b9c857b454b70a2bfeda562a92c3ae/ios/web/web_state/ui/crw_web_controller.mm
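
The policy the commit title describes, as an added example (not the code from the Chromium change, which this page does not show): a page-initiated navigation to a privileged scheme is refused unless the source page is itself privileged. `SchemeOf`, `IsPrivilegedScheme` and `ShouldAllowPageInitiatedNavigation` are hypothetical names, the example.test/example.org URLs are constructed, and refusing every non-chrome source (not only http/https) is this example's choice.

```cpp
#include <cctype>
#include <initializer_list>
#include <iostream>
#include <string>

// Lower-cased scheme of `url`, or "" when it has none (relative reference).
// Normalizes the way URL parsers do before comparing, so " ChRoMe://x" and
// "chr\tome://x" are not missed: tab/CR/LF are dropped anywhere and leading
// control characters or spaces are skipped.
std::string SchemeOf(const std::string& url) {
  std::string s;
  for (unsigned char c : url)
    if (c != '\t' && c != '\n' && c != '\r') s.push_back(static_cast<char>(c));
  std::size_t begin = 0;
  while (begin < s.size() && static_cast<unsigned char>(s[begin]) <= 0x20) ++begin;
  const std::size_t colon = s.find(':', begin);
  if (colon == std::string::npos || colon == begin) return "";
  std::string scheme = s.substr(begin, colon - begin);
  if (!std::isalpha(static_cast<unsigned char>(scheme[0]))) return "";
  for (char& c : scheme) {
    const unsigned char u = static_cast<unsigned char>(c);
    if (!std::isalnum(u) && u != '+' && u != '-' && u != '.') return "";
    c = static_cast<char>(std::tolower(u));
  }
  return scheme;
}

// Assumption of this example: "chrome" is the only privileged scheme.
bool IsPrivilegedScheme(const std::string& scheme) { return scheme == "chrome"; }

// Policy for navigations requested by page content (link tap, window.open).
// A privileged target is reachable only from an already privileged page.
bool ShouldAllowPageInitiatedNavigation(const std::string& source_url,
                                        const std::string& target_url) {
  if (!IsPrivilegedScheme(SchemeOf(target_url))) return true;
  return IsPrivilegedScheme(SchemeOf(source_url));
}

int main() {
  const char* source = "https://example.test/page";  // constructed sample
  for (const char* target : {"chrome://flags", " ChRoMe://net-export",
                             "chr\tome://flags", "https://example.org/"})
    std::cout << (ShouldAllowPageInitiatedNavigation(source, target)
                      ? "allow " : "block ") << target << "\n";
  return 0;
}
```

The comparison is made on the normalized scheme rather than on a raw string prefix, because a prefix test for `chrome://` would miss the mixed-case and whitespace-padded forms that a URL parser still resolves to the same scheme.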
,
Apr 19 2016
[Automated comment] Request affecting a post-stable build (M50), manual review required.
,
Apr 19 2016
Your change meets the bar and is auto-approved for M51 (branch: 2704)
,
Apr 20 2016
The following revision refers to this bug:
https://chrome-internal.googlesource.com/chrome/ios_internal.git/+/27cbdfb5ef05b167b7b9f1f6c87d41ca0d2f7be1

commit 27cbdfb5ef05b167b7b9f1f6c87d41ca0d2f7be1
Author: eugenebut <eugenebut@google.com>
Date: Wed Apr 20 04:22:22 2016
,
Apr 27 2016
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/80a55f9c60ca00265c54990db53a7b5956818e86

commit 80a55f9c60ca00265c54990db53a7b5956818e86
Author: eugenebut <eugenebut@chromium.org>
Date: Wed Apr 27 04:15:13 2016

[ios] Do not allow loading chrome:// URLs from regular http/https pages.

Merged trunk CL: https://codereview.chromium.org/1900783003/

BUG= 604086
NOTRY=true
NOPRESUBMIT=true
TEST=WebUI still works, but can not be loaded from http/https pages
Review URL: https://codereview.chromium.org/1921553006
Cr-Commit-Position: refs/branch-heads/2661@{#635}
Cr-Branched-From: ef6f6ae5e4c96622286b563658d5cd62a6cf1197-refs/heads/master@{#378081}

[modify] https://crrev.com/80a55f9c60ca00265c54990db53a7b5956818e86/ios/web/web_state/ui/crw_wk_web_view_web_controller.mm
,
Apr 29 2016
This issue has been approved for a merge. Please merge the fix to any appropriate branches as soon as possible! If all merges have been completed, please remove any remaining Merge-Approved labels from this issue. Thanks for your time! To disable nags, add the Disable-Nags label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Apr 29 2016
Verified on M50.0.2661.95 dev.
Device: iPhone6s, iPad Pro
iOS: 9.2.1, 9.3.2
Tapping on links to chrome:// performs no action. Verified using the testpage given in the bug report.
,
Apr 29 2016
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/fc59faef05b8cacef5c05138fb183b4bad6ce233

commit fc59faef05b8cacef5c05138fb183b4bad6ce233
Author: eugenebut <eugenebut@chromium.org>
Date: Fri Apr 29 22:25:44 2016

[ios] Do not allow loading chrome:// URLs from regular http/https pages.

Merged trunk CL: https://codereview.chromium.org/1900783003/

BUG= 604086
NOTRY=true
NOPRESUBMIT=true
TEST=WebUI still works, but can not be loaded from http/https pages
Review-Url: https://codereview.chromium.org/1926563002
Cr-Commit-Position: refs/branch-heads/2704@{#318}
Cr-Branched-From: 6e53600def8f60d8c632fadc70d7c1939ccea347-refs/heads/master@{#386251}

[modify] https://crrev.com/fc59faef05b8cacef5c05138fb183b4bad6ce233/ios/web/web_state/ui/crw_wk_web_view_web_controller.mm
,
Jul 27 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by cma...@chromium.org, Apr 16 2016