Block page initiated navigations to view-source: URLs
Issue description

Looks like all major browsers now block navigations to view-source: URLs: https://en.wikipedia.org/wiki/View-source_URI_scheme. Most recently, Firefox blocked it at https://bugzilla.mozilla.org/show_bug.cgi?id=1172165. I don't think there is a good reason we should allow it either.
Comment 1 by mea...@chromium.org, Apr 26 2016
Being consistent with other browsers here seems good to me. That said, I don't fully understand the motivation for this because view-source isn't privileged in any way, but I suppose it prevents pages from taking advantage of any logic bugs around the unusual way view-source is built.
Apr 26 2016
My motivation to file this was bug 247151. Seems like there are a couple of other security-related bugs involving view-source (bug 489894, bug 108611, bug 196636). Also, as a long-term objective, I think it'd be good for us to get to a state where a page can only initiate navigations to schemes that most users are familiar with (at this point that's http and https, I guess).
May 6 2016
Blink intent to deprecate and remove: https://groups.google.com/a/chromium.org/forum/#!topic/blink-dev/lyuWXZ_1kXo
Jun 2 2016
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/ce6b6603637ee045041ccb49359fbae617d84ba5

commit ce6b6603637ee045041ccb49359fbae617d84ba5
Author: meacer <meacer@chromium.org>
Date: Thu Jun 02 20:56:05 2016

Block webpages from navigating to view-source URLs.

This CL blocks navigations to view-source URLs initiated by a page via window.location, window.open, A tag, etc. It still allows user initiated navigations such as directly entering the URL, clicking "view page source" or "open in new tab" in the context menu.

BUG=247151, 606619
Review-Url: https://codereview.chromium.org/1917073002
Cr-Commit-Position: refs/heads/master@{#397505}

[modify] https://crrev.com/ce6b6603637ee045041ccb49359fbae617d84ba5/content/browser/browser_side_navigation_browsertest.cc
[modify] https://crrev.com/ce6b6603637ee045041ccb49359fbae617d84ba5/content/browser/child_process_security_policy_impl.cc
[modify] https://crrev.com/ce6b6603637ee045041ccb49359fbae617d84ba5/content/browser/child_process_security_policy_unittest.cc
[modify] https://crrev.com/ce6b6603637ee045041ccb49359fbae617d84ba5/content/browser/site_per_process_browsertest.cc
[modify] https://crrev.com/ce6b6603637ee045041ccb49359fbae617d84ba5/content/browser/web_contents/web_contents_impl_browsertest.cc
[modify] https://crrev.com/ce6b6603637ee045041ccb49359fbae617d84ba5/content/browser/web_contents/web_contents_impl_unittest.cc
[modify] https://crrev.com/ce6b6603637ee045041ccb49359fbae617d84ba5/content/public/test/content_browser_test_utils.cc
[modify] https://crrev.com/ce6b6603637ee045041ccb49359fbae617d84ba5/content/public/test/content_browser_test_utils.h
[modify] https://crrev.com/ce6b6603637ee045041ccb49359fbae617d84ba5/content/renderer/render_thread_impl.cc
[modify] https://crrev.com/ce6b6603637ee045041ccb49359fbae617d84ba5/content/test/data/simple_links.html
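The policy the commit describes (page-initiated navigations to view-source: are refused, user-initiated ones such as the address bar or the context menu still work), combined with the long-term goal stated earlier in the thread (pages may only navigate to http and https), can be modelled as a small browser-side scheme check. The example below is an added illustration written for this page; it is not Chromium's ChildProcessSecurityPolicy code, and the http/https allowlist, the function names and the sample navigation requests are assumptions. Real browsers permit further page-initiated schemes (for example javascript: or mailto:), so this models the thread's goal, not any shipping browser. Targets are resolved against the initiating document's URL with urljoin, as a browser would, so a relative href is judged by the resolved scheme and an upper-case or whitespace-prefixed view-source: is still recognised.

```python
"""Model of a browser-side navigation scheme policy (added illustration).

Not Chromium code: it applies the rule from the commit above (page-initiated
view-source: navigations are blocked, user-initiated ones are allowed) and the
thread's stated long-term goal (pages only navigate to http/https). The
allowlist, function names and sample requests are assumptions.
"""
from typing import List, Tuple
from urllib.parse import urljoin, urlsplit

# Assumed allowlist for page-initiated navigations (window.location,
# window.open, <a href>): the "schemes most users are familiar with".
PAGE_NAVIGABLE_SCHEMES = frozenset({"http", "https"})

# Schemes only reachable through user actions (address bar, context menu).
USER_ONLY_SCHEMES = frozenset({"view-source"})


def scheme_of(url: str) -> str:
    """Lowercase outer scheme of url ('' if none). Leading whitespace is
    stripped so ' View-Source:...' is not mistaken for a relative path."""
    return urlsplit(url.strip()).scheme.lower()


def inner_url(url: str) -> str:
    """Unwrap a view-source: URL to the page it would display."""
    url = url.strip()
    if scheme_of(url) == "view-source":
        return url[len("view-source:"):]
    return url


def navigation_allowed(url: str, user_initiated: bool) -> Tuple[bool, str]:
    """Decide whether a navigation to url may proceed, with a reason."""
    scheme = scheme_of(url)
    if scheme in USER_ONLY_SCHEMES:
        # The commit's rule: the user may open view-source:, a page may not.
        if user_initiated:
            return True, "user-initiated %s: navigation" % scheme
        return False, "page-initiated %s: navigation blocked" % scheme
    if scheme in PAGE_NAVIGABLE_SCHEMES:
        return True, "navigable scheme"
    if user_initiated:
        return True, "user-initiated navigation to non-web scheme"
    return False, "page-initiated navigation to unsupported scheme %r" % (scheme or "(none)")


# Constructed sample navigation requests: (target, user_initiated, source).
SAMPLE_REQUESTS = [
    ("view-source:https://app.example/page", False, "window.location"),
    ("VIEW-SOURCE:https://app.example/page", False, "window.open"),
    ("view-source:https://app.example/page", True, "address bar"),
    ("/settings", False, "<a href>"),
    ("https://other.example/", False, "<a href>"),
    ("ftp://files.example/", False, "window.location"),
]


def evaluate(requests, base: str = "https://app.example/page") -> List[Tuple[str, str, bool, str]]:
    """Resolve each target against the initiating document's URL (as a browser
    would) and return (source, resolved_url, allowed, reason) per request."""
    results = []
    for target, user_initiated, source in requests:
        resolved = urljoin(base, target)  # relative hrefs inherit the page's scheme
        allowed, reason = navigation_allowed(resolved, user_initiated)
        results.append((source, resolved, allowed, reason))
    return results


if __name__ == "__main__":
    for source, resolved, allowed, reason in evaluate(SAMPLE_REQUESTS):
        print("%-5s %-16s %-40s %s" % ("ALLOW" if allowed else "BLOCK", source, resolved, reason))
```

Running the module prints one ALLOW/BLOCK line per sample request: the two page-initiated view-source: attempts and the ftp: navigation are blocked, the user-typed view-source: URL and both http(s) targets go through. The decision is made on the resolved URL's outer scheme only; inner_url is there for the logging a defender would want (which page's source was requested), not for the decision, so a wrapped URL cannot change the verdict.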
Jun 2 2016

Sep 7 2016

Dec 9 2016
Security>UX component is deprecated in favor of the Team-Security-UX label