Issue 617260

Starred by 2 users

Issue metadata

Status: WontFix
Owner:
Closed: Feb 2017
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux , Windows , Mac
Pri: 3
Type: Bug

XSS Auditor overly aggressive; blocks e.g. google search for "href='javascript:void()"

Reported by martin.t...@viison.com, Jun 3 2016

Issue description

Chrome Version       : 48.0.2564.116
URLs (if applicable) : https://www.google.com/search?q=href%3d%22javascript%3avoid()
Other browsers tested:
    Firefox: OK

What steps will reproduce the problem?
(1) Open https://www.google.com/search?q=href%3d%22javascript%3avoid()

What is the expected result?
Chrome displays the website

What happens instead?

The XSS Auditor recognizes that the search string is similar to the attribute of an '<a>' anchor element (<a href="javascript:void(0)" data-bucket="websearch" ...>) within the requested website and blocks the requested website from being loaded and displayed.

Opening https://www.google.com/search?q=href%3d%22javascript%3avoid(1) instead works as expected.
Opening https://www.google.com/search?q=href%3d%27javascript%3avoid() instead works as expected.

This can't be the expected behavior of the XSS Auditor.

Please provide any additional information below. Attach a screenshot if
possible.

Developer console log:

Navigated to https://www.google.de/search?q=href%3D%22javascript:void()&gws_rd=cr&ei=-N1RV8rMDIWOU_7_tFg

search?q=href%3D"javascript:void()&gws_rd=cr&ei=-N1RV8rMDIWOU_7_tFg:54 The XSS Auditor blocked access to 'https://www.google.de/search?q=href%3D%22javascript:void()&gws_rd=cr&ei=-N1RV8rMDIWOU_7_tFg' because the source code of a script was found within the request. The server sent an 'X-XSS-Protection' header requesting this behavior.
 
Components: Blink
Labels: M-53 OS-Linux OS-Mac OS-Windows
Status: Untriaged (was: Unconfirmed)
Able to reproduce the issue on Windows 7, Mac 10.11.5, Ubuntu 14.04 using 48.0.2564.116, latest stable 51.0.2704.84, canary 53.0.2762.0 with the below steps:

1. Opened URL: https://www.google.com/search?q=href%3d%22javascript%3avoid()
2. Observed that the website is not displayed and a blank page opened.

This is a non-regression issue seen from M-30 (30.0.1549.0). Hence, marking it as untriaged.

Could anyone from the dev team look into this issue, please?
Components: -Blink Blink>SecurityFeature
Project Member

Comment 4 by sheriffbot@chromium.org, Jul 7 2016

Labels: -M-53 M-54 MovedFrom-53
Moving this nonessential bug to the next milestone.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 5 Deleted

Comment 6 by mkwst@chromium.org, Feb 23 2017

Labels: XSSAuditor
Owner: tsepez@chromium.org
Status: Available (was: Untriaged)
Tom, opinions?

Comment 7 by tsepez@chromium.org, Feb 24 2017

Status: WontFix (was: Available)
Such is life.  About the only option would be to filter rather than block by default if this becomes a big deal.
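
The false positive described in the report, and the filter-versus-block option raised in Comment 7, as an added example that is not part of this thread and is not Chromium's code. It is a simplified model: the canonicalization rule, the function names and the sample page are assumptions, chosen so that the three URLs from the report behave as the reporter observed.

```javascript
// Simplified model of reflection matching; NOT Chromium's XSS Auditor code.
// Constructed sample of the anchor quoted in the report.
const SAMPLE_PAGE = '<a href="javascript:void(0)" data-bucket="websearch">x</a>';

// Assumed canonicalization: percent-decode, lower-case, then drop whitespace
// and the characters \ 0 / ? % so encoding variants compare equal.
function canonicalize(s) {
  let decoded = s;
  try { decoded = decodeURIComponent(s); } catch (e) { /* keep raw text */ }
  return decoded.toLowerCase().replace(/[\s\\0\/?%]/g, "");
}

// Return every javascript: href snippet in `html` whose canonical form also
// occurs in the canonical request URL, i.e. looks reflected.
function reflectedAttributes(url, html) {
  const request = canonicalize(url);
  const hits = [];
  for (const m of html.matchAll(/href\s*=\s*["']\s*javascript:[^"']*/gi)) {
    if (request.includes(canonicalize(m[0]))) hits.push(m[0]);
  }
  return hits;
}

// "block" discards the whole response on any match (the behaviour the
// X-XSS-Protection header requested in the report); "filter" rewrites only
// the matched attribute values and keeps the rest of the page.
function audit(url, html, mode) {
  const hits = reflectedAttributes(url, html);
  if (hits.length === 0) return html;
  if (mode === "block") return "";
  return hits.reduce(
    (out, h) => out.split(h).join(h.replace(/javascript:[\s\S]*$/i, "#")),
    html);
}

// The three query strings from the report, run against the sample page.
const BASE = "https://www.google.com/search?q=";
const QUERIES = ["href%3d%22javascript%3avoid()",
                 "href%3d%22javascript%3avoid(1)",
                 "href%3d%27javascript%3avoid()"];
for (const q of QUERIES) {
  const shown = audit(BASE + q, SAMPLE_PAGE, "block") !== "";
  console.log(q, "->", shown ? "shown" : "blocked");
}
```

In this model the page's own `void(0)` collapses to `void()` under canonicalization, which is why only the first query collides with the static anchor; in filter mode the same collision costs one attribute value instead of the whole page.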