Thanks for the report. I can repro this on Win M51 stable -- it gives a dir listing of C:\ after I reloaded it.

Marking it as medium severity since it's similar to  http://crbug.com/618333 .

Isn't the label supposed to be "Security_Impact-Stable" ? Stable channel is indeed affected by this issue [as confirmed in Comment#1].

Didn't verify this personally, but based on the comments here it would seem so.

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/554517a4587bfb0071bcd3c7eff6645a0b06d72a

commit 554517a4587bfb0071bcd3c7eff6645a0b06d72a
Author: dgozman <dgozman@chromium.org>
Date: Mon Jun 20 20:33:22 2016

[DevTools] Whitelist remoteFrontendUrl and remoteBase params.

This also fixes loadScriptsPromise to not normalize hostname.

BUG= 619414 , 618333 

Review-Url: https://codereview.chromium.org/2065823004
Cr-Commit-Position: refs/heads/master@{#400768}

[modify] https://crrev.com/554517a4587bfb0071bcd3c7eff6645a0b06d72a/third_party/WebKit/Source/devtools/front_end/Runtime.js
[modify] https://crrev.com/554517a4587bfb0071bcd3c7eff6645a0b06d72a/third_party/WebKit/Source/devtools/front_end/devtools.js

dgozman: Uh oh! This issue still open and hasn't been updated in the last 14 days. This is a serious vulnerability, and we want to ensure that there's progress. Could you please leave an update with the current status and any potential blockers?

If you're not the right owner for this issue, could you please remove yourself as soon as possible or help us find the right one?

If the issue is fixed or you can't reproduce it, please close the bug. If you've started working on a fix, please set the status to Started.

Thanks for your time! To disable nags, add the Disable-Nags label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

FYI - One more Attack vector (besides malicious extension; copy-pasting URLs) is by sending a crafted chrome-devtools link via "Google Tone" extension. The extension allows sending URLs of any schemes to nearby machines.

Before we approve merge to M53, Could you please confirm whether this change is baked/verified in Canary and safe to merge?

Also is this change applicable to all OS or any specific OS?

dgozman@, please reply to comment #16.

+awhalley@ whether to take this merge in for M53 Dev release on Tuesday (07/26).

The fix has landed as r400768, which is way before M53 was branched (r403382).

This is already in M53.  It's also baked enough for M52 merge.

Approving merge to M52 branch 2743 based on comment #19. Please merge ASAP (latest by 5:00 PM PDT Monday) so we can take it for next week M52 Stable release. Thank you.

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/2f0798392134f38c8c68a7911ab622dc128775e3

commit 2f0798392134f38c8c68a7911ab622dc128775e3
Author: Dmitry Gozman <dgozman@chromium.org>
Date: Sat Jul 23 00:31:46 2016

Merge to 2743 "[DevTools] Whitelist remoteFrontendUrl and remoteBase params."
> [DevTools] Whitelist remoteFrontendUrl and remoteBase params.
>
> This also fixes loadScriptsPromise to not normalize hostname.
>
> BUG= 619414 , 618333 
>
> Review-Url: https://codereview.chromium.org/2065823004
> Cr-Commit-Position: refs/heads/master@{#400768}
(cherry picked from commit 554517a4587bfb0071bcd3c7eff6645a0b06d72a)
TBR=pfeldman

Review URL: https://codereview.chromium.org/2179623002 .

Cr-Commit-Position: refs/branch-heads/2743@{#694}
Cr-Branched-From: 2b3ae3b8090361f8af5a611712fc1a5ab2de53cb-refs/heads/master@{#394939}

[modify] https://crrev.com/2f0798392134f38c8c68a7911ab622dc128775e3/third_party/WebKit/Source/devtools/front_end/Runtime.js
[modify] https://crrev.com/2f0798392134f38c8c68a7911ab622dc128775e3/third_party/WebKit/Source/devtools/front_end/devtools.js

And $1,000 for this one too.

Updating reward amount.

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot