Measuring cross-origin vibrate usage and block them if feasible |
||||||||||
Issue descriptionUserAgent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.63 Safari/537.36 Steps to reproduce the problem: It's listed at bit.ly/proposed-interventions, and discussed internally at https://groups.google.com/a/google.com/forum/#!topic/safebrowsing-ads/CXL4W-qrrns. What is the expected behavior? What went wrong? Vibrate is being abused by unsafe third-party content (eg., ads), and we'd like to measure its usage in cross-origin context and see the possibility of blocking them. If blocking all cross-origin vibrate breaks too many pages, we could just block it if there is no user gestures. Did this work before? N/A Chrome version: 51.0.2704.63 Channel: n/a OS Version: OS X 10.11.5 Flash Version: Shockwave Flash 22.0 r0
,
Jun 21 2016
,
Jun 21 2016
,
Jun 21 2016
,
Jun 22 2016
[mac triage] I'm not too familiar with security issues like this. Do you have any insight on this, rsesek? Thanks!
,
Jun 22 2016
,
Jun 28 2016
This is a related bug: https://bugs.chromium.org/p/chromium/issues/detail?id=507703
,
Jun 28 2016
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/318a9ac4bee905bae95b33a67f75a3e4a5214116 commit 318a9ac4bee905bae95b33a67f75a3e4a5214116 Author: binlu <binlu@google.com> Date: Tue Jun 28 23:53:00 2016 Measure detailed usage of navigator.vibrate for user gesture, subframe & cross-origin iframe. BUG= 621397 R=ojan@chromium.org,japhet@chromium.org Review-Url: https://codereview.chromium.org/2082463002 Cr-Commit-Position: refs/heads/master@{#402601} [modify] https://crrev.com/318a9ac4bee905bae95b33a67f75a3e4a5214116/third_party/WebKit/Source/modules/vibration/NavigatorVibration.cpp [modify] https://crrev.com/318a9ac4bee905bae95b33a67f75a3e4a5214116/third_party/WebKit/Source/modules/vibration/NavigatorVibration.h [modify] https://crrev.com/318a9ac4bee905bae95b33a67f75a3e4a5214116/tools/metrics/histograms/histograms.xml
,
Jul 19 2016
Hi binlu@, Is this bug already fixed?
,
Jul 20 2016
I'm working on it, and here is the intent to ship: https://groups.google.com/a/chromium.org/forum/#!topic/blink-dev/7iVcwNcO3xw Could you please help assign me as the owner? Thanks.
,
Aug 15 2016
We can't assign you because you are not a project member but don't worry, I'll close this one on your behalf. Let's used issue 625044 to track the actual change.
,
Aug 15 2016
,
Dec 9 2016
Security>UX component is deprecated in favor of the Team-Security-UX label |
||||||||||
►
Sign in to add a comment |
||||||||||
Comment 1 by sheriffbot@chromium.org
, Jun 20 2016