Issue metadata
Sign in to add a comment
|
Security: Address bar spoofing on iOS
Reported by
chromium...@gmail.com,
Jul 17 2016
|
||||||||||||||||||||
Issue descriptionVERSION Chrome Version : 51.0.2704.104 OS : iOS REPRODUCTION CASE 1. Lunch chrome 2. Navigate to chrome://version >> navigate to google.com >> navigate to badssl.com 3. Double-click to go back to chrome://version >> again double-click to go forward to badssl.com 4. One click to go back 5. Observe
,
Jul 18 2016
Yeah I'd probably be the best person to look at this. Thanks for reporting, Khalil!
,
Jul 19 2016
,
Jul 19 2016
,
Aug 2 2016
kkhorimoto: Uh oh! This issue still open and hasn't been updated in the last 14 days. This is a serious vulnerability, and we want to ensure that there's progress. Could you please leave an update with the current status and any potential blockers? If you're not the right owner for this issue, could you please remove yourself as soon as possible or help us find the right one? If the issue is fixed or you can't reproduce it, please close the bug. If you've started working on a fix, please set the status to Started. Thanks for your time! To disable nags, add the Disable-Nags label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Aug 5 2016
Any updates on this issue?
,
Aug 10 2016
,
Aug 11 2016
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/4838fe571d972fdbe6b76162c17ec1feb4035695 commit 4838fe571d972fdbe6b76162c17ec1feb4035695 Author: kkhorimoto <kkhorimoto@chromium.org> Date: Thu Aug 11 19:25:09 2016 Reset previous WKBackForwardListeItem when navigating to WebUI pages. Navigation to WebUI pages overwrites the current WKBackForwardListeItem such that it will load the WebUI page's URL and HTML when loaded via |-goToBackForwardListItem:|. This CL resets the previous NavigationItem's associated WKBackForwardListItem to ensure that it is loaded via an NSURLRequest rather than the WKBackForwardListeItem. BUG= 628920 Review-Url: https://codereview.chromium.org/2233063002 Cr-Commit-Position: refs/heads/master@{#411399} [modify] https://crrev.com/4838fe571d972fdbe6b76162c17ec1feb4035695/ios/web/web_state/ui/crw_web_controller.mm
,
Aug 11 2016
Requesting merge for M53 since this is a relatively self-contained CL that fixes a security issue.
,
Aug 11 2016
[Automated comment] Less than 2 weeks to go before AppStore submit on M53, manual review required.
,
Aug 12 2016
,
Aug 12 2016
,
Aug 12 2016
Tested the above bug with the given steps and the issue is fixed in 54.0.2827.0 canary M52 Behaviour 1. Launch chrome and navigate to chrome://version 2. Navigate to google.com 3. Navigate to mixed.badssl.com(as i see this in the given screenshot)(or) badssl.com 4. Double tap to go back to chrome://version 5. Double tap to go forward to badssl.com 6. Tap on back button Observed Results: Content of chrome://version is seen with google url in the omnibox (This is contradicting with the given screenshot as we see mixed.badssl.com in the omnibox) M54 Behaviour Followed the same steps as above Observed Results: Google webpage and URL matches and chrome://version content is no longer seen Verified on iPad Mini(9.3.3), iPhone 6(10.0) in 54.0.2827.0 canary
,
Aug 15 2016
This issue has been approved for a merge. Please merge the fix to any appropriate branches as soon as possible! If all merges have been completed, please remove any remaining Merge-Approved labels from this issue. Thanks for your time! To disable nags, add the Disable-Nags label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Aug 15 2016
,
Aug 16 2016
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/b9ad2c20ee862870a25fb0f65a800de7bff1d732 commit b9ad2c20ee862870a25fb0f65a800de7bff1d732 Author: Kurt Horimoto <kkhorimoto@google.com> Date: Tue Aug 16 22:39:24 2016 Reset previous WKBackForwardListeItem when navigating to WebUI pages. Navigation to WebUI pages overwrites the current WKBackForwardListeItem such that it will load the WebUI page's URL and HTML when loaded via |-goToBackForwardListItem:|. This CL resets the previous NavigationItem's associated WKBackForwardListItem to ensure that it is loaded via an NSURLRequest rather than the WKBackForwardListeItem. BUG= 628920 Review-Url: https://codereview.chromium.org/2233063002 Cr-Commit-Position: refs/heads/master@{#411399} (cherry picked from commit 4838fe571d972fdbe6b76162c17ec1feb4035695) Review URL: https://codereview.chromium.org/2252903002 . Cr-Commit-Position: refs/branch-heads/2785@{#634} Cr-Branched-From: 68623971be0cfc492a2cb0427d7f478e7b214c24-refs/heads/master@{#403382} [modify] https://crrev.com/b9ad2c20ee862870a25fb0f65a800de7bff1d732/ios/web/web_state/ui/crw_web_controller.mm
,
Aug 24 2016
,
Aug 29 2016
,
Aug 30 2016
I'm afraid the panel declined to make a reward for this bug, due to it not being a realistic attack scenario.
,
Nov 18 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Dec 9 2016
Security>UX component is deprecated in favor of the Team-Security-UX label |
|||||||||||||||||||||
►
Sign in to add a comment |
|||||||||||||||||||||
Comment 1 by ta...@google.com
, Jul 18 2016Labels: Security_Severity-Medium Security_Impact-Stable OS-iOS Pri-2
Owner: kkhorimoto@chromium.org
Status: Assi (was: Unconfirmed)