New issue
Advanced search Search tips
Note: Color blocks (like or ) mean that a user may not be available. Tooltip shows the reason.

Issue 632738 link

Starred by 5 users

Issue metadata

Status: Archived
Owner: ----
Closed: Oct 24
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Mac
Pri: 2
Type: Bug



Sign in to add a comment

Javascript pollution from global variables created from unique DOM element ID

Reported by ja...@agilebits.com, Jul 29 2016

Issue description

UserAgent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12) AppleWebKit/602.1.40 (KHTML, like Gecko) Version/10.0 Safari/602.1.40

Steps to reproduce the problem:
1. Install the attached Chrome extension
2. Open the attached HTML file or any file with an element with an id of "pollute"
3. Open the console

What is the expected behavior?
Both "pollute" and "nopollute" should be undefined

What went wrong?
"nopollute" remains undefined but clobber is defined because of the global variable created by the element with the unique id of "pollute"

WebStore page: 

Did this work before? N/A 

Chrome version: 51.0.2704.106 (Official Build) (64-bit)  Channel: stable
OS Version: OS X 10.12
Flash Version: 

If the pollute variable is declared in the content script, even without a value, it is not clobbered by the global defined as a result of the unique id on the page.
 
content_script_pollution.zip
3.0 KB Download
Labels: Needs-Bisect
Cc: brajkumar@chromium.org
Labels: Needs-Feedback
Tested this issue on Mac OS 10.11.6 & Windows-7 using chrome latest stable M52-52.0.2743.82 by following steps mentioned below.

1. Installed the attached Chrome polluted-extension
2. Opened the attached id_global HTML file 
3. Pressed Ctrl+Shift+I
4. Observed no text in the console.
 
jamie@ - Could you please upgrade your chrome to latest stable and recheck for this issue. In case if it still persists please provide a snapshot or screen-cast of the actual behavior for better understanding.

Thanks!


I think that it doesn't work when loading file:// URLs. I am on macOS using latest Chrome. I placed the included HTML file in a Pow project folder under public/ so that it would be served as a static HTML file and then navigated to http://testsite.dev/id_global.html to see the result. I'm attaching relevant screenshots.
screenshots.zip
520 KB Download
Tested the same on Mac OS using chrome latest stable. Still no luck, I am unable to see any console errors as shown in the provided screen-shot. Placed the id_global.html file in to polluted-extension folder and tried navigating to the link directly but still failed to repro it.

jamie@- Will you mind providing a screen-cast from your end for better understanding? You can record a screen-cast from below link.
https://screencast-o-matic.com/home

I will make a screencast as soon as my schedule allows, but I'm curious about this bit: "Placed the id_global.html file in to polluted-extension folder and tried navigating to the link directly but still failed to repro it."

The screenshot shows that I'm accessing this file from a real web server, and I'm not sure how placing the HTML file inside the extension folder would help. If you're accessing it over file:// I'm fairly sure that it will not work. Did you confirm that the script is showing up in the content scripts for the page?
Labels: TE-NeedsTriageHelp
Project Member

Comment 8 by sheriffbot@chromium.org, Aug 18 2016

Labels: -Needs-Feedback Needs-Review
Owner: brajkumar@chromium.org
Thank you for providing more feedback. Adding requester "brajkumar@chromium.org" for another review and adding "Needs-Review" label for tracking.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 9 Deleted

Cc: -brajkumar@chromium.org
Cc: brajkumar@chromium.org
Labels: -TE-NeedsTriageHelp Needs-Feedback
jamie@ - Any update on this bug? As you mentioned in comment #5 could you please provide a screen-cast for this issue?And could you please take a look on comment #7 as David mentioned saying it's intended on Windows. Is this is the same case with Mac?
While I understand this is intended behavior within the page, what shouldn't be allowed is for those global variables to pollute my content script and define variables I don't expect to be defined in Chrome.

I'm honestly not sure what this screencast shows that isn't already in the screenshots I provided earlier.  My instinct says that the example page that causes the pollution isn't properly being loaded such that the content scripts are injected into the page, which is why I asked, "Did you confirm that the script is showing up in the content scripts for the page?" at the end of comment #5.
id_global_pollution.mov
1.9 MB Download
Labels: -Needs-Feedback -Needs-Bisect TE-NeedsTriageHelp
From Chrome-TE team we have no clue how to repro this issue, As per comment #5 and #12 it's sure this is intended behavior and not able to repro locally. So adding TE-NeedsTriageHelp label and requesting someone from Dev team to look in to it for further updates.
Labels: -Needs-Review
Cleaning up "Needs-Review" label as we are not using this label for triage anymore. Ref bug for this cleanup 684919
I guess this one could be confirmed now that Tavis has found a way to exploit it? https://bugs.chromium.org/p/project-zero/issues/detail?id=1225&desc=6
Sorry for the delay.  Just to clarify, this is intended behavior in all browsers environments and on all operating systems.  It's one of those quirks that a browser vendor (Microsoft) implemented back in the day that's been kept around for backwards compatibility with older websites that may depend on this behavior.

You can easily reproduce this in the Developer Console:

// First check that the global doesn't yet exist.
console.log(typeof foobar); // 'undefined'

// Create a DOM Element, and give it the id 'foobar'.
var elt = document.createElement('div');
elt.id = 'foobar';
document.body.appendChild(elt);

// Verify that the foobar variable now exists and points to the DOM Element
console.log(typeof foobar); // 'object'
console.log(foobar instanceof Element);  // true
Yes, I understand that the behavior should work for the website. But my contention is that this global should not cross over the isolated world boundary into the extension. If the decision is that this is indeed allowed, then that is fine, but I wanted to make sure my objection to the behavior as it is now was clear and fully understood.

Comment 18 by woxxom@gmail.com, Oct 18 2017

Reporter, DOM is the same for both content script and the web page script so the observed behavior is correct. Only JS-related stuff is isolated for the content script.

Comment 19 by woxxom@gmail.com, Oct 23 2017

This is a duplicate of  issue 777545 .
Project Member

Comment 20 by sheriffbot@chromium.org, Oct 24

Status: Archived (was: Unconfirmed)
Issue has not been modified or commented on in the last 365 days, please re-open or file a new bug if this is still an issue.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Sign in to add a comment