Can open an incognito tab despite it being disabled
Reported by
yougotbl...@gmail.com,
Aug 18 2016
Issue description
Version of Google Chrome (Wrench-> About Google Chrome):52.0.2743.116
Version of MSI (if applicable):
Using group policy settings? Yes
CHROMEOS_RELEASE_BOARD:candy-signed-mpkeys
CHROMEOS_RELEASE_BRANCH_NUMBER:68
CHROMEOS_RELEASE_BUILD_NUMBER:8350
CHROMEOS_RELEASE_BUILD_TYPE:Official Build
CHROMEOS_RELEASE_CHROME_MILESTONE:52
CHROMEOS_RELEASE_DESCRIPTION:8350.68.0 (Official Build) stable-channel candy
CHROMEOS_RELEASE_NAME:Chrome OS
CHROMEOS_RELEASE_PATCH_NUMBER:0
CHROMEOS_RELEASE_TRACK:stable-channel
CHROMEOS_RELEASE_VERSION:8350.68.0
ENTERPRISE_ENROLLED:Managed
Taken from chrome://system/
I have found a way to open an incognito tab on an enterprise managed Chromebook. To replicate the results: You will need a WiFi network that has Guest Access. Disconnect from all WiFi Networks from the login screen.
Then, click on a WiFi network that has Guest Access enabled and click "Connect", then immediately log in to a Google Account. While the login process is happening, a notification will appear in the bottom right corner telling you to go to the sign-in website for the WiFi network's guest login. If you click the notification, it will open a browser. It will not be a regular browser, however. If you right-click on it and click "View page source", the source page will be opened in incognito mode. From there, you can change the address bar to anything you desire, after you log in to the WiFi network...
Email me at yougotbloxxed@gmail.com when you read this, or if you need video proof or more details.
,
Aug 18 2016
Hey Achuith, can you please figure out how this is possible or pull in the right people to investigate? It sounds like there is some race between the captive portal finishing its job and offline sign-in succeeding before that. It sounds like, if this is possible, either the captive portal should restart in the user session with all the required restrictions or be allowed to finish on the login screen before any login is executed.
,
Aug 23 2016
,
Aug 23 2016
Could not repro in M54.
Device: Lulu, M: 54, ChromeOS: 8730.0.0, Chrome: 54.0.2831.0, ARC: 3154127, Type: release, Channel: dev
,
Aug 25 2016
yougotbloxxed@ a video would be useful. We're unable to repro.
,
Aug 26 2016
Link to video here: https://www.youtube.com/watch?v=FXz7Oe03jzQ
,
Aug 30 2016
+Achuith please reassign if needed.
,
Sep 1 2016
Ugh. Yeah, that makes sense from the video. Obvious solution is to disable "view source" on the captive portal page.
,
Sep 2 2016
Albert - I don't have the cycles to look at this right now, and I'm not really familiar with the captive portal code. Who do you think could take this on?
,
Sep 2 2016
Not sure. With dzhioev@'s departure we no longer have anyone particularly familiar with captive portal code and everyone is slammed. I'll figure it out.
,
Sep 2 2016
I can try to see if there's a quick fix possible next week.
,
Sep 7 2016
Ok, thanks.
,
Sep 8 2016
Trapti/Krishna: Could you please try a repro with the above YouTube video? I'll need to use the test team's network to try to fix this.
,
Sep 8 2016
Could repro once in 10 tries. Could not mention exact steps. Just tried with changing networks and updating policies on and off.
M: 54, ChromeOS: 8743.13.0, Chrome: 54.0.2840.13, ARC: 3247538, Type: release, Channel: dev
,
Sep 8 2016
,
Sep 17
,
Sep 19
,
Dec 8
After following the steps on the bug, I was unable to reproduce this behavior. I am not able to inspect the page on the guest login. Tested this using a Daisy Chromebook using M72.
Comment 1 by brajkumar@chromium.org
, Aug 18 2016