
Issue 638853


Issue metadata

Status: WontFix
Owner: ----
Closed: Aug 2016
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: ----
Type: Bug-Security




Security: Chrome for Mac & iOS address bar allows spoofed URL.

Reported by m1x...@gmail.com, Aug 18 2016

Issue description

url:inurl.pw/g00gl3/
poc:
<iframe src='http://www.google.com%2f@inurl.pw'></iframe>
<script>
alert(document.domain);
</script>

Test software: Google Chrome Version 52.0.2743.116 (64-bit) for macOS

Browse this web site: http://inurl.pw/g00gl3/
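
The iframe URL in the report puts `www.google.com%2f` in the userinfo part of the authority, so the host actually contacted is `inurl.pw`. The following is an added example, not part of the original report or of Chromium's code, showing how a filter or log pipeline can flag such URLs; the helper name `inspectUrl` and the `HOSTLIKE` heuristic are assumptions made for this illustration.

```javascript
// Added example (not from the report or from Chromium).
// Loose "looks like a DNS name" pattern: a heuristic chosen for this example,
// so dotted usernames such as "first.last" will also match.
const HOSTLIKE = /(?:[a-z0-9-]+\.)+[a-z]{2,}/i;

// Decode percent-escapes so "%2f" is seen as "/"; fall back to the raw text
// if the escapes are malformed.
function safeDecode(s) {
  try {
    return decodeURIComponent(s);
  } catch (e) {
    return s;
  }
}

// inspectUrl is a hypothetical helper name. It reports the host the browser
// will really contact and whether the userinfo part imitates another host.
function inspectUrl(input) {
  let url;
  try {
    url = new URL(input); // WHATWG URL parser (browsers and Node.js)
  } catch (e) {
    return { valid: false, host: null, userinfo: null, decoy: null, suspicious: false };
  }
  const raw = url.password ? `${url.username}:${url.password}` : url.username;
  const userinfo = safeDecode(raw);
  const match = userinfo.match(HOSTLIKE);
  const decoy = match ? match[0].toLowerCase() : null;
  return {
    valid: true,
    host: url.hostname,
    userinfo: userinfo || null,
    decoy,
    suspicious: decoy !== null && decoy !== url.hostname,
  };
}

// Constructed sample inputs; the first is the iframe src from the report.
const samples = [
  'http://www.google.com%2f@inurl.pw',
  'https://alice:secret@example.org/',
  'https://www.google.com/',
];
for (const s of samples) {
  console.log(s, '->', JSON.stringify(inspectUrl(s)));
}
```

Only the first sample is flagged: its decoded userinfo is `www.google.com/` while the real host is `inurl.pw`.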


 
Status: WontFix (was: Unconfirmed)
Safari and Chrome use slightly different approaches to identify phishing pages.
In order to judge whether a website is a phishing page or not, Chrome looks at both the address and its content to score whether it is bad. In this case, the score is not high enough to trigger a phishing warning (since there is no spoofed content inside).
Given that, I would say it is working as intended.
Project Member

Comment 2 by sheriffbot@chromium.org, Nov 25 2016

Labels: -Restrict-View-SecurityTeam allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
