
Issue metadata

Status: Fixed
Closed: Aug 2016
Pri: 2
Type: Bug-Security


Security: Navigating to "chrome://" URLs via 'about:' protocol

Reported by, Aug 21 2016

Issue description

Steps to reproduce the problem:
1. Open the PoC.html
<a href="about:history-frame" target="x" onclick="setTimeout('d()', 2000);">Click Me</a>

Or you could visit the online PoC page:

2. You will find the Chrome iOS version opened a new window and navigated to "chrome://". But according to the Chrome desktop version, I could not find the same behavior. 

What is the expected behavior?

What went wrong?
There have been similar issues in the Chrome 44.0.2403.157 stable and Chrome 49.0.2623.87.

But the PoC I offered above bypassed the patch imposed on the Chrome iOS version.

Did this work before? N/A 

Chrome version: 52.0.2743.84  Channel: stable
OS Version: iOS 9.3.3
Flash Version: Shockwave Flash 22.0 r0
Components: UI>Browser>Navigation
Labels: Security_Impact-Stable Security_Severity-Low
Status: Assigned
+eugenebut@, since you are the owner of
Could you help triage this issue? Please feel free to suggest another owner.

Comment 2 by, Aug 22 2016

This should probably be higher severity, as it's similar to issue 604086. That one was rated Security_Severity-Medium.
creis@, just FYI: 604086 allowed loading a WebUI URL in the same window (and same web process). This bug allows a WebUI child window which is run in a separate process.
Project Member

Comment 5 by, Aug 23 2016

The following revision refers to this bug:

commit 5bdbf8b4a257e3264644900234c1d31126394c5f
Author: eugenebut <>
Date: Tue Aug 23 21:11:29 2016

[ios] Do not allow WebUI URLs for windows open by DOM.

BUG= 639658 

Cr-Commit-Position: refs/heads/master@{#413834}
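
Added example, not Chromium code and not part of the original thread: a sketch of why a check that keeps WebUI URLs out of DOM-opened windows has to be applied to the URL that will actually load, given that the report's `about:history-frame` link ends up at "chrome://". The about-to-chrome rewrite model, the function names and the sample URLs are assumptions made for illustration.

```javascript
// Added illustration, not Chromium code. Names and the rewrite model are assumptions.
const WEBUI_SCHEMES = new Set(["chrome:"]);
// about: pages assumed to stay in the about: scheme rather than map to WebUI.
const ABOUT_PASSTHROUGH = new Set(["blank", "srcdoc"]);

// Model of the alias behaviour the report shows: about:<page> ends up at chrome://<page>.
function canonicalize(rawUrl) {
  const trimmed = rawUrl.trim();
  const m = /^about:(?:\/\/)?([^\/?#]*)(.*)$/i.exec(trimmed);
  if (m && !ABOUT_PASSTHROUGH.has(m[1].toLowerCase())) {
    return new URL(`chrome://${m[1]}${m[2]}`);
  }
  return new URL(trimmed);
}

// Weak form: looks only at the scheme as written in the link.
function schemeOnlyCheck(rawUrl) {
  try {
    return !WEBUI_SCHEMES.has(new URL(rawUrl).protocol);
  } catch {
    return false; // unparseable URLs are refused
  }
}

// Hardened form: decide on the URL that would actually be loaded.
function allowedForDomOpenedWindow(rawUrl) {
  try {
    return !WEBUI_SCHEMES.has(canonicalize(rawUrl).protocol);
  } catch {
    return false; // unparseable URLs are refused
  }
}

// Returns the URLs on which the two checks disagree.
function disagreements(urls) {
  return urls.filter((u) => schemeOnlyCheck(u) !== allowedForDomOpenedWindow(u));
}

// Constructed sample URLs.
const SAMPLE_URLS = [
  "https://example.com/",
  "about:blank",
  "about:history-frame",
  "ABOUT:history-frame",
  "chrome://history-frame",
];
console.log(disagreements(SAMPLE_URLS));
```
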


Labels: M-54
Status: Fixed
Project Member

Comment 7 by, Aug 24 2016

Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify
Labels: reward-topanel
Sure, we can take this to the reward panel to review. Ultimately it's up to them to determine if this qualifies for a reward. Low severity issues are usually case-by-case, and don't necessarily qualify.
Labels: Release-0-M54
Labels: CVE-2016-5193
Labels: -reward-topanel reward-unpaid reward-500
Congratulations, the panel awarded $500 for this bug. A member of our finance team will be in touch shortly.

*** Boilerplate reminders! ***
Please do NOT publicly disclose details until a fix has been released to all our users. Early public disclosure may cancel the provisional reward. Also, please be considerate about disclosure when the bug affects a core library that may be used by other products. Please do NOT share this information with third parties who are not directly involved in fixing the bug. Doing so may cancel the provisional reward. Please be honest if you have already disclosed anything publicly or to third parties. Lastly, we understand that some of you are not interested in money. We offer the option to donate your reward to an established charity. If you prefer this option, let us know and we will also match your donation - subject to our discretion. Any rewards that are unclaimed after 12 months will be donated to a charity of our choosing.
Labels: reward-inprocess
Labels: -reward-unpaid
Project Member

Comment 16 by, Nov 30 2016

Labels: -Restrict-View-SecurityNotify allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit - Your friendly Sheriffbot
