Security: Navigating to "chrome://" URLs via 'about:' protocol
Reported by martinzh...@gmail.com, Aug 21 2016
Issue description
Steps to reproduce the problem:
1. Open the PoC.html
<a href="about:history-frame" target="x" onclick="setTimeout('d()', 2000);">Click Me</a>
Or you could visit the online PoC page:
http://115.159.58.203/chrome/poc.html
2. You will find that the Chrome iOS version opened a new window and navigated to "chrome://". I could not find the same behavior in the Chrome desktop version.
What is the expected behavior?
What went wrong?
There have been similar issues in the Chrome 44.0.2403.157 stable and Chrome 49.0.2623.87.
https://bugs.chromium.org/p/chromium/issues/detail?id=528505
https://bugs.chromium.org/p/chromium/issues/detail?id=595514
But the PoC I offered above bypassed the patch imposed on the Chrome iOS version.
Did this work before? N/A
Chrome version: 52.0.2743.84 Channel: stable
OS Version: iOS 9.3.3
Flash Version: Shockwave Flash 22.0 r0
Aug 22 2016
This should probably be higher severity, as it's similar to issue 604086. That one was rated Security_Severity-Medium.
Aug 22 2016
creis@, just FYI: 604086 allowed loading a WebUI URL in the same window (and the same web process). This bug allows a WebUI child window, which is run in a separate process.
Aug 23 2016
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/5bdbf8b4a257e3264644900234c1d31126394c5f
commit 5bdbf8b4a257e3264644900234c1d31126394c5f
Author: eugenebut <eugenebut@chromium.org>
Date: Tue Aug 23 21:11:29 2016
[ios] Do not allow WebUI URLs for windows open by DOM.
BUG=639658
Review-Url: https://codereview.chromium.org/2268053002
Cr-Commit-Position: refs/heads/master@{#413834}
[modify] https://crrev.com/5bdbf8b4a257e3264644900234c1d31126394c5f/ios/web/web_state/ui/crw_web_controller.mm
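As an added illustration (not Chromium's code and not the patch in the commit above): a check that only looks for the literal "chrome://" prefix is exactly what the reporter's about:history-frame link slips past, whereas canonicalizing the about: alias to chrome:// before applying the "no WebUI URLs for DOM-opened windows" rule from the commit message catches it. The alias mapping and the about:blank exception are assumptions made for this example.

```python
from urllib.parse import urlsplit

# Assumption for this example: about:<page> is treated as an alias of
# chrome://<page>, as the PoC's about:history-frame -> chrome:// shows.
# about:blank is the one about: target a web page legitimately uses.
ABOUT_ALIAS_EXCEPTIONS = {"blank"}
WEBUI_SCHEMES = {"chrome"}


def canonicalize(url: str) -> str:
    """Rewrite the about: alias onto its chrome:// form (about:blank kept)."""
    parts = urlsplit(url.strip())
    scheme = parts.scheme.lower()
    if scheme != "about":
        return url
    page = (parts.netloc or parts.path).strip("/").lower()
    if page in ABOUT_ALIAS_EXCEPTIONS:
        return f"about:{page}"
    return f"chrome://{page}"


def naive_is_webui(url: str) -> bool:
    """The weak check: a literal prefix test that the alias bypasses."""
    return url.strip().lower().startswith("chrome://")


def is_webui(url: str) -> bool:
    """The hardened check: decide on the canonical scheme, not the spelling."""
    return urlsplit(canonicalize(url)).scheme.lower() in WEBUI_SCHEMES


def allow_for_dom_opened_window(url: str, opened_by_dom: bool = True) -> bool:
    """Policy from the fix's commit message: a window opened by DOM
    (window.open, target="x" anchors) may not load a WebUI URL.
    Browser-initiated navigations (opened_by_dom=False) are unaffected."""
    if opened_by_dom and is_webui(url):
        return False
    return True
```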
Aug 26 2016
Reward-topanel?
Aug 26 2016
Sure, we can take this to the reward panel to review. Ultimately it's up to them to determine if this qualifies for a reward. Low severity issues are usually case-by-case, and don't necessarily qualify.
Oct 15 2016
Congratulations, the panel awarded $500 for this bug. A member of our finance team will be in touch shortly.

*** Boilerplate reminders! ***

Please do NOT publicly disclose details until a fix has been released to all our users. Early public disclosure may cancel the provisional reward. Also, please be considerate about disclosure when the bug affects a core library that may be used by other products.

Please do NOT share this information with third parties who are not directly involved in fixing the bug. Doing so may cancel the provisional reward.

Please be honest if you have already disclosed anything publicly or to third parties.

Lastly, we understand that some of you are not interested in money. We offer the option to donate your reward to an established charity. If you prefer this option, let us know and we will also match your donation - subject to our discretion. Any rewards that are unclaimed after 12 months will be donated to a charity of our choosing.

*********************************
Nov 30 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by jialiul@chromium.org, Aug 22 2016
Labels: Security_Impact-Stable Security_Severity-Low
Owner: eugene...@chromium.org
Status: Assigned (was: Unconfirmed)