
Issue 645004


Issue metadata

Status: Fixed
Owner:
Closed: Oct 2016
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Android
Pri: 3
Type: Feature




Web Share: Implement browser-side kill switch

Project Member Reported by mgiuca@chromium.org, Sep 8 2016

Issue description

Version: 55
OS: Android

Web Share origin trial can be remotely disabled via the origin trials server itself. However, this only disables it in the renderer.

There is no server-controlled way to disable the Mojo service, which means a compromised renderer could talk directly to the WebShare service and create shares. If a WebShare browser-side vulnerability is discovered in the wild (e.g., a major Android app is being trivially compromised by a share payload), we would ideally have a way to remotely disable the Mojo service as well.

This is a low priority because it is just a mitigation for a combined renderer compromise + potential security bug in WebShare itself.
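
The trust boundary described in the report, as an added example that is not part of the original issue and is not Chromium code: a renderer-side gate does nothing against a renderer that skips it, while a check made in the browser process when the interface is bound still applies. Every name here (`BrowserFlags`, `InterfaceRegistry`, `Renderer`, `MakeRegistry`, `"ShareService"`) is hypothetical, and the registry is a simplified stand-in for service binding, not the Mojo API.

```cpp
// Simplified model with hypothetical names; this is not Chromium's Mojo API.
#include <functional>
#include <iostream>
#include <map>
#include <string>

// Browser-process state standing in for a remotely controlled switch.
struct BrowserFlags { bool web_share_enabled = true; };

// Browser-side registry deciding whether a renderer's request is bound.
class InterfaceRegistry {
public:
    using Gate = std::function<bool()>;
    void Register(const std::string& name, Gate gate) { gates_[name] = gate; }
    bool Bind(const std::string& name) const {  // unknown interfaces are refused
        auto it = gates_.find(name);
        return it != gates_.end() && it->second();
    }
private:
    std::map<std::string, Gate> gates_;
};

// A well-behaved renderer honours the origin-trial state; a compromised one
// skips that check and asks the browser for the service directly.
struct Renderer {
    bool origin_trial_enabled;
    bool compromised;
    bool RequestShare(const InterfaceRegistry& browser) const {
        if (!compromised && !origin_trial_enabled) return false;  // renderer-side gate
        return browser.Bind("ShareService");
    }
};

// browser_side_check=false models the state the issue describes;
// true models a binder that consults the browser-held flag.
InterfaceRegistry MakeRegistry(const BrowserFlags& flags, bool browser_side_check) {
    InterfaceRegistry r;
    r.Register("ShareService", [&flags, browser_side_check] {
        return !browser_side_check || flags.web_share_enabled;
    });
    return r;
}

int main() {
    BrowserFlags flags;
    flags.web_share_enabled = false;  // constructed scenario: feature switched off
    Renderer compromised{false, true};
    std::cout << "renderer-only gate binds: " << compromised.RequestShare(MakeRegistry(flags, false))
              << "\nbrowser-side gate binds: " << compromised.RequestShare(MakeRegistry(flags, true)) << "\n";
}
```

With the flag enabled the compromised renderer can still bind the service in this model, which matches the report's framing of the switch as a mitigation to be used once a browser-side bug is known.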
 
Status: Fixed (was: Assigned)
Project Member

Comment 4 by sheriffbot@chromium.org, Oct 5 2016

Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify
Project Member

Comment 5 by sheriffbot@chromium.org, Jan 11 2017

Labels: -Restrict-View-SecurityNotify allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
