
Issue 668797

Starred by 1 user

Issue metadata

Status: Duplicate
Merged: issue 657380
Owner: ----
Closed: Nov 2016
EstimatedDays: ----
NextAction: ----
OS: Mac
Pri: 2
Type: Bug




UXSS using bookmark

Reported by s.h.h.n....@gmail.com, Nov 26 2016

Issue description

UserAgent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.98 Safari/537.36

Steps to reproduce the problem:
1. Add a bookmark and set its URL to javascript:alert(1)
2. While visiting any website, if you click that bookmark, it will execute JavaScript on that website.

What is the expected behavior?
Does not allow javascript: bookmark (maybe)

What went wrong?
When clicking the bookmark, Chrome tries to open that URL in the current window. Therefore the JavaScript executes on that website. Furthermore, Dropjacking (https://bugs.chromium.org/p/chromium/issues/detail?id=639750), which I reported, allows drag and drop to add a new bookmark, which is very useful for this attack.

Did this work before? N/A 

Chrome version: 54.0.2840.98  Channel: stable
OS Version: OS X 10.11.6
Flash Version: Shockwave Flash 23.0 r0
 
Mergedinto: 657380
Status: Duplicate (was: Unconfirmed)
This is working as intended, because Chrome supports bookmarklets (https://en.wikipedia.org/wiki/Bookmarklet).

The broader question is whether Chrome should prompt users that they are drag-and-dropping a bookmarklet. Duping into the existing bug for that.
Labels: -Type-Bug-Security -Restrict-View-SecurityTeam Type-Bug
Removing restrictions since it is not a security issue + other similar bugs are public.
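
Since javascript: bookmarks are intended behavior, a user or administrator who wants to know whether any were added unnoticed can audit the profile's bookmark store. The following is an added example, not part of the original report or of Chrome's code; it assumes the profile's Bookmarks file is JSON with a `roots` object whose folders hold `children` entries carrying `type`, `name` and `url`, and the sample data is constructed.

```python
import json

# Constructed sample in the layout assumed for a Chrome profile "Bookmarks" file.
SAMPLE = json.dumps({
    "roots": {
        "bookmark_bar": {"type": "folder", "name": "Bookmarks bar", "children": [
            {"type": "url", "name": "Docs", "url": "https://example.com/docs"},
            {"type": "url", "name": "Free prize", "url": "  JavaScript:alert(1)"},
            {"type": "folder", "name": "Tools", "children": [
                {"type": "url", "name": "Helper", "url": "java\tscript:alert(1)"},
            ]},
        ]},
        "other": {"type": "folder", "name": "Other bookmarks", "children": []},
    }
})

# WHATWG URL parsing removes ASCII tab/newline anywhere in the input and
# strips leading C0 control characters and spaces before reading the scheme.
_REMOVED = "\t\n\r"
_LEADING = "".join(chr(c) for c in range(0x21))


def is_script_url(url):
    """Return True if the URL's scheme is javascript: after normalisation."""
    cleaned = "".join(ch for ch in url if ch not in _REMOVED).lstrip(_LEADING)
    return cleaned.lower().startswith("javascript:")


def _walk(node, path):
    """Yield (folder path, name, url) for every javascript: bookmark under node."""
    if not isinstance(node, dict):
        return  # skip non-folder values stored beside the roots
    if node.get("type") == "url" and is_script_url(node.get("url", "")):
        yield ("/".join(path), node.get("name", ""), node["url"])
    for child in node.get("children", []):
        yield from _walk(child, path + [node.get("name", "")])


def find_bookmarklets(bookmarks_json):
    """Return all javascript: bookmarks found in a Bookmarks JSON document."""
    roots = json.loads(bookmarks_json).get("roots", {})
    return [hit for node in roots.values() for hit in _walk(node, [])]


if __name__ == "__main__":
    for folder, name, url in find_bookmarklets(SAMPLE):
        print(f"{folder}: {name!r} -> {url!r}")
```
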
