Denial of service in Chrome (iOS) just using a link
Reported by zyzengst...@gmail.com, Feb 2 2017
Issue description

Steps to reproduce the problem:
1. Open the following PoC page HTML, then click this link:
<a href="data:text/html,<script>var x=window;x.location='about:newtab';</script>" style="font-size:100px" target="_blank">click me</a>
Or you can visit the online PoC: https://api.lightrains.org/poc/1.html
2. Then you will find that Chrome (iOS) tries to open a "new tab", but the UI of Chrome will crash. So it could cause a DoS attack; you must kill the Chrome process to restart it.

What is the expected behavior?

What went wrong?
Chrome crashes and needs to be killed and restarted.

Did this work before? N/A

Chrome version: <Copy from: 'about:version'>
Channel: stable
OS Version: 10.2.1
Flash Version:
Feb 2 2017

Feb 2 2017

Feb 2 2017
No blink on iOS
Feb 16 2017
Any follow-ups on this issue?
Mar 8 2017
Are any experts dealing with it?
Mar 8 2017
I can reproduce the issue on iPhone 7. There is no crash in Chrome; it's just that the NTP is corrupted. Chrome can be used again by swiping on the omnibox to switch tabs, or doing pull-to-refresh in the corrupted tab will bring the NTP back to normal.
Mar 8 2017

Mar 9 2017
Yes, my report title is not quite right. I did not find that it could be used again by swiping on the omnibox to switch tabs at that time. So I have tried to update my PoC (#comment5; I deleted it because I don't think it's perfect). In #comment 5, if the user has turned off "block popup-window", that PoC will open a lot of windows in a moment. If so, you can't swipe on the omnibox to switch tabs to bring the NTP back to normal.
Mar 9 2017

Mar 15 2017
Apr 28 2017
eugenebut@: Seems to be related to web_controller push state -- the web controller is showing about:blank but not trying to load a native controller.
May 8 2017
Justin, the web controller has successfully loaded the about:blank web page in the new window. Why do you think it should try to load a native controller for a web page? This looks like a bug in the Chrome layer, which does not present the omnibox for some reason. Can you take a look?
May 10 2017
about:newtab loads the NTP, not about:blank. If WKWebView is loading about:blank for whatever reason, then Chrome should get a URL that reflects that. If we are hiding the toolbar, it's probably because the URL appears to be a full-screen-hack NTP.
May 10 2017
WKWebView loads about:blank; however, lastCommittedURL is this one: data:text/html,%3Cscript%3Evar%20x=window;x.location='about:newtab';%3C/script%3E That seems to be WAI from WebController's perspective. I suspect that the NTP just freaks out because of this data URL and hides the omnibox for some reason.
May 18 2017
DCHECK fires in CRWWebController, which is also a problem that needs to be fixed, so adding the Mobile>WebView>Glue label.
May 30 2017
eugenebut@: BVC -updateToolbar is checking [tab navigationManager]->GetVisibleItem()->GetURL(), which is returning "chrome://newtab/". BVC is doing what I think it's supposed to be doing...
May 30 2017
Oh, I see now. So ios/web reports that URL is native content, but did not present the native context. Thanks for pointing me to the code. I guess the right fix would be to load about:blank instead and correctly report lastCommittedURL.
Jun 2 2017
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/2bfd0fd3e968ff844ca121035ff9fe352375f62d

commit 2bfd0fd3e968ff844ca121035ff9fe352375f62d
Author: eugenebut <eugenebut@chromium.org>
Date: Fri Jun 02 00:37:39 2017

Automated test case for crbug.com/687863.

BUG= 687863
Review-Url: https://codereview.chromium.org/2914193003
Cr-Commit-Position: refs/heads/master@{#476502}

[modify] https://crrev.com/2bfd0fd3e968ff844ca121035ff9fe352375f62d/ios/chrome/browser/web/window_open_by_dom_egtest.mm
[modify] https://crrev.com/2bfd0fd3e968ff844ca121035ff9fe352375f62d/ios/testing/data/http_server_files/window_open.html
Jun 2 2017
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/657495c5b5591a13ca826a373ada0c0038d79b61

commit 657495c5b5591a13ca826a373ada0c0038d79b61
Author: eugenebut <eugenebut@chromium.org>
Date: Fri Jun 02 18:00:44 2017

Do not rewrite about urls to chrome:// for certain renderer-initiated loads

This fixes the bug where about:newtab gets rewritten to chrome://newtab and it corrupts omnibox UI. Chrome layer expects that chrome://newtab will be NTP, but about:newtab can be loaded as a regular web page as proven in crbug.com/687863 POC.

This CL also enables testWindowOpenWithAboutNewTabScript, adds tests for URLRewriting and allows |currentURLWithTrustLevel:| to return all kinds of about:// urls (old workaround was put in place for UIWebView which used JS overrides for window.open).

BUG= 687863
Review-Url: https://codereview.chromium.org/2918013002
Cr-Commit-Position: refs/heads/master@{#476716}

[modify] https://crrev.com/657495c5b5591a13ca826a373ada0c0038d79b61/ios/chrome/browser/web/window_open_by_dom_egtest.mm
[modify] https://crrev.com/657495c5b5591a13ca826a373ada0c0038d79b61/ios/web/navigation/crw_session_controller.mm
[modify] https://crrev.com/657495c5b5591a13ca826a373ada0c0038d79b61/ios/web/navigation/navigation_manager_impl_unittest.mm
[modify] https://crrev.com/657495c5b5591a13ca826a373ada0c0038d79b61/ios/web/web_state/ui/crw_web_controller.mm
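As an added example (this is not Chromium's code and not the reporter's PoC page), the JavaScript below ties together the two technical pieces of this thread: it rebuilds the reporter's data: link from the issue description and shows that it serialises to exactly the lastCommittedURL quoted earlier, then models the rewriting rule the commit above describes, where about:newtab is mapped to chrome://newtab for the Chrome layer but, once the fix is applied, a renderer-initiated load keeps its about: URL so a plain web page is no longer mistaken for the native NTP. `rewriteAboutUrl`, `ABOUT_TO_CHROME`, the `fixApplied` flag and `analysePoc` are hypothetical stand-ins assumed for illustration, not ios/web's real URL rewriter; the only mapping modelled is the about:newtab one named in the thread.

```javascript
// Added example, not Chromium code. Models crbug.com/687863 offline.

// The inline script from the reporter's link in the issue description.
const POC_HTML = "<script>var x=window;x.location='about:newtab';</script>";

// Serialise the PoC as a data: URL. encodeURI leaves ';', '=', ':', '/'
// and quotes alone and escapes '<', '>' and spaces, which is why the
// lastCommittedURL quoted in the thread reads %3Cscript%3E...%3C/script%3E.
function pocDataUrl(html = POC_HTML) {
  return 'data:text/html,' + encodeURI(html);
}

// Recover the embedded document from a data: URL (percent-encoded or
// ;base64 payload). Throws on anything that is not a data: URL.
function decodeDataUrl(url) {
  const m = /^data:([^,]*),(.*)$/s.exec(url);
  if (!m) throw new Error('not a data: URL');
  const [, meta, payload] = m;
  return /;base64$/i.test(meta)
    ? Buffer.from(payload, 'base64').toString('utf8')
    : decodeURIComponent(payload);
}

// Pull the navigation target out of an inline `location = '...'` assignment,
// or return null when the document does not navigate that way.
function embeddedNavigationTarget(html) {
  const m = /location\s*=\s*['"]([^'"]+)['"]/.exec(html);
  return m ? m[1] : null;
}

// Hypothetical model of the about: -> chrome:// rewrite (assumption, not
// the real ios/web rewriter). Only the mapping named in the thread is known.
const ABOUT_TO_CHROME = { 'about:newtab': 'chrome://newtab/' };

// Before the fix every about:newtab load was rewritten. With the fix applied,
// a renderer-initiated load (script in a web page) keeps the about: URL.
function rewriteAboutUrl(url, { rendererInitiated, fixApplied }) {
  if (fixApplied && rendererInitiated) return url;
  return ABOUT_TO_CHROME[url] || url;
}

// The Chrome layer treats exactly chrome://newtab/ as the native NTP and
// hides the toolbar for it; this is the check BVC -updateToolbar is doing.
function isNativeNtpUrl(url) {
  return url === 'chrome://newtab/';
}

// Walk the PoC: which URL does the Chrome layer see for the script-driven
// navigation before and after the fix, and does it hide the toolbar?
function analysePoc(url = pocDataUrl()) {
  const target = embeddedNavigationTarget(decodeDataUrl(url));
  const beforeFix = rewriteAboutUrl(target, { rendererInitiated: true, fixApplied: false });
  const afterFix = rewriteAboutUrl(target, { rendererInitiated: true, fixApplied: true });
  return {
    target,
    beforeFix,
    afterFix,
    toolbarHiddenBeforeFix: isNativeNtpUrl(beforeFix),
    toolbarHiddenAfterFix: isNativeNtpUrl(afterFix),
  };
}

console.log(pocDataUrl());
console.log(analysePoc());
```

Running it prints the same data: URL that appears as lastCommittedURL in the thread, and the analysis shows the renderer-initiated about:newtab load mapped to chrome://newtab/ (toolbar hidden) before the fix and left as about:newtab (toolbar shown) after it, which matches the verification comment that about:newtab is now displayed in the omnibox. A browser-initiated load of about:newtab still maps to the native NTP in this model.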
Jun 2 2017
Jun 6 2017
about:newtab is displayed in the omnibox and the toolbar is always displayed after running the test case from the original bug report. Verified on M61.0.3112.0 canary: iPhone SE, iOS 9.3.5; iPhone 5, iOS 10.2.