Issue metadata
Sign in to add a comment
|
CSP bypass in domain "chrome://" via.bookmark?
Reported by
zyzengst...@gmail.com,
Feb 15 2017
|
||||||||||||||||||||||
Issue descriptionSteps to reproduce the problem: 1.add a bookmark named "bypass" on chrome iOS version which link is: javascript:alert(document.location) 2.Then visiting "about:version" and click bookmarks->"bypass". 2. You will find that javascript can execute on "chrome://" of chrome iOS version;But I could not find the same behavior on Chrome desktop version. What is the expected behavior? javascript doesn't execute What went wrong? javascript executes on domain "chrome://" Did this work before? N/A Chrome version: 56.0.2924.79 Channel: stable OS Version: iOS 10.2.1 Flash Version:
,
Feb 15 2017
Tactically, this could be fixed by updating loadJavaScriptFromLocationBar to look at the current tab's URL and cancel the script-load operation if the tab is located on a prohibited scheme. That would cover both user-entered JS and bookmarks.
,
Feb 16 2017
marq: could you please help us find an appropriate owner for this? It looks like it's iOS specific.
,
Feb 16 2017
cc sky@ for bookmarks
,
Mar 4 2017
any follow-ups on this issue?
,
Mar 13 2017
Hello,are experts following up on this issue?
,
Mar 20 2017
Sorry for the delay in updating this. Assigning to eugenebut@.
,
Mar 20 2017
@marq OK,thank you very much
,
Mar 20 2017
,
Mar 20 2017
Bookmarks code calls |loadJavaScriptFromLocationBar:|: https://cs.chromium.org/chromium/src/ios/chrome/browser/ui/bookmarks/bookmark_interaction_controller.mm?q=loadJavaScriptFromLocationBar+package:%5Echromium$&l=305 Chris, what do you think about allowing Bookmarklets on iOS from a security perspective?
,
Mar 20 2017
Whether or not we support bookmarklets, and if they should be able to mess with WebUI (chrome://*) origins, are product design decisions that are not really in my bailiwick. It seems to me that bookmarklets (if we support them) shouldn't be able to mess with WebUI. If there is a security issue here, it's that.
,
Mar 20 2017
Thank you. Desktop does not allow running JavaScript for WebUI pages, so I'm just add the same limitation for iOS.
,
Mar 21 2017
,
Mar 23 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/cfe21b64486c2a1bfed6e0e7304fcf8f1748ccfe commit cfe21b64486c2a1bfed6e0e7304fcf8f1748ccfe Author: eugenebut <eugenebut@chromium.org> Date: Thu Mar 23 18:17:55 2017 Disallow JS execution on WebUI pages. As a side effect TapWebViewElementWithId now actually opens windows instead of popups, which is definitely a correct behavior. BUG= 692378 Review-Url: https://codereview.chromium.org/2761173002 Cr-Commit-Position: refs/heads/master@{#459149} [modify] https://crrev.com/cfe21b64486c2a1bfed6e0e7304fcf8f1748ccfe/ios/chrome/browser/ui/settings/block_popups_egtest.mm [modify] https://crrev.com/cfe21b64486c2a1bfed6e0e7304fcf8f1748ccfe/ios/chrome/browser/ui/toolbar/toolbar_egtest.mm [modify] https://crrev.com/cfe21b64486c2a1bfed6e0e7304fcf8f1748ccfe/ios/web/public/test/web_view_interaction_test_util.mm [modify] https://crrev.com/cfe21b64486c2a1bfed6e0e7304fcf8f1748ccfe/ios/web/web_state/ui/crw_web_controller.mm [modify] https://crrev.com/cfe21b64486c2a1bfed6e0e7304fcf8f1748ccfe/ios/web/web_state/ui/crw_web_controller_unittest.mm [modify] https://crrev.com/cfe21b64486c2a1bfed6e0e7304fcf8f1748ccfe/ios/web/web_state/ui/web_view_js_utils.h
,
Mar 23 2017
,
Mar 23 2017
This bug requires manual review: Less than 29 days to go before AppStore submit on M58 Please contact the milestone owner if you have questions. Owners: amineer@(Android), cmasso@(iOS), bhthompson@(ChromeOS), govind@(Desktop) For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Mar 24 2017
Hello,can this Reward-topanel? And I aware that the title of the report maybe inappropriate,could you help me to change this title to be appropriated?such as:"Security:iOS chrome allow JS execution on domain chrome:// WebUI pages"
,
Mar 24 2017
Oh,sorry,I misspelled a word.It may cause ambiguity. "appropriated" =>"appropriate"
,
Mar 24 2017
,
Mar 24 2017
awhalley@ is this a candidate for "Reward-topanel"?
,
Mar 24 2017
,
Mar 24 2017
I'm afraid as a low severity bug it's likely out of scope of the Chrome VRP, but adding the label for consideration.
,
Mar 28 2017
Verified on M59.0.3054.0 canary Device: iPhone7, iPhone6 plus iOS: 10.3, 10.1.1 Bookmarklets are not executed in Chrome pages. Bookmarklets continues to work as usual in regular webpages.
,
Mar 31 2017
,
Mar 31 2017
,
Apr 5 2017
I'm afraid the panel declined to award for this bug. Many thanks for the submission though!
,
Apr 5 2017
But another low security bug has rewarded to panel(CVE-2016-5193),it also just a small bug in iOS. Could you think about it again?please.
,
Apr 6 2017
Hi zyzengstorm@. Low bugs end up going to the panel only when they are borderline; that one ended up falling on the reward side, this one not. See elawrence@'s comments in #1 about why we think this is very much a low severity issue. However, since it was in shipping Chrome and we made a fix, it will get a CVE and release noted - how would you like to be credited?
,
Apr 6 2017
@awhalley OK,thank you for your detail explanation. Please credit to "Zhiyang Zeng of Tencent security platform department"
,
May 25 2017
,
May 30 2017
,
Jun 30 2017
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Apr 25 2018
|
|||||||||||||||||||||||
►
Sign in to add a comment |
|||||||||||||||||||||||
Comment 1 by elawrence@chromium.org
, Feb 15 2017