
Issue 697649


Issue metadata

Status: WontFix
Owner: ----
Closed: Mar 2017
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux, Windows, Chrome, Mac
Pri: 2
Type: Bug-Security

Security: DevTools process remains the same across cross-process navigations

Project Member Reported by est...@chromium.org, Mar 1 2017

Issue description

(I can't convince myself whether this is or isn't a security issue, so I'm filing a bug to capture the discussion.)

The same DevTools process can attach to different renderer processes. For example, if you open DevTools, navigate to https://example.com, then navigate to https://google.com, the DevTools process stays the same even though the navigation was cross-process.

This seems non-ideal, especially in a site isolation world: if you attach DevTools to evil.com and evil.com can XSS DevTools, then that turns into a UXSS as long as DevTools is open.

OTOH, it's very convenient for DevTools to stay in the same process so that it can preserve console output, network logs, etc. across navigations.

cc'ing some people who might have opinions.

Comment 1

Cc: pfeldman@chromium.org
If a site can break into DevTools, it can do whatever. For example, get all the cookies in the browser, which sounds bigger than what cross-processing could try to solve.

Making it cross-process is a huge amount of work and greatly regresses UX for the reasons you mentioned and more.

Comment 2 by vakh@chromium.org, Mar 2 2017

Labels: Security_Severity-Low Security_Impact-Stable
Setting the severity to Low since the exploitability and impact aren't clear.

Project Member Comment 3 by sheriffbot@chromium.org, Mar 2 2017

Labels: Pri-2
Status: WontFix (was: Unconfirmed)
As per comment #1, we consider breaking into DevTools compromising the browser instance (on par with breaking into WebUI).

Project Member Comment 5 by sheriffbot@chromium.org, Jun 9 2017

Labels: -Restrict-View-SecurityTeam allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot