ChromeOS captive portal dialog doesn't show an omnibox |
||||||||
Issue descriptionOn ChromeOS, the captive portal system tray notification opens a dialog titled "Captive Portal Authorization" on ChromeOS which displays a webview containing the captive portal's login page. There are some problems with this dialog: - It's phishable as it doesn't have a URL bar. The user doesn't know where they are logging in, and there is also no back/forward/reload buttons. - Most features don't work with this dialog, including alert/confirm/prompt dialogs, autofill form-not-secure warnings etc. - There are multiple captive portal UI implementations on ChromeOS: (1) this dialog (NetworkPortalWebDialog) (2) captive portal login tab that automatically opens when an SSL error occurs behind a captive portal (3) the modal dialog that's displayed on the login page (SimpleWebViewDialog). Given that (2) is already used on desktop, we should simply keep using it and remove NetworkPortalWebDialog altogether.
,
Mar 7 2017
https://crbug.com/386837 is the original bug introduced NetworkPortalWebDialog. Add one more network label to increase the visibility of this issue.
,
Mar 7 2017
Thanks Jialiu! alemate: According to https://crbug.com/386837#c23 , this dialog is so that it can bypass proxy settings. Is there anything that can be done to improve the current situation? E.g. can we open an incognito window or something similar instead of using a webview? If that's still not possible, can we reuse SimpleWebViewDialog which displays a read only location bar? (FWIW I noticed SimpleWebViewDialog crashes on alert() dialogs)
,
Mar 7 2017
,
Mar 7 2017
This is more complex than just adding an omnibox. Captive portal can be triggered from a non-signed-in state meaning that if we added an omnibox there it could be used to do general browsing on a device with disabled guest mode. kuscher@ this really needs thought from a PM perspective. Is there any way to add an onmibox without enabling general browsing?
,
Mar 7 2017
> This is more complex than just adding an omnibox. Captive portal can be triggered from a non-signed-in state meaning that if we added an omnibox there it could be used to do general browsing on a device with disabled guest mode. I think you mean SimpleWebViewDialog which is different than this one. It has a read only omnibox that doesn't allow entering URLs. Just to clarify, there are two different dialogs: - Non signed-in state dialog uses SimpleWebViewDialog which has a read only URL bar. - Signed-in and guest mode uses NetworkPortalWebDialog which doesn't have a URL bar (this bug).
,
Mar 8 2017
I think we are always using Ephemeral user for captive portal authorization to bypass system proxy. But we have to make sure this cannot be used for anything other than signing in to Captive Portal.
,
Mar 8 2017
alemate: Do you mean browsing with the proxy bypass shouldn't be allowed? Or do you mean browsing in general? (I think you mean the former, but just wanted to confirm, since browsing is already possible using existing browser windows) Just exploring alternatives here: Would it be possible to do something similar by creating an extension that uses the chrome.proxy API, and loading an ephemeral browser window that runs that extension?
,
Mar 8 2017
> alemate: Do you mean browsing with the proxy bypass shouldn't be allowed? > Or do you mean browsing in general? (I think you mean the former, but just > wanted to confirm, since browsing is already possible using existing browser > windows) This is usually the case with enterprise devices when device-level proxy is configured by policy. It means the legitimate user cannot ever reach the captive portal interface, because proxy is not accessible. So we implemented a poped-up dialog associated with ephemeral profile so that we can do captive portal authorization. Enabling extensions for ephemeral profiles is tricky. So I'd vote against it. But I am fine with replacing existing dialog with SimpleWebViewDialog provided that it doesn't need a real user profile to run.
,
Mar 8 2017
Also a tricky point is that this dialog should be runnable when Browser object doesn't exist. But "not requiring regular user profile" usually means the same ;)
,
Mar 8 2017
Thanks for the clarification. SimpleWebViewDialog doesn't have a Browser object either, so I think it should work. Using SimpleWebViewDialog will solve the omnibox part of this bug, but we'll need to handle each of the remaining problems separately (alert dialogs, form-not-secure warnings, translation, zoom, favicons etc). Basically, any TabHelper that's created by TabHelpers class is not available to SimpleWebViewDialog, and that's a very large number of features. I started fixing these in bug 699197, but it's a rabbit hole and I feel like using a proper browser window would to be easier than doing these one by one :) (Then again, we might be able to simply call TabHelpers::AttachTabHelpers from SimpleWebViewDialog)
,
Jun 30 2017
We should track this as a security bug: As it stands, an active network attacker can display arbitrary content without an omnibox in a system modal dialog box. I briefly looked into using SimpleWebViewDialog for this purpose but so for haven't succeeded in doing so.
,
Nov 10 2017
,
Feb 18 2018
|
||||||||
►
Sign in to add a comment |
||||||||
Comment 1 by mea...@chromium.org
, Mar 7 201744.3 KB
44.3 KB View Download
29.5 KB
29.5 KB View Download