Security: Execution of Flash despite setting set to "Ask first"
Reported by anongt...@gmail.com, Mar 7 2017
Issue description

VULNERABILITY DETAILS
When opening a website with a native Flash embed (example: http://floccinaucinihilipilification.com/), the Flash content is run automatically, even when the browser preferences set the Flash execution setting to "Ask first," and the website is not listed among the exceptions.

VERSION
Chrome Version: Version 56.0.2924.87 (64-bit) + stable
Operating System: macOS 10.12.3 (16D32)

REPRODUCTION CASE
Set the Flash execution setting to the preference mentioned above, and then visit "http://floccinaucinihilipilification.com/". It will run Flash automatically rather than asking for user confirmation.
Mar 10 2017
I haven't been able to reproduce this on either Windows or Mac, using either Stable or Canary. Can you please try updating to the current stable build (Chrome 57) and see whether or not you can still reproduce the issue? If you use a Guest profile, does the issue continue to occur? Can you attach a screenshot of your chrome://settings/contentExceptions#plugins window? Thanks!
Mar 10 2017
Hi, I have been able to reproduce the issue with the current build. It appears to only work on the current version of macOS Sierra, though, because coworkers on Sierra have the same issue, but those on Yosemite do not.
New Chrome version: 57.0.2987.98 (64-bit)
macOS Version: 10.12.3 (16D32)
Attached are screenshots of my Flash content settings and the exceptions. I have Guest profiles disabled, but the issue persists across all profiles and incognito mode.
Mar 10 2017
Thank you for providing more feedback. Adding requester "elawrence@chromium.org" to the cc list and removing "Needs-Feedback" label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Mar 10 2017
dominickn@: Do you know who might have better suggestions for debugging this? I can't get a repro locally.
Mar 10 2017
+cc other Flash folks. I also can't get a local repro, but it might be the corp profile interfering.
Mar 10 2017
I should note that I am only experiencing this issue on the website mentioned above, where it's directly embedded. On other websites, where it's not a top-level embed, I do get a Flash execution prompt. On the website mentioned above, though, as you will notice in the attached screenshot, there is no indication whatsoever of Flash being run.
Mar 10 2017
No repro on Chrome M56.0.2924.87 (64-bit, no corp policy - clean Win10 install). I wonder what the site-engagement score is though for that site. If it is high enough (chrome://site-engagement will tell you), Flash will be allowed even if set to ASK. NOTE: at this time "high enough" is site-engagement > 4.
Mar 10 2017
The site engagement score is 12.49.
Mar 11 2017
This appears to be working as intended (i.e. when the site engagement score exceeds the minimum threshold the content will be allowed to run).
Jun 17 2017
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot