New issue
Advanced search Search tips
Note: Color blocks (like or ) mean that a user may not be available. Tooltip shows the reason.
Starred by 2 users
Status: WontFix
Owner: ----
Closed: Mar 2017
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: ----
Type: Bug-Security
Team-Security-UX



Sign in to add a comment
Security: Execution of Flash despite setting set to "Ask first"
Reported by anongt...@gmail.com, Mar 7 2017 Back to list
VULNERABILITY DETAILS
When opening a website with a native Flash embed (example: http://floccinaucinihilipilification.com/), the Flash content is run automatically, even when the browser preferences set the Flash execution setting to "Ask first," and the website is not listed among the exceptions.

VERSION
Chrome Version: Version 56.0.2924.87 (64-bit) + stable
Operating System: macOS 10.12.3 (16D32)

REPRODUCTION CASE
Set the Flash execution setting to the preference mentioned above, and then visit "http://floccinaucinihilipilification.com/". It will run Flash automatically rather than asking for user confirmation.

 
I should note that the browser does not even signal in any way that the website contains Flash content.
Components: Internals>Permissions
Labels: Needs-Feedback
I haven't been able to reproduce this on either Windows or Mac, using either Stable or Canary.

Can you please try updating to the current stable build (Chrome 57) and see whether or not you can still reproduce the issue? If you use a Guest profile, does the issue continue to occur? Can you attach a screenshot of your chrome://settings/contentExceptions#plugins window?

Thanks!
Comment 3 by anongt...@gmail.com, Mar 10 2017
Hi, I have been able to reproduce the issue with the current build. It appears to only work on the current version of macOS Sierra, though, because coworkers on Sierra have the same issue, but those on Yosemite do not.

New Chrome version: 57.0.2987.98 (64-bit)
macOS Version: 10.12.3 (16D32)

Attached are screenshots of my Flash content settings and the exceptions.

I have Guest profiles disabled, but the issue persists across all profiles and incognito mode.
Screen Shot 2017-03-10 at 2.09.03 PM.png
145 KB View Download
Screen Shot 2017-03-10 at 2.09.16 PM.png
63.8 KB View Download
Project Member Comment 4 by sheriffbot@chromium.org, Mar 10 2017
Cc: elawre...@chromium.org
Labels: -Needs-Feedback
Thank you for providing more feedback. Adding requester "elawrence@chromium.org" to the cc list and removing "Needs-Feedback" label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Owner: dominickn@chromium.org
dominickn@: Do you know who might have better suggestions for debugging this? I can't get a repro locally.
Cc: dominickn@chromium.org ericde@chromium.org lafo...@chromium.org tommycli@chromium.org raymes@chromium.org
Components: Internals>Plugins>Flash
Owner: ----
+cc other Flash folks. I also can't get a local repro, but it might be the corp profile interfering.
Comment 7 by anongt...@gmail.com, Mar 10 2017
I should note that I am only experiencing this issue on the website mentioned above, where it's directly embedded. On other websites, where it's not a top-level embed, I do get a Flash execution prompt.

On the website mentioned above, though, as you will notice in the attached screenshot, there is no indication whatsoever of Flash being run.
Screen Shot 2017-03-10 at 3.49.56 PM.png
62.2 KB View Download
Comment 8 by ericde@google.com, Mar 10 2017
no repro on chrome M56.0.2924.87 (64bit, no corp policy - clean win10 install).

I wonder what the site-engagement score is though for that site. if it is high enough (chrome://site-engagement will tell you) - Flash will be allowed even if set to ASK.

NOTE: at this time "high enough" is site-engagement > 4.
Comment 9 by anongt...@gmail.com, Mar 10 2017
The site engagement score is 12.49.
Status: WontFix
This appears to be working as intended (i.e. when the site engagement score exceeds the minimum threshold the content will be allowed to run).
Project Member Comment 11 by sheriffbot@chromium.org, Jun 17
Labels: -Restrict-View-SecurityTeam allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Sign in to add a comment