
Issue 701261


Issue metadata

Status: WontFix
Owner: ----
Closed: Mar 2017
EstimatedDays: ----
NextAction: ----
OS: Windows
Pri: 2
Type: Bug-Security




Webconsole should not offer Javascript evaluation

Reported by mishra.d...@gmail.com, Mar 14 2017

Issue description

UserAgent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:45.0) Gecko/20100101 Firefox/45.0

Steps to reproduce the problem:
This WFM me in every version of Chrome in Windows.

What is the expected behavior?

What went wrong?
1. Open Console 
2. Try running JS, it will let you evaluate arbitrary JS.
I believe this is not a good idea.

Did this work before? N/A 

Chrome version: 59.0.3040.0 (Official Build) canary (64-bit)  Channel: canary
OS Version: 6.1 (Windows 7, Windows Server 2008 R2)
Flash Version: Shockwave Flash 24.0 r0
 
Attachment: PoC.PNG (121 KB)
Labels: -Restrict-View-SecurityTeam allpublic
Status: WontFix (was: Unconfirmed)
JavaScript evaluation is a core part of the functionality of the Developer Tools.

It does not represent a security vulnerability; see https://www.chromium.org/Home/chromium-security/security-faq#TOC-Why-aren-t-physically-local-attacks-in-Chrome-s-threat-model- and the following question.
