Security: Spoofing via alert()
Reported by
jackwill...@gmail.com,
Mar 19 2017
Issue description
Chrome Canary 59.0.3045.0 - Windows 7
1. Open index.html.
2. Click on attack button.
3. Then type www.google.com and observe.
Mar 19 2017
Yeah.
Mar 19 2017
Actually I'm not sure if it is a security issue.
Mar 20 2017
Seems familiar, but I couldn't find a duplicate entry for this issue.
Mar 20 2017
This requires some unusual user action, so I will call it WF. The same thing happens when you go to one site and then type in a different URL w/o committing it.
Mar 20 2017
Agreed. This is one of the reasons the dialog includes "localhost says:", which provides an additional signal of which pages showed it. (The URL is also something the user just typed, so it's not really under attacker control.)
Mar 20 2017
> This requires some unusual user action, so I will call it WF.

I don't think this is necessarily true. If your site is indexed by Google, you can change your main page to display an alert/confirm/prompt dialog on load, and any person coming from Google will see the dialog on google.com. A very short-lived POC because Google reindexes and downgrades the site in about 15 minutes: Search Google for "mustafaacer.com" and click on the link. The prompt shows up on google.com.
Mar 20 2017
Comment 7: When I try that, both the URL bar and the dialog say www.mustafaacer.com. It is unfortunate that the Google search results stay visible underneath the dialog, but that's kind of the reverse of a URL spoof (i.e., attacker's URL over victim page contents, with correctly labeled dialog).
Mar 20 2017
Okay, I thought this was similar to the HTTP auth spoof in bug 149871 but the omnibox showed incorrect origin in that bug in addition to the dialog. I was about to suggest displaying a blank interstitial here too, but that doesn't seem necessary.
Jun 7 2017
Jun 27 2017
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by elawrence@chromium.org, Mar 19 2017