Starred by 3 users
Status: Fixed
Closed: Mar 2017
OS: Windows, Mac
Pri: 1
Type: Bug-Security
Security: Form field validation bubbles can appear over the wrong tab
Reported by chromium...@gmail.com, Mar 23 2017
Chrome Version: 59.0.3049.0 Canary + stable
Operating System: Windows 7

REPRODUCTION CASE
1. Open the testcase
2. Click on the button and observe
 
testcase.html (988 bytes)
Comment 1 Deleted
Spoofing.
screenshot.png (144 KB)
Comment 3 by rsesek@chromium.org, Mar 23 2017
Components: Blink>Forms>Validation
Labels: Security_Severity-Low Security_Impact-Stable M-58 OS-Mac OS-Windows Pri-1
Owner: tkent@chromium.org
Status: Assigned
Confirmed. Labeling as Low, since I don't quite see how an attacker would be able to make this too useful.
Comment 4 Deleted
From issue 673163.
Kent - shouldn't be higher than low severity as issue 673163?
Comment 7 by rsesek@chromium.org, Mar 23 2017
Labels: -Security_Severity-Low Security_Severity-Medium
Prior art says yes. Thanks.
Comment 8 by tkent@chromium.org, Mar 24 2017
Status: Started
Comment 9 by tkent@chromium.org, Mar 24 2017
Cc: keishi@chromium.org
Project Member Comment 10 by bugdroid1@chromium.org, Mar 27 2017
The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/a896ff44a395a50ab18f5120f20b7eb5a9550247

commit a896ff44a395a50ab18f5120f20b7eb5a9550247
Author: tkent <tkent@chromium.org>
Date: Mon Mar 27 03:47:21 2017

Form validation: Validation bubble should be closed on document unload process.

This CL fixes a bug where a validation bubble is not closed by page navigation in
some cases.

We close a validation message on Page::documentDetached(). However, it seems it was
too late to communicate with the browser process in some cases. So, this CL moves
it to Document unload timing.

 * Add ValidationMessage::willUnloadDocument(), which closes a validation bubble,
  and Document::dispatchUnloadEvents() calls it indirectly through Page.

 * HTMLFormControlElement prevents showing a validation message after the
  unload processing.

BUG=704560

Review-Url: https://codereview.chromium.org/2771193002
Cr-Commit-Position: refs/heads/master@{#459701}

[modify] https://crrev.com/a896ff44a395a50ab18f5120f20b7eb5a9550247/third_party/WebKit/Source/core/dom/Document.cpp
[modify] https://crrev.com/a896ff44a395a50ab18f5120f20b7eb5a9550247/third_party/WebKit/Source/core/dom/DocumentTest.cpp
[modify] https://crrev.com/a896ff44a395a50ab18f5120f20b7eb5a9550247/third_party/WebKit/Source/core/html/HTMLFormControlElement.cpp
[modify] https://crrev.com/a896ff44a395a50ab18f5120f20b7eb5a9550247/third_party/WebKit/Source/core/page/Page.cpp
[modify] https://crrev.com/a896ff44a395a50ab18f5120f20b7eb5a9550247/third_party/WebKit/Source/core/page/Page.h
[modify] https://crrev.com/a896ff44a395a50ab18f5120f20b7eb5a9550247/third_party/WebKit/Source/core/page/ValidationMessageClient.h
[modify] https://crrev.com/a896ff44a395a50ab18f5120f20b7eb5a9550247/third_party/WebKit/Source/web/ValidationMessageClientImpl.cpp
[modify] https://crrev.com/a896ff44a395a50ab18f5120f20b7eb5a9550247/third_party/WebKit/Source/web/ValidationMessageClientImpl.h

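As an added illustration (not Blink's code and not part of this CL), a C++ toy of the ordering the commit message describes: closing the bubble only at documentDetached() can be too late once the renderer has lost its channel to the browser, so the fix closes it when unload begins and refuses to show a new one afterwards. Class and method names are borrowed from the commit message; BrowserBubble, channelOpen and bubbleLeaksAcrossNavigation are assumed names for the model.

```cpp
// Toy model of the fix, added as illustration; it is not Blink code.
// BrowserBubble, channelOpen and the scenario function are assumptions.

struct BrowserBubble {       // stand-in for the bubble UI owned by the browser process
    int forDocument = 0;     // id of the document whose bubble is on screen, 0 = none
};

struct ValidationMessageClient {   // renderer side; forwards requests to the browser
    BrowserBubble* bubble;
    bool channelOpen = true;       // false once the renderer can no longer reach the browser
    void show(int docId) { if (channelOpen) bubble->forDocument = docId; }
    void hide(int docId) {
        if (channelOpen && bubble->forDocument == docId) bubble->forDocument = 0;
    }
    void willUnloadDocument(int docId) { hide(docId); }   // new hook added by the fix
};

struct Document {
    int id;
    ValidationMessageClient* client;
    bool closeOnUnload;      // first bullet of the fix: close the bubble at unload time
    bool guardAfterUnload;   // second bullet: no new bubble once unload has started
    bool unloadStarted = false;

    // A form control asking for a bubble (what a reportValidity() call ends up doing).
    bool showValidationMessage() {
        if (guardAfterUnload && unloadStarted) return false;
        client->show(id);
        return true;
    }
    void dispatchUnloadEvents() {
        unloadStarted = true;
        if (closeOnUnload) client->willUnloadDocument(id);  // close while the channel is open
        showValidationMessage();  // a script handler running during unload asks again
    }
    void documentDetached() { client->hide(id); }  // the old, too-late close point
};

// Show a bubble, then navigate away. Returns true if the old document's bubble is
// still on screen afterwards, i.e. it would be drawn over whatever loads next.
bool bubbleLeaksAcrossNavigation(bool closeOnUnload, bool guardAfterUnload) {
    BrowserBubble bubble;
    ValidationMessageClient client{&bubble};
    Document doc{1, &client, closeOnUnload, guardAfterUnload};
    doc.showValidationMessage();
    doc.dispatchUnloadEvents();
    client.channelOpen = false;   // "some cases": the channel is gone before detach
    doc.documentDetached();
    return bubble.forDocument != 0;
}
```

Only when both parts of the fix are in place does the bubble disappear; closing at unload alone still lets a handler running during unload reopen it.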
Fixed on 59.0.3053.0 Canary.
Comment 12 by tkent@chromium.org, Mar 27 2017
Labels: -M-58 Merge-Request-57 Merge-Request-58
Status: Fixed
Cc: awhalley@chromium.org
+awhalley@ for M57/M58 merge review.

Please note we already cut M57 Stable RC for release this week. 
Labels: -Merge-Request-57 Merge-Rejected-57 M-59 M-58
Not taking this for M57, but good for M58 once it's been out on canary for 48 hours+
Project Member Comment 15 by sheriffbot@chromium.org, Mar 28 2017
Labels: -Merge-Request-58 Hotlist-Merge-Approved Merge-Approved-58
Your change meets the bar and is auto-approved for M58. Please go ahead and merge the CL to branch 3029 manually. Please contact milestone owner if you have questions.
Owners: amineer@(Android), cmasso@(iOS), bhthompson@(ChromeOS), govind@(Desktop)

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Project Member Comment 16 by sheriffbot@chromium.org, Mar 28 2017
Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify
Labels: reward-topanel
Project Member Comment 18 by bugdroid1@chromium.org, Mar 29 2017
Labels: -merge-approved-58 merge-merged-3029
The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/2bf11fe64e121ef8c9603d1b56e972b4800cc3c0

commit 2bf11fe64e121ef8c9603d1b56e972b4800cc3c0
Author: Kent Tamura <tkent@chromium.org>
Date: Wed Mar 29 07:54:14 2017

Merge "Form validation: Validation bubble should be closed on document unload process." to M58

This CL fixes a bug where a validation bubble is not closed by page navigation in
some cases.

We close a validation message on Page::documentDetached(). However, it seems it was
too late to communicate with the browser process in some cases. So, this CL moves
it to Document unload timing.

 * Add ValidationMessage::willUnloadDocument(), which closes a validation bubble,
  and Document::dispatchUnloadEvents() calls it indirectly through Page.

 * HTMLFormControlElement prevents showing a validation message after the
  unload processing.

BUG=704560

Review-Url: https://codereview.chromium.org/2771193002
Cr-Commit-Position: refs/heads/master@{#459701}
(cherry picked from commit a896ff44a395a50ab18f5120f20b7eb5a9550247)

Review-Url: https://codereview.chromium.org/2782093003 .
Cr-Commit-Position: refs/branch-heads/3029@{#472}
Cr-Branched-From: 939b32ee5ba05c396eef3fd992822fcca9a2e262-refs/heads/master@{#454471}

[modify] https://crrev.com/2bf11fe64e121ef8c9603d1b56e972b4800cc3c0/third_party/WebKit/Source/core/dom/Document.cpp
[modify] https://crrev.com/2bf11fe64e121ef8c9603d1b56e972b4800cc3c0/third_party/WebKit/Source/core/dom/DocumentTest.cpp
[modify] https://crrev.com/2bf11fe64e121ef8c9603d1b56e972b4800cc3c0/third_party/WebKit/Source/core/html/HTMLFormControlElement.cpp
[modify] https://crrev.com/2bf11fe64e121ef8c9603d1b56e972b4800cc3c0/third_party/WebKit/Source/core/page/Page.cpp
[modify] https://crrev.com/2bf11fe64e121ef8c9603d1b56e972b4800cc3c0/third_party/WebKit/Source/core/page/Page.h
[modify] https://crrev.com/2bf11fe64e121ef8c9603d1b56e972b4800cc3c0/third_party/WebKit/Source/core/page/ValidationMessageClient.h
[modify] https://crrev.com/2bf11fe64e121ef8c9603d1b56e972b4800cc3c0/third_party/WebKit/Source/web/ValidationMessageClientImpl.cpp
[modify] https://crrev.com/2bf11fe64e121ef8c9603d1b56e972b4800cc3c0/third_party/WebKit/Source/web/ValidationMessageClientImpl.h

Labels: -Hotlist-Merge-Approved
Labels: -reward-topanel reward-unpaid reward-500
Nice one! The panel has decided to award $500 for this bug.
Labels: -reward-unpaid reward-inprocess
Labels: Release-0-M58
Labels: CVE-2017-5065
Project Member Comment 25 by sheriffbot@chromium.org, Jul 4
Labels: -Restrict-View-SecurityNotify allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot