New issue
Advanced search Search tips

Issue 704560 link

Starred by 3 users
Status: Fixed
Owner:
tkent@chromium.org
Closed: Mar 2017
Cc:
keishi@chromium.org
awhalley@chromium.org
Components:
EstimatedDays: ----
NextAction: ----
OS: Windows , Mac
Pri: 1
Type: Bug-Security



Sign in to add a comment

Security: Form field validation bubbles can appear over the wrong tab

Reported by chromium...@gmail.com, Mar 23 2017 
Chrome Version: 59.0.3049.0 Canary + stable
Operating System: Windows 7

REPRODUCTION CASE
1. Open the testcase
2. Click on the button and observe
testcase.html
988 bytes View Download

Comment 1 Deleted

Comment 2 by chromium...@gmail.com, Mar 23 2017 

Spoofing.
screenshot.png
144 KB View Download

Comment 3 by rsesek@chromium.org, Mar 23 2017

Components: Blink>Forms>Validation
Labels: Security_Severity-Low Security_Impact-Stable M-58 OS-Mac OS-Windows Pri-1
Owner: tkent@chromium.org
Status: Assigned (was: Unconfirmed)
Confirmed. Labeling as Low, since I don't quite see how an attacker would be able to make this too useful.

Comment 4 Deleted

Comment 5 by chromium...@gmail.com, Mar 23 2017 

From  issue 673163 .

Comment 6 by chromium...@gmail.com, Mar 23 2017 

Kent - shouldn't be higher than low severity as  issue 673163 ?

Comment 7 by rsesek@chromium.org, Mar 23 2017

Labels: -Security_Severity-Low Security_Severity-Medium
Prior art says yes. Thanks.

Comment 8 by tkent@chromium.org, Mar 24 2017

Status: Started (was: Assigned)

Comment 9 by tkent@chromium.org, Mar 24 2017

Cc: keishi@chromium.org
Project Member

Comment 10 by bugdroid1@chromium.org, Mar 27 2017 

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/a896ff44a395a50ab18f5120f20b7eb5a9550247

commit a896ff44a395a50ab18f5120f20b7eb5a9550247
Author: tkent <tkent@chromium.org>
Date: Mon Mar 27 03:47:21 2017

Form validation: Validation bubble should be closed on document unload process.

This CL fixes a bug that a validation bubble is not closed by page navigation in
some cases.

We close a validation message on Page::documentDetached(). However it seems it was
too late to communicate with the browser process in some cases. So, this CL moves
it to Document unload timing.

 * Add ValidationMessage::willUnloadDocument(), which closes a validation bubble,
  and Document::dispatchUnloadEvents() calls it indirectly through Page.

 * HTMLFormControlElement prevents from showing a validation message after the
  unload processing.

BUG= 704560 

Review-Url: https://codereview.chromium.org/2771193002
Cr-Commit-Position: refs/heads/master@{#459701}

[modify] https://crrev.com/a896ff44a395a50ab18f5120f20b7eb5a9550247/third_party/WebKit/Source/core/dom/Document.cpp
[modify] https://crrev.com/a896ff44a395a50ab18f5120f20b7eb5a9550247/third_party/WebKit/Source/core/dom/DocumentTest.cpp
[modify] https://crrev.com/a896ff44a395a50ab18f5120f20b7eb5a9550247/third_party/WebKit/Source/core/html/HTMLFormControlElement.cpp
[modify] https://crrev.com/a896ff44a395a50ab18f5120f20b7eb5a9550247/third_party/WebKit/Source/core/page/Page.cpp
[modify] https://crrev.com/a896ff44a395a50ab18f5120f20b7eb5a9550247/third_party/WebKit/Source/core/page/Page.h
[modify] https://crrev.com/a896ff44a395a50ab18f5120f20b7eb5a9550247/third_party/WebKit/Source/core/page/ValidationMessageClient.h
[modify] https://crrev.com/a896ff44a395a50ab18f5120f20b7eb5a9550247/third_party/WebKit/Source/web/ValidationMessageClientImpl.cpp
[modify] https://crrev.com/a896ff44a395a50ab18f5120f20b7eb5a9550247/third_party/WebKit/Source/web/ValidationMessageClientImpl.h

Comment 11 by chromium...@gmail.com, Mar 27 2017 

Fixed on 59.0.3053.0 Canary.

Comment 12 by tkent@chromium.org, Mar 27 2017

Labels: -M-58 Merge-Request-57 Merge-Request-58
Status: Fixed (was: Started)

Comment 13 by gov...@chromium.org, Mar 27 2017

Cc: awhalley@chromium.org
+awhalley@ for M57/M58 merge review.

Please note we already cut M57 Stable RC for release this week.

Comment 14 by awhalley@google.com, Mar 28 2017

Labels: -Merge-Request-57 Merge-Rejected-57 M-59 M-58
Not taking this for M57, but good for M58 once it's been out on canary for 48 hours+
Project Member

Comment 15 by sheriffbot@chromium.org, Mar 28 2017

Labels: -Merge-Request-58 Hotlist-Merge-Approved Merge-Approved-58
Your change meets the bar and is auto-approved for M58. Please go ahead and merge the CL to branch 3029 manually. Please contact milestone owner if you have questions.
Owners: amineer@(Android), cmasso@(iOS), bhthompson@(ChromeOS), govind@(Desktop)

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Project Member

Comment 16 by sheriffbot@chromium.org, Mar 28 2017

Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify

Comment 17 by awhalley@google.com, Mar 28 2017

Labels: reward-topanel
Project Member

Comment 18 by bugdroid1@chromium.org, Mar 29 2017

Labels: -merge-approved-58 merge-merged-3029
The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/2bf11fe64e121ef8c9603d1b56e972b4800cc3c0

commit 2bf11fe64e121ef8c9603d1b56e972b4800cc3c0
Author: Kent Tamura <tkent@chromium.org>
Date: Wed Mar 29 07:54:14 2017

Merge "Form validation: Validation bubble should be closed on document unload process." to M58

This CL fixes a bug that a validation bubble is not closed by page navigation in
some cases.

We close a validation message on Page::documentDetached(). However it seems it was
too late to communicate with the browser process in some cases. So, this CL moves
it to Document unload timing.

 * Add ValidationMessage::willUnloadDocument(), which closes a validation bubble,
  and Document::dispatchUnloadEvents() calls it indirectly through Page.

 * HTMLFormControlElement prevents from showing a validation message after the
  unload processing.

BUG= 704560 

Review-Url: https://codereview.chromium.org/2771193002
Cr-Commit-Position: refs/heads/master@{#459701}
(cherry picked from commit a896ff44a395a50ab18f5120f20b7eb5a9550247)

Review-Url: https://codereview.chromium.org/2782093003 .
Cr-Commit-Position: refs/branch-heads/3029@{#472}
Cr-Branched-From: 939b32ee5ba05c396eef3fd992822fcca9a2e262-refs/heads/master@{#454471}

[modify] https://crrev.com/2bf11fe64e121ef8c9603d1b56e972b4800cc3c0/third_party/WebKit/Source/core/dom/Document.cpp
[modify] https://crrev.com/2bf11fe64e121ef8c9603d1b56e972b4800cc3c0/third_party/WebKit/Source/core/dom/DocumentTest.cpp
[modify] https://crrev.com/2bf11fe64e121ef8c9603d1b56e972b4800cc3c0/third_party/WebKit/Source/core/html/HTMLFormControlElement.cpp
[modify] https://crrev.com/2bf11fe64e121ef8c9603d1b56e972b4800cc3c0/third_party/WebKit/Source/core/page/Page.cpp
[modify] https://crrev.com/2bf11fe64e121ef8c9603d1b56e972b4800cc3c0/third_party/WebKit/Source/core/page/Page.h
[modify] https://crrev.com/2bf11fe64e121ef8c9603d1b56e972b4800cc3c0/third_party/WebKit/Source/core/page/ValidationMessageClient.h
[modify] https://crrev.com/2bf11fe64e121ef8c9603d1b56e972b4800cc3c0/third_party/WebKit/Source/web/ValidationMessageClientImpl.cpp
[modify] https://crrev.com/2bf11fe64e121ef8c9603d1b56e972b4800cc3c0/third_party/WebKit/Source/web/ValidationMessageClientImpl.h

Comment 19 by awhalley@google.com, Mar 31 2017

Labels: -Hotlist-Merge-Approved

Comment 20 by awhalley@chromium.org, Mar 31 2017

Labels: -reward-topanel reward-unpaid reward-500

Comment 21 by awhalley@google.com, Mar 31 2017 

Nice one! The panel has decided to award $500 for this bug.

Comment 22 by awhalley@chromium.org, Mar 31 2017

Labels: -reward-unpaid reward-inprocess

Comment 23 by awhalley@google.com, Apr 18 2017

Labels: Release-0-M58

Comment 24 by awhalley@chromium.org, Apr 19 2017

Labels: CVE-2017-5065
Project Member

Comment 25 by sheriffbot@chromium.org, Jul 4 2017

Labels: -Restrict-View-SecurityNotify allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 26 by awhalley@chromium.org, Apr 25 2018

Labels: CVE_description-submitted

Sign in to add a comment