
Issue 707247


Issue metadata

Status: Assigned
OS: Linux, Android, Windows, All, Chrome, Mac, Fuchsia
Pri: 2
Type: Bug




Loading a CSP error page inside a web ui one triggers a CHECK.

Project Member Reported by arthurso...@chromium.org, Mar 31 2017

Issue description

Chrome Version: (copy from chrome://version)
OS: (e.g. Win7, OSX 10.9.5, etc...)

What steps will reproduce the problem?
(1) Navigate to chrome://settings
(2) Right click > Inspect
(3) Execute: "var iframe = document.createElement("iframe"); iframe.src="data:,"; document.body.appendChild(iframe);"

What is the expected result?
The iframe should be blocked by CSP.

What happens instead?
The iframe is blocked by CSP, but then a CSP error page is loaded, and an error page is not a webui page...
A CHECK is triggered.

[69879:69879:0331/163924.422495:FATAL:navigator_impl.cc(156)] Check failed: 0. 
#0 0x2b897fc5b047 base::debug::StackTrace::StackTrace()
#1 0x2b897fc6e7ab logging::LogMessage::~LogMessage()
#2 0x2b897ea73771 content::NavigatorImpl::CheckWebUIRendererDoesNotDisplayNormalURL()
#3 0x2b897ea730f1 content::NavigationRequest::OnRequestFailed()
#4 0x2b897fcdd3c0 base::debug::TaskAnnotator::RunTask()
#5 0x2b897fc7388d base::MessageLoop::RunTask()
...
 
Attachment: out-17.ogv (2.5 MB)

Comment 1 by nasko@chromium.org, Apr 24 2017

Arthur, does this happen in practice or is it just a correctness issue we need to fix in general? If no WebUI page exhibits this behavior, then I don't think it should be blocking PlzNavigate shipping, but should be something we can fix in parallel.

Comment 2 by nasko@chromium.org, May 2 2017

Labels: -Proj-PlzNavigate-Blocking Proj-PlzNavigate
There is no WebUI page that exhibits this behavior.
I agree that it should not block PlzNavigate shipping.
See Issue 770313 for a scenario where this unexpectedly happens.
Issue 771382 has been merged into this issue.
Issue 741651 also shows that this can happen in practice.

Comment 7 by est...@chromium.org, Nov 10 2017

Labels: Hotlist-EnamelAndFriendsFixIt

Comment 8 by est...@chromium.org, Feb 18 2018

Labels: -Hotlist-EnamelAndFriendsFixIt
I was about to submit a new bug, but found this one. My case was different though.

1) open incognito window, stay at the same page of it (new tab page).
2) attach iframe like that (it also triggered on HTTPS:// followed by anything you want)
3) it crashed.

I tested on every OS (Linux, Windows, Mac) and even major or older versions are still affected by this.
Labels: -Proj-PlzNavigate OS-Android OS-Chrome OS-Fuchsia OS-Linux OS-Mac OS-Windows
Summary: Loading a CSP error page inside a web ui one triggers a CHECK. (was: PlzNavigate. Loading a CSP error page inside a web ui one triggers a CHECK.)
Thanks (comment #9)!
Yes the incognito new tab page is a WebUI one. Indeed this is the correct bug.
It happens only when the user uses DevTools to modify a WebUI page. WebUI pages should not use iframes, especially with arbitrary content. So this should not happen in practice.
This is not a high priority bug, but it should be fixed at some point. Probably by not loading the error page and keeping the empty document, or ignoring the navigation.

Comment 11 by nasko@chromium.org, Mar 27 2018

I also have a CL that will block loading web documents in WebUI pages, but it is blocked by one more team converting their code over. Once that is done and I submit the change, no iframes pointing to documents coming from the web will be allowed.
