Issue 709006

Issue metadata

Status: Fixed
Owner:
Closed: May 2017
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Windows
Pri: 2
Type: Bug
Security: Google Chrome 'JavaScript Prompt' Origin Spoofing With Drop+Drag

Reported by jm.acun...@gmail.com, Apr 6 2017

Issue description

UserAgent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/57.0.2987.133 Safari/537.36

Steps to reproduce the problem:
I can also play the bug with id 138390 in Google Chrome (Version 57.0.2987.133)

https://bugs.chromium.org/p/chromium/issues/detail?id=138390

1- Access the url and press return

data:text/html,<div draggable="true" ondragstart="var x = event; x.dataTransfer.setData('text', 'http://www.google.com');window.setTimeout(function(){top.alert('Google')},0);"><a href=https://google.com>drop me</a></div>

2- Drag the text to the next tab

3- The alert stays in the domain of google.com

(demo video attachment)

What is the expected behavior?

What went wrong?
Google Chrome 'JavaScript prompt' origin spoofing with drop+drag

Did this work before? N/A

Chrome version: 57.0.2987.133 Channel: stable
OS Version: 6.3
Flash Version: Shockwave Flash 25.0 r0

Attachment: origin_spoofing_with_drop_drag.webm (4.3 MB)
Cc: a...@chromium.org
Components: Blink>WindowDialog
Issue 138390 was "Won't Fixed" due to lack of repro and some question as to whether this would be considered a security vulnerability.

Given the steps in the repro video, it's difficult to see how this would be interesting from a security point-of-view (drag/drop of URLs is an uncommon user interaction), but it may be worth tracking this as a functional bug in the non-modal alert()'s parenting logic.
Labels: -Type-Bug-Security -Restrict-View-SecurityTeam Type-Bug
Status: Available (was: Unconfirmed)
Since this needs a pretty heavy user interaction (drag + drop), I'm going to drop the security restrictions. But this definitely seems like a functional bug in dialogs. avi@, do you have any thoughts?

Comment 3 by a...@chromium.org, Apr 13 2017

Owner: a...@chromium.org
FYI, this is fixed with auto-dismissing dialogs. The change to a new tab and navigation causes the dialog dismissal, which is what we want.

Comment 4 by a...@chromium.org, May 31 2017

Status: Fixed (was: Available)
Given auto-dismissing dialogs are implemented in bug 629964 and enabled permanently now, I'm calling this fixed.
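Comments 3 and 4 describe why auto-dismissing dialogs close this issue: the dialog belongs to the tab that raised it and is dismissed when that tab is left or navigated. The toy model below is an added illustration, not Chromium code; the Tab and DialogManager classes and the replayReport helper are assumptions made for the example, which replays the reported drag-and-drop sequence under the old and the auto-dismissing policy.

```javascript
// Added toy model (not Chromium code) of tab-modal JavaScript dialogs.
// A dialog is owned by the tab that raised it; with auto-dismiss enabled the
// dialog is closed whenever that tab leaves the foreground or navigates, so
// it can never be displayed over a page of a different origin.
class Tab {
  constructor(origin) { this.origin = origin; }
}
class DialogManager {
  // autoDismiss=false models the behaviour reported in this issue,
  // autoDismiss=true the behaviour after auto-dismissing dialogs shipped.
  constructor(autoDismiss) {
    this.autoDismiss = autoDismiss;
    this.activeTab = null;
    this.dialogs = []; // { owner: Tab, message: string }
  }
  openAlert(tab, message) { this.dialogs.push({ owner: tab, message }); }

  activate(tab) {
    // Tab switch: drop every dialog whose owner is no longer in front.
    this.activeTab = tab;
    if (this.autoDismiss) this.dialogs = this.dialogs.filter((d) => d.owner === tab);
  }

  navigate(tab, newOrigin) {
    // Navigation: the document that raised the dialog is gone, so is the dialog.
    tab.origin = newOrigin;
    if (this.autoDismiss) this.dialogs = this.dialogs.filter((d) => d.owner !== tab);
  }

  // Dialogs currently shown while a tab of another origin is in front, i.e.
  // messages the user would wrongly attribute to the foreground page.
  misattributed() {
    return this.dialogs
      .filter((d) => d.owner !== this.activeTab)
      .map((d) => ({ message: d.message, realOrigin: d.owner.origin, shownOver: this.activeTab.origin }));
  }
}

// Replays the reported sequence: a deferred alert() fires in the data: tab,
// then the drop moves focus to the next tab and navigates it to the dropped URL.
function replayReport(autoDismiss) {
  const dm = new DialogManager(autoDismiss);
  const attacker = new Tab("data:");        // tab holding the data:text/html page
  const target = new Tab("about:blank");    // the "next tab" receiving the drop
  dm.activate(attacker);
  dm.openAlert(attacker, "Google");         // top.alert('Google') from the setTimeout
  dm.activate(target);                      // user drags onto the next tab
  dm.navigate(target, "http://www.google.com"); // dropped text is loaded as a URL
  return dm.misattributed();
}
```

With autoDismiss=false the replay returns one dialog whose real origin is data: but which is shown over http://www.google.com; with autoDismiss=true it returns none.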