XSS Auditor behavior seems non-deterministic when Out-of-Process IFrames are enabled |
|||||||||||
Issue descriptionChrome Version: 59.3069 What steps will reproduce the problem? (0) Enable chrome://flags/#enable-site-per-process and chrome://flags/#enable-top-document-isolation and restart Chrome (1) Visit https://www.bayden.com/test/xss/auditor.asp (2) Click Okay on the alert (3) Click the last button at the bottom of the page. OBSERVE: Perceived XSS blocked. Click the last button on the page again. OBSERVE: Perceived XSS is executed. Expect: XSS Auditor blocks
,
Apr 12 2017
I have trouble reproing this at ToT (at r464162, running with --site-per-process and --top-document-isolation on Linux and building chrome with args.gn: dcheck_always_on = true; is_component_build = true; is_debug = false; use_goma = true; enable_nacl = false). I see an alert ("defaultscript!") in step (2) of the repro steps, but no matter how many times I click on the last button on the page ("POST+QS") in step (3), I don't get another alert and the target frame still displays "Chrome detected unusual code on this page and blocked it to protect your personal information (for example, passwords, phone numbers, and credit cards).".
,
Apr 12 2017
I also couldn't repro on Chrome Canary on Windows: 59.0.3069.0 (Official Build) canary (64-bit) (cohort: 64-Bit).
,
Apr 13 2017
,
Apr 13 2017
Yesterday, I reproduced this on both Mac and Windows. Today, after restarting Chrome on Windows and updating to 59.3070, I don't have a stable repro. Rechecking with Chrome on Mac 59.3069, it still repro'd (video attached in Comment #4) *until* I ran chrome://restart, at which point the problem stopped reproducing. Is it possible that this is somehow related to what frames end up in what process? E.g. if I had some background frame for the target site already open?
,
Apr 13 2017
That's possible, but I'd probably check whether PlzNavigate is enabled first. (It's on at 50% for Canary, IIUC.) You can try --force-fieldtrials to set BrowserSideNavigation to either Control_50 or Enabled_50.
,
Apr 14 2017
I could repro after restarting my Windows Canary today to 59.0.3071.1 I see that I am in the BrowserSideNavigation-Enabled_50 finch trial. Tenatively reassigning to clamy@ based on this.
,
Apr 19 2017
+tsepez@, FYI.
,
Apr 20 2017
,
May 9 2017
Confirmed that the repro is only working with PlzNavigate and OOPIFs at the same time. If only PlzNavigate is enabled, but there are no OOPIFs, the repro does not work.
,
May 10 2017
First thing I would check is in the code path at: https://cs.chromium.org/chromium/src/third_party/WebKit/Source/core/html/parser/XSSAuditor.cpp?rcl=725e93cb9c9bc68ec4589a34cc4209625c72ae1b&l=348 There are a bunch of reasons why the auditor may choose to disable itself. Tracing the flow through here would give a strong clue.
,
May 11 2017
I can reproduce it. Thanks tsepez@ for the hint! Unfortunately, it looks like |is_enabled_| is always true when I click on the button. I will take a look while clamy@ is OOO.
,
May 11 2017
Please forgot what I said about |is_enabled_|. Is is set to false latter in XSSAuditor::SetEncoding() when PlzNavigate and OOPIF are enabled.
,
May 12 2017
I found the issue. When the form target a remote frame, it calls OpenURL. Unfortunately, it looks like form submission for this case is not implemented with PlzNavigate. * RenderFrameProxyHost::OnOpenURL * RenderFrameHostManager::OnCrossSiteResponse * NavigatorImpl::RequestTransferURL * NavigatorImpl::NavigateToEntry <-- post_body present * NavigatorImpl::RequestNavigation <-- post_body absent I am writing the fix.
,
May 17 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/bc5732b54102e0c89f3098e03ddb865636d5a8bd commit bc5732b54102e0c89f3098e03ddb865636d5a8bd Author: arthursonzogni <arthursonzogni@chromium.org> Date: Wed May 17 03:37:28 2017 PlzNavigate: Fix form submission to OOPIF frame. When a renderer-initiated form-submission targets an OOPIF iframe, the navigation uses the OpenURL path. Renderer-initiated form-submission was not implemented here with PlzNavigate. This CL makes it work. As a consequence, it fixes the XSS Auditor issue ( https://crbug.com/710937 ). BUG= 710937 CQ_INCLUDE_TRYBOTS=master.tryserver.chromium.linux:linux_site_isolation;master.tryserver.chromium.linux:linux_site_isolation,linux_chromium_browser_side_navigation_rel Review-Url: https://codereview.chromium.org/2879853002 Cr-Commit-Position: refs/heads/master@{#472306} [modify] https://crrev.com/bc5732b54102e0c89f3098e03ddb865636d5a8bd/content/browser/frame_host/navigation_request.cc [modify] https://crrev.com/bc5732b54102e0c89f3098e03ddb865636d5a8bd/content/browser/frame_host/navigation_request.h [modify] https://crrev.com/bc5732b54102e0c89f3098e03ddb865636d5a8bd/content/browser/frame_host/navigator_impl.cc [modify] https://crrev.com/bc5732b54102e0c89f3098e03ddb865636d5a8bd/content/browser/frame_host/navigator_impl.h [modify] https://crrev.com/bc5732b54102e0c89f3098e03ddb865636d5a8bd/content/browser/frame_host/render_frame_host_manager_unittest.cc [modify] https://crrev.com/bc5732b54102e0c89f3098e03ddb865636d5a8bd/content/browser/site_per_process_browsertest.cc [modify] https://crrev.com/bc5732b54102e0c89f3098e03ddb865636d5a8bd/content/test/data/frame_tree/page_with_one_frame.html
,
May 17 2017
|
|||||||||||
►
Sign in to add a comment |
|||||||||||
Comment 1 by creis@chromium.org
, Apr 12 2017