URL Bar Spoofing via SELECT
Reported by jm.acun...@gmail.com, Apr 19 2017
Issue description

UserAgent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/57.0.2987.133 Safari/537.36

Steps to reproduce the problem:
1. Go to http://createcharts.esy.es/spoof-option.html
2. Press the button

What is the expected behavior?

What went wrong?
The spoof is not perfect (the secure protocol lock is missing) but I do not understand why Google Chrome allows this type of positioning in the select element and other browsers do not.

Did this work before? N/A

Chrome version: 57.0.2987.133
Channel: stable
OS Version: 6.3
Flash Version:
Apr 19 2017
Exactly, it is identical to Issue 670265.

1) I agree with "tkent@chromium.org":

I don't think this behavior has security risk.
- It's impossible for SELECT popups to emulate the appearance of the URL bar.
- It's impossible to remove SELECT popup border.
- It's impossible to change delimiter style in SELECT popups.
- Even if a user trusts the spoofed URL, a malicious site can do almost nothing while a SELECT popup is opening. For example, if a malicious site shows amazon.com in the URL bar, the site can't show amazon.com-like content because it makes SELECT popup more visible. Also, a SELECT popup is closed when a user interacts with the site.

2) But I also think the same as "habte.yi...@gmail.com": This does NOT work in other browsers.

3) I agree that it is not a security bug but this behavior in Chrome is a bit confusing.

Thanks!
Apr 20 2017
Jul 28 2017
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by elawrence@chromium.org, Apr 19 2017