Project: chromium Issues People Development process History Sign in
New issue
Advanced search Search tips
Starred by 2 users
Status: Fixed
Owner:
Closed: Apr 23
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: All
Pri: 1
Type: Bug-Security



Sign in to add a comment
Security: Field validation bubbles can appear over the wrong tab
Reported by chromium...@gmail.com, Apr 20 Back to list
VERSION
Chrome Version: Canary 60.0.3076.0
Operating System: Windows 7

REPRODUCTION CASE
1. Open testcase.html.
2. Click on the button and observe.

From  bug 673163  and  bug 704560 .
 
screenshot.png
154 KB View Download
testcase.html
3.4 KB View Download
Components: Blink>Forms>Validation
Status: Untriaged
Confirmed.
 Issue 713477  has been merged into this issue.
Labels: Security_Severity-Medium Security_Impact-Head OS-All
Owner: tkent@chromium.org
Status: Assigned
tkent: Can you please take a look?
Cc: keishi@chromium.org
Status: Started
Oh, print()! interesting.


Project Member Comment 5 by bugdroid1@chromium.org, Apr 21
The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/9dbd356b0cc52911caef089b09de63572cd9e39f

commit 9dbd356b0cc52911caef089b09de63572cd9e39f
Author: tkent <tkent@chromium.org>
Date: Fri Apr 21 06:38:15 2017

window.print() should close form validation bubble.

Usually, window.open() deactivates the origin window and validation bubble on the
origin window is closed. However, if window.print() is executed, it suspends message
loop of the window, and deactivation isn't noticed until print dialog is closed.
So, we need to close validation popup explicitly for window.print().

BUG= 713686 

Review-Url: https://codereview.chromium.org/2834783002
Cr-Commit-Position: refs/heads/master@{#466273}

[modify] https://crrev.com/9dbd356b0cc52911caef089b09de63572cd9e39f/third_party/WebKit/Source/web/ChromeClientImpl.cpp
[modify] https://crrev.com/9dbd356b0cc52911caef089b09de63572cd9e39f/third_party/WebKit/Source/web/ChromeClientImpl.h
[modify] https://crrev.com/9dbd356b0cc52911caef089b09de63572cd9e39f/third_party/WebKit/Source/web/ValidationMessageClientImpl.cpp
[modify] https://crrev.com/9dbd356b0cc52911caef089b09de63572cd9e39f/third_party/WebKit/Source/web/ValidationMessageClientImpl.h

Project Member Comment 6 by sheriffbot@chromium.org, Apr 21
Labels: M-59
Project Member Comment 7 by sheriffbot@chromium.org, Apr 21
Labels: ReleaseBlock-Beta
This issue is a security regression. If you are not able to fix this quickly, please revert the change that introduced it.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Project Member Comment 8 by sheriffbot@chromium.org, Apr 21
Labels: Pri-1
Verified on 60.0.3078.0. Thanks for the quick fix!
Project Member Comment 10 by sheriffbot@chromium.org, Apr 22
Labels: -Security_Impact-Head Security_Impact-Beta
Labels: -ReleaseBlock-Beta -Security_Impact-Beta -M-59 Security_Impact-Stable Merge-Request-58 Merge-Request-59
Status: Fixed
This affects 58 stable.

Project Member Comment 12 by sheriffbot@chromium.org, Apr 23
Labels: -Merge-Request-59 Hotlist-Merge-Approved Merge-Approved-59
Your change meets the bar and is auto-approved for M59. Please go ahead and merge the CL to branch 3071 manually. Please contact milestone owner if you have questions.
Owners: amineer@(Android), cmasso@(iOS), gkihumba@(ChromeOS), Abdul Syed@(Desktop)

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Project Member Comment 13 by sheriffbot@chromium.org, Apr 23
Labels: -Merge-Request-58 Merge-Review-58 Hotlist-Merge-Review
This bug requires manual review: We are only 1 days from stable.
Please contact the milestone owner if you have questions.
Owners: amineer@(Android), cmasso@(iOS), bhthompson@(ChromeOS), govind@(Desktop)

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Project Member Comment 14 by sheriffbot@chromium.org, Apr 23
Labels: -Merge-Request-59 Hotlist-Merge-Approved Merge-Approved-59
Your change meets the bar and is auto-approved for M59. Please go ahead and merge the CL to branch 3071 manually. Please contact milestone owner if you have questions.
Owners: amineer@(Android), cmasso@(iOS), gkihumba@(ChromeOS), Abdul Syed@(Desktop)

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 15 Deleted
+awhalley@ for M58 merge review. Please note M58 is already in Stable and bar is VERY high to take any merges in for future stable refresh if any.
Please merge your change to M59 branch #3071 latest before 4:00 PM PT, Monday (04/24) so we can take it for next week last M59 dev release. Thank you.
Project Member Comment 18 by bugdroid1@chromium.org, Apr 24
Labels: -merge-approved-59 merge-merged-3071
The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/31455b249cf2737bf96ab751252b84e8c85b3804

commit 31455b249cf2737bf96ab751252b84e8c85b3804
Author: Kent Tamura <tkent@chromium.org>
Date: Mon Apr 24 00:59:15 2017

Merge "window.print() should close form validation bubble." to M59

Usually, window.open() deactivates the origin window and validation bubble on the
origin window is closed. However, if window.print() is executed, it suspends message
loop of the window, and deactivation isn't noticed until print dialog is closed.
So, we need to close validation popup explicitly for window.print().

BUG= 713686 

Review-Url: https://codereview.chromium.org/2834783002
Cr-Commit-Position: refs/heads/master@{#466273}
(cherry picked from commit 9dbd356b0cc52911caef089b09de63572cd9e39f)

Review-Url: https://codereview.chromium.org/2833303002 .
Cr-Commit-Position: refs/branch-heads/3071@{#151}
Cr-Branched-From: a106f0abbf69dad349d4aaf4bcc4f5d376dd2377-refs/heads/master@{#464641}

[modify] https://crrev.com/31455b249cf2737bf96ab751252b84e8c85b3804/third_party/WebKit/Source/web/ChromeClientImpl.cpp
[modify] https://crrev.com/31455b249cf2737bf96ab751252b84e8c85b3804/third_party/WebKit/Source/web/ChromeClientImpl.h
[modify] https://crrev.com/31455b249cf2737bf96ab751252b84e8c85b3804/third_party/WebKit/Source/web/ValidationMessageClientImpl.cpp
[modify] https://crrev.com/31455b249cf2737bf96ab751252b84e8c85b3804/third_party/WebKit/Source/web/ValidationMessageClientImpl.h

Project Member Comment 19 by sheriffbot@chromium.org, Apr 24
Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify
Labels: -Merge-Review-58 Merge-Reject-58
No need to rush this into a 58 stable update.
Labels: -Merge-Reject-58 Merge-Rejected-58
Applying "Merge-Rejected-58" label per comment #20.
Labels: reward-topanel
Labels: -reward-topanel reward-unpaid reward-500
The panel decided to award $500 for this bug.  Thanks as ever!
Labels: -reward-unpaid reward-inprocess
Labels: M-59
Labels: -Hotlist-Merge-Review -Hotlist-Merge-Approved
Labels: Release-0-M59
Labels: CVE-2017-5079
Project Member Comment 30 by sheriffbot@chromium.org, Jul 31
Labels: -Restrict-View-SecurityNotify allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Sign in to add a comment