Security: Field validation bubbles can appear over the wrong tab with using print()
Reported by chromium...@gmail.com, Apr 24 2017
Issue description

VERSION
Chrome Version: Canary 60.0.3079.0
Operating System: Windows 7

I've got another way to bypass the fix in bug 713686 (thankful) to make field validation bubbles appear over the wrong tab.

1. Open the test case.
2. Try to print the page via CTRL+P or ....
3. Observe.
Apr 25 2017
I think I assigned medium to issue 713686 based on https://crbug.com/673163#c19. It sounds reasonable to me given it's a variant of the "A bug that allows web content to tamper with trusted browser UI (550047)" entry in the severity guidelines (except instead of trusted UI this is another tab). Also, it feels worse than low severity to be able to tamper with another tab.
Apr 25 2017
While the effect is similar, requiring the potential victim to manually print the page is a significant mitigating factor. I'm not able to repro it to test it out, but is there any way this could still be exploitable using print()? As-is I'd lean toward low severity here since the scope is fairly limited and it seems heavily mitigated, but I'll let someone else decide.
Apr 25 2017
I don't see how the attacker can tamper with the DOM of another origin, or read information from another origin. Can they? Or is this just an annoyance in that browser chrome (outside the reach of any origin) goes wrong?
Apr 26 2017
They can't tamper with or read the DOM, but they are effectively controlling another tab's view area. As a hypothetical attack, evil.com can open an OAuth page and display a "You should click accept" dialog on that tab, which would be bad. Whether it's medium-bad or low-bad is debatable, but I don't think it's simply a functional bug.
Apr 26 2017
As per discussion above, I'm assigning Low severity here. Please feel free to change if you disagree. Btw, good job on bypassing the fix from issue 713686!
Apr 26 2017
Shouldn't this be Medium severity here, as in issue 713686?
Apr 26 2017
chromium.khalil@, would you mind suggesting a real attack scenario for this bug? I believe that it might help to adjust the severity properly. As for now, it feels like this requires an interaction from victim + some kind of social engineering. But we are open for discussion if you have anything to add. Severity Guidelines for Security Issues: https://www.chromium.org/developers/severity-guidelines
Apr 26 2017
Your explanation sounds reasonable. Thanks!
Apr 28 2017
Oh, the fix for Issue 713686 was incomplete.
Apr 28 2017
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/93c0e26115af080b07623c0588c6ba1cfa5a552a

commit 93c0e26115af080b07623c0588c6ba1cfa5a552a
Author: tkent <tkent@chromium.org>
Date: Fri Apr 28 09:18:45 2017

Form validation: Do not show validation bubble during printing.

It was possible to show it in media query listener.

BUG= 714849
Review-Url: https://codereview.chromium.org/2845273002
Cr-Commit-Position: refs/heads/master@{#467941}

[modify] https://crrev.com/93c0e26115af080b07623c0588c6ba1cfa5a552a/third_party/WebKit/Source/core/html/HTMLFormControlElement.cpp
[modify] https://crrev.com/93c0e26115af080b07623c0588c6ba1cfa5a552a/third_party/WebKit/Source/core/html/HTMLFormControlElementTest.cpp
Apr 30 2017
Your change meets the bar and is auto-approved for M59. Please go ahead and merge the CL to branch 3071 manually. Please contact milestone owner if you have questions. Owners: amineer@(Android), cmasso@(iOS), gkihumba@(ChromeOS), Abdul Syed@(Desktop) For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Apr 30 2017
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/b718c53d32327ae11eb8bad92c2cd1c66bdfcb5a

commit b718c53d32327ae11eb8bad92c2cd1c66bdfcb5a
Author: Kent Tamura <tkent@chromium.org>
Date: Sun Apr 30 23:42:18 2017

Merge "Form validation: Do not show validation bubble during printing." to M59.

It was possible to show it in media query listener.

BUG= 714849
Review-Url: https://codereview.chromium.org/2845273002
Cr-Commit-Position: refs/heads/master@{#467941}
(cherry picked from commit 93c0e26115af080b07623c0588c6ba1cfa5a552a)
Review-Url: https://codereview.chromium.org/2851123002 .
Cr-Commit-Position: refs/branch-heads/3071@{#312}
Cr-Branched-From: a106f0abbf69dad349d4aaf4bcc4f5d376dd2377-refs/heads/master@{#464641}

[modify] https://crrev.com/b718c53d32327ae11eb8bad92c2cd1c66bdfcb5a/third_party/WebKit/Source/core/html/HTMLFormControlElement.cpp
[modify] https://crrev.com/b718c53d32327ae11eb8bad92c2cd1c66bdfcb5a/third_party/WebKit/Source/core/html/HTMLFormControlElementTest.cpp
May 1 2017
Issue 717101 has been merged into this issue.
May 1 2017
keishi, can you please investigate in tkent's absence? Thanks. It looks like the fix was incomplete (see Issue 717101). Thank you!
May 2 2017
Please mark security bugs as fixed as soon as the fix lands, and before requesting merges. This update is based on the merge- labels applied to this issue. Please reopen if this update was incorrect. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
May 8 2017
Since I can't repro issue 717101 with the testcase from above in c#0, I don't think it is worth merging into this bug.
May 8 2017
tkent@, I added you to Issue 717101.
May 8 2017
Ok, I realized r467941 was not the right fix. A fix for Issue 717101 will revert r467941 and add different logic.
May 9 2017
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/c55169a7c2279f0f30e15bbca66678f48e7df106

commit c55169a7c2279f0f30e15bbca66678f48e7df106
Author: tkent <tkent@chromium.org>
Date: Tue May 09 05:09:49 2017

Forms: Validation Message bubble should not open during print().

r467941 was a wrong approach because ShouldUsePrintingLayout() returns false before closing print-preview dialog. We should check Page::Suspended() instead.

BUG= 714849
Review-Url: https://codereview.chromium.org/2866193002
Cr-Commit-Position: refs/heads/master@{#470230}

[modify] https://crrev.com/c55169a7c2279f0f30e15bbca66678f48e7df106/third_party/WebKit/Source/core/html/HTMLFormControlElement.cpp
[modify] https://crrev.com/c55169a7c2279f0f30e15bbca66678f48e7df106/third_party/WebKit/Source/core/html/HTMLFormControlElementTest.cpp
May 9 2017
Fixed on 60.0.3095.0 (Developer Build).
May 10 2017
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/4ed8907fbd46912db1da904b79bf26ccd41ac1e9

commit 4ed8907fbd46912db1da904b79bf26ccd41ac1e9
Author: Kent Tamura <tkent@chromium.org>
Date: Wed May 10 23:53:17 2017

Merge "Forms: Validation Message bubble should not open during print()." to M59.

r467941 was a wrong approach because ShouldUsePrintingLayout() returns false before closing print-preview dialog. We should check Page::Suspended() instead.

BUG= 714849
Review-Url: https://codereview.chromium.org/2866193002
Cr-Original-Commit-Position: refs/heads/master@{#470230}
Review-Url: https://codereview.chromium.org/2878463004 .
Cr-Commit-Position: refs/branch-heads/3071@{#504}
Cr-Branched-From: a106f0abbf69dad349d4aaf4bcc4f5d376dd2377-refs/heads/master@{#464641}

[modify] https://crrev.com/4ed8907fbd46912db1da904b79bf26ccd41ac1e9/third_party/WebKit/Source/core/html/HTMLFormControlElement.cpp
[modify] https://crrev.com/4ed8907fbd46912db1da904b79bf26ccd41ac1e9/third_party/WebKit/Source/core/html/HTMLFormControlElementTest.cpp
May 15 2017
I'm afraid the panel decided to award for this report, but thanks as ever!
Aug 17 2017
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by palmer@chromium.org, Apr 25 2017
Components: Blink>Forms>Validation
Labels: M-59 Security_Impact-Stable OS-All Pri-1
Owner: tkent@chromium.org
Status: Assigned (was: Unconfirmed)