Issue 716415

Starred by 2 users

Issue metadata

Status: WontFix
Owner:
Closed: May 2017
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: All
Pri: 2
Type: Bug-Security


Redirect to data URL is still allowed using meta refresh

Reported by s.h.h.n....@gmail.com, Apr 28 2017

Issue description

UserAgent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.81 Safari/537.36

Steps to reproduce the problem:
1. Go to https://test.shhnjk.com/meta.php?url=data:text/html,<script>alert(1)</script>
2. A dialog pops up with the data URL on the top document.

What is the expected behavior?
As shown below, redirection to a data URL on the top document is prevented, due to the increase in phishing attacks using data URLs.

https://test.shhnjk.com/location.php?url=data:text/html,<script>alert(1)</script>

What went wrong?
meta refresh was not considered?
https://test.shhnjk.com/meta.php?url=data:text/html,<script>alert(1)</script>

Did this work before? N/A

Chrome version: 58.0.3029.81  Channel: stable
OS Version: OS X 10.12.4
Flash Version:
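As an added illustration (not code from the report or from Chromium), a small Python scanner for the pattern this report describes: a meta refresh whose target is a data: URL, the navigation Chrome 60+ refuses for the top frame. The sample page is constructed, and the refresh-value parsing follows the lenient forms browsers accept.

```python
# Added example: flag <meta http-equiv="refresh"> targets that are data: URLs,
# the redirect this report shows slipping past the location-based block.
from html.parser import HTMLParser
from typing import List, Optional

# Constructed sample of the shape the reporter's meta.php presumably serves
# (assumption; the real page content is not in the report).
SAMPLE_HTML = """<html><head>
<meta http-equiv="refresh" content="0; url=data:text/html,constructed-sample">
</head><body>redirecting...</body></html>"""

def parse_refresh_target(content: str) -> Optional[str]:
    """URL named in a refresh 'content' value, or None for a plain timed reload.
    Accepts the lenient '<seconds>[;|,] [url=]<url>' forms, URL optionally quoted."""
    rest = content.strip().lstrip("0123456789.").lstrip()  # skip the delay
    if rest[:1] in (";", ","):
        rest = rest[1:].lstrip()
    if rest[:3].lower() == "url":
        after = rest[3:].lstrip()
        if after.startswith("="):
            rest = after[1:].lstrip()
    if rest[:1] in ("'", '"'):  # quoted URL: take up to the closing quote
        end = rest.find(rest[0], 1)
        rest = rest[1:end] if end != -1 else rest[1:]
    return rest.strip() or None

class _MetaRefreshCollector(HTMLParser):
    """Collects the target of every <meta http-equiv="refresh"> in a document."""
    def __init__(self) -> None:
        super().__init__()
        self.targets: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag != "meta":
            return
        a = {k.lower(): (v or "") for k, v in attrs}  # attr names already lowercased
        if a.get("http-equiv", "").strip().lower() != "refresh":
            return
        target = parse_refresh_target(a.get("content", ""))
        if target is not None:
            self.targets.append(target)

def data_url_refresh_targets(html: str) -> List[str]:
    """Meta-refresh targets with a data: scheme, the navigations Chrome 60+
    refuses with 'Not allowed to navigate top frame to data URL'."""
    p = _MetaRefreshCollector()
    p.feed(html); p.close()
    return [t for t in p.targets if t.lstrip().lower().startswith("data:")]
```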
 
Components: UI>Browser>Navigation
Owner: mea...@chromium.org
The change blocking redirection may have landed later. In Chrome 60.3082, the repro above does not navigate and the console contains 

"Not allowed to navigate top frame to data URL: data:text/html,<script>alert(1)</script>"
oh, okay. I thought this already landed as https://bugs.chromium.org/p/chromium/issues/detail?id=594215 says FIXED.

But you are right, because simple script navigation is not blocked either.
Yeah, it's a bit tricky.

git find-releases ba52f56207a4b9d70b34880fbff2352e71a06422
commit ba52f56207a4b9d70b34880fbff2352e71a06422 was:
  initially in 60.0.3079.0

Comment 4 by palmer@chromium.org, Apr 28 2017

Labels: -OS-Mac OS-All
Status: Assigned (was: Unconfirmed)
Assigning to meacer to possibly close.

Comment 5 by mea...@chromium.org, Apr 28 2017

Cc: nasko@chromium.org
AFAIR, redirects to data URLs should be blocked even before my change (+nasko to confirm). For example, bug 471713 explicitly disallows them. It's probably moot now that bug 594215 disables them once and for all, but there might have been a proper regression of blocking redirects to data URLs before M60.
Labels: Security_Severity-Low Security_Impact-Stable

Comment 7 by palmer@google.com, May 3 2017

Status: WontFix (was: Assigned)
According to meacer, this issue is indeed moot now.

Comment 8 by sheriffbot@chromium.org, Aug 10 2017

Labels: -Restrict-View-SecurityTeam allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
