Chrome allows you to insert html code into windows with about:blank protocol
Reported by
jm.acun...@gmail.com,
May 3 2017
Issue description

UserAgent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.81 Safari/537.36

Example URL:

Steps to reproduce the problem:
1- go to http://createcharts.esy.es/about-blank.html
2- click button Test

What is the expected behavior?

What went wrong?
Chrome allows you to insert html code into windows with about:blank protocol

Does it occur on multiple sites: N/A
Is it a problem with a plugin? N/A
Did this work before? N/A
Does this work in other browsers? N/A

Chrome version: 58.0.3029.81 Channel: n/a
OS Version: 6.3
Flash Version:
,
May 3 2017
,
May 4 2017
Tested the issue on Windows 7 using M58 #58.0.3029.81 and #58.0.3029.96 and #60.0.3088.3 and followed the steps below:

1. Launched Chrome and navigated to "http://createcharts.esy.es/about-blank.html" and clicked on test
2. Observed that the page redirected to the chrome downloads page with about:blank url.

Attached screencast for reference.

@jm.acuna73-- Could you please check the attached screencast and confirm whether we have missed any steps in reproducing the issue, and please provide us the expected and actual issue screenshots for better triaging.

Thanks!
,
May 4 2017
Standardization: in 2010, and onwards, there are efforts to standardize the about URI scheme, and define the processing requirements for some specific URIs, in the IETF Applications Area Working Group (APPSAWG)

URI -> about:blank
Purpose -> Returns a blank HTML document with the media type text/html and character encoding UTF-8
(https://en.wikipedia.org/wiki/About_URI_scheme)

A more basic example:

```html
<script>
function go(){
  // Open a new window on about:blank from this page
  var win = open('about:blank','_blank');
  // Write markup into the new window's document from the opener
  win.document.open();
  win.document.write('<h1>test</h1>');
  win.document.close();
}
</script>
<input type="button" onclick="go()" value="test"/>
```

Testing in Mozilla Firefox, I think it has a correct browsing behavior.
,
May 4 2017
Thank you for providing more feedback. Adding requester "hdodda@chromium.org" to the cc list and removing "Needs-Feedback" label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
May 4 2017
Go to http://createcharts.esy.es/about-blank-basic.html (please try Mozilla Firefox and Google Chrome to see the differences)
,
May 5 2017
Able to reproduce this issue on Mac 10.12.4, Win-10 and Ubuntu 14.04 using chrome reported version #58.0.3029.81 and latest canary #60.0.3089.0. This is a non-regression issue as it is observed from M30 old builds. Hence, marking it as untriaged to get more inputs from dev team. Thanks...!!
,
May 5 2017
,
May 18 2017
,
May 18 2017
It's an expected feature of the web platform that a window navigated to about:blank can be written into by the context that opened it. There's discussion about whether or not the omnibox should display something more informative in this case (e.g. "about:blank under the control of whatever.com") but the issue described here is absolutely by design.
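Added example, not part of the original thread and not Chrome's code: a simplified model of the rule the last comment describes, in which an about:blank window takes the origin of the window that created it, so the opener passes the same-origin check and an unrelated site does not. The window objects, function names and `.example` hostnames are assumptions made for illustration.

```javascript
// Simplified model (assumption): a window is { url, creator }, where creator
// is the window whose script opened it, or null if the user navigated there.

// Origin used for same-origin checks. about:blank has no origin of its own,
// so it inherits the origin of the window that created it.
function effectiveOrigin(win) {
  if (win.url === 'about:blank') {
    // No creator (e.g. typed into the address bar): opaque origin, shown as null.
    return win.creator ? effectiveOrigin(win.creator) : null;
  }
  return new URL(win.url).origin;
}

// Same-origin gate in front of target.document (document.write included).
function canWriteInto(accessor, target) {
  const a = effectiveOrigin(accessor);
  const t = effectiveOrigin(target);
  return a !== null && a === t;
}

// Label in the style floated in the thread for the omnibox.
function omniboxLabel(win) {
  if (win.url !== 'about:blank') return win.url;
  const origin = effectiveOrigin(win);
  return origin === null
    ? 'about:blank'
    : `about:blank under the control of ${new URL(origin).host}`;
}

// Constructed sample windows; hostnames are placeholders.
const opener = { url: 'https://whatever.example/page.html', creator: null };
const popup = { url: 'about:blank', creator: opener }; // open('about:blank','_blank')
const other = { url: 'https://other.example/', creator: null };
const typed = { url: 'about:blank', creator: null };   // user-entered about:blank

console.log('opener -> popup:', canWriteInto(opener, popup));
console.log('other  -> popup:', canWriteInto(other, popup));
console.log('popup label    :', omniboxLabel(popup));
console.log('typed label    :', omniboxLabel(typed));
```

The label function shows the practical takeaway: the content in such a window should be attributed to the controlling origin, not to the literal about:blank text in the address bar.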
Comment 1 by jm.acun...@gmail.com, May 3 2017