
Issue 719295 link

Starred by 1 user

Issue metadata

Status: Duplicate
Merged: issue 718946
Owner: ----
Closed: May 2017
Components:
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: 1
Type: Bug-Security
Team-Security-UX




Security: Address bar spoofing via window.open()

Reported by chromium...@gmail.com, May 8 2017

Issue description

VERSION
Chrome Version: 60.0.3091.0 canary
Operating System: Windows 7

REPRODUCTION CASE
1. Visit http://jsbin.com/dogakinegi
2. Click on 'Click here' button
3. Observe

 
Note: I don't repro this on stable, only on Dev and Canary (didn't check on beta yet).

Comment 2 Deleted

Minimized testcase:

w = window.open('https://www.google.com/csi');
w.document.write('This is fake!');


Components: UI>Browser>Omnibox UI>Browser>Omnibox>SecurityIndicators
Labels: Security_Severity-Medium Pri-1
Status: Available (was: Unconfirmed)
This is at least severity medium, and possibly high depending on whether we consider the spoof compelling (e.g. no lock, etc).
Attachment: FakedAddress.png (6.4 KB)
Trying the minimized case locally (as in comment #3) seems to show "about:blank" in the omnibox, as expected. 

This may be fallout from PlzNavigate or OOPIF experiments?
Initial attempt to bisect yields no obvious culprits:

You are probably looking for a change made after 465478 (known good), but no later than 465485 (first known bad).
CHANGELOG URL:
  https://chromium.googlesource.com/chromium/src/+log/b1acf5794d7c39d91a104571216213ab5841b93b..b8d842d9a8a6d837901ce9ef4629c6ebdaef5694
Hmm. The internal bisect script points to a V8 roll which seems... surprising.

You are probably looking for a change made after 465483 (known good), but no later than 465484 (first known bad).
  https://chromium.googlesource.com/chromium/src/+log/0f47d06919be1dfd8a307f2dca899612dcb68f9a..8267f48654eb20e9d6453b53f2da310953d244f1
https://chromium.googlesource.com/v8/v8/+/cd76322817760cd1c1d7538f51f1907df7b6cde3 which was only one of two checkins in that v8 roll looks a bit suspicious.
I don't repro this locally, still looks bad. Also, I can spoof with e.g:

w = window.open('http://xn----zmcjivgk7jmdb3e.xn--mgberp4a5d4ar/');
w.document.write('This is fake!');

And also:

w = window.open('https://gmail.com:91');
w.document.write('This is fake!');
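
The three testcases above all follow the same sequence: window.open() starts a navigation to the victim URL, and while that navigation is still pending the opener writes into the popup's initial about:blank document (which is same-origin with the opener and therefore scriptable). Whether the user is fooled depends on which URL the address bar chooses to display in that state. The following is an added model written for this page, not Chromium's implementation; PopupTab, displayedUrlNaive, displayedUrlSafe and the opener origin https://attacker.example are constructed names used only for illustration. It replays the testcase URLs against a naive "always show the pending URL" policy and against a policy that falls back to the committed URL once the initial document has been modified, which matches the about:blank behaviour the thread describes as expected.

```javascript
// Model of address-bar URL selection for a popup opened with window.open().
// Constructed example for illustration; NOT Chromium's code. The class and
// method names below are assumptions, not browser APIs.

class PopupTab {
  constructor(openerOrigin) {
    // The popup starts with the initial empty document, which is same-origin
    // with the opener, so the opener may script it (w.document.write(...)).
    this.openerOrigin = openerOrigin;
    this.committedUrl = 'about:blank';
    this.pendingUrl = null;            // URL passed to window.open(), not yet committed
    this.initialDocumentModified = false;
    this.visibleHtml = null;
  }

  // window.open(url): a navigation is started but nothing has been committed;
  // the user is still looking at the initial about:blank document.
  startNavigation(url) {
    this.pendingUrl = url;
  }

  // Opener calls w.document.write(html) while the navigation is pending.
  // The content now on screen is attacker-controlled.
  openerWrites(html) {
    if (this.committedUrl !== 'about:blank') {
      throw new Error('cross-origin document: opener cannot script it');
    }
    this.initialDocumentModified = true;
    this.visibleHtml = html;
  }

  // The response for the pending navigation arrived and the new document
  // replaced the initial one. For a URL like https://gmail.com:91 (a port
  // that does not answer) or a deliberately slow server this may never happen,
  // so the "pending" state can persist for as long as the attacker wants.
  commitNavigation() {
    this.committedUrl = this.pendingUrl;
    this.pendingUrl = null;
    this.initialDocumentModified = false;
    this.visibleHtml = null;
  }

  // Vulnerable policy: always prefer the pending URL.
  displayedUrlNaive() {
    return this.pendingUrl !== null ? this.pendingUrl : this.committedUrl;
  }

  // Safer policy: show the pending URL only while the visible document is the
  // untouched initial about:blank; once the opener has written into it, show
  // the committed URL so the omnibox matches what the user is actually seeing.
  displayedUrlSafe() {
    if (this.pendingUrl !== null && !this.initialDocumentModified) {
      return this.pendingUrl;
    }
    return this.committedUrl;
  }
}

// Replays the sequence from the minimized testcase against both policies.
function spoofAttempt(targetUrl, fakeHtml) {
  const w = new PopupTab('https://attacker.example'); // constructed opener origin
  w.startNavigation(targetUrl);
  w.openerWrites(fakeHtml);
  return {
    naive: w.displayedUrlNaive(),
    safe: w.displayedUrlSafe(),
    visibleHtml: w.visibleHtml,
  };
}

// The three target URLs used in this thread.
const SPOOF_URLS = [
  'https://www.google.com/csi',
  'http://xn----zmcjivgk7jmdb3e.xn--mgberp4a5d4ar/',
  'https://gmail.com:91',
];

for (const url of SPOOF_URLS) {
  const r = spoofAttempt(url, 'This is fake!');
  console.log(`${url}\n  naive omnibox: ${r.naive}\n  safe omnibox:  ${r.safe}`);
}
```

The point the model makes explicit is that the omnibox is a security indicator for the committed document, not for a request that may never finish; any policy that lets a never-completing navigation keep a victim URL on screen while the opener controls the page body is the spoof, regardless of which component (PlzNavigate, OOPIF, a V8 roll) happened to expose it.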

Mergedinto: 718946
Status: Duplicate (was: Available)
This looks like bug 718946

Comment 11 by sheriffbot@chromium.org, Aug 19 2017

Labels: -Restrict-View-SecurityTeam allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
