Issue 721425

Starred by 2 users

Issue metadata

Status: Fixed
Owner:
Closed: Jun 2018
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Mac
Pri: 2
Type: Bug




Malicious sites can prevent tab-switching using alert()

Reported by bradford...@gmail.com, May 11 2017

Issue description

UserAgent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/57.0.2987.133 Safari/537.36

Steps to reproduce the problem:
1. Open a fresh browser, disable extensions, etc.
2. Go to a site with aggressive pop-ups (spam, malware, etc) like http://urlyoutube.com (may take several refreshes) or "http://syscleandeferror.com/windows-alert-error123r321345676543213456432133454665/" (Careful, these are very aggressive sites)

What is the expected behavior?
Since https://bugs.chromium.org/p/chromium/issues/detail?id=456 was "fixed" in M-57, I would expect to be able to click away to other tabs, close the window, etc. Also the "prevent further popups" option is gone.

What went wrong?
I loaded the site, and pop-ups which were not close-able aggressively took over my browser, eventually forcing a kill -9. I was not able to prevent more pop-ups.

Did this work before? Yes M57

Chrome version: 60.0.3096.0  Channel: canary
OS Version: OS X 10.11.5
Flash Version:
 
Attachment: Screen Shot 2017-05-11 at 1.11.46 PM.png (666 KB)

Comment 1 by meh...@chromium.org, May 11 2017

Cc: tapted@chromium.org
Is this a Views issue?

Comment 2 by tapted@chromium.org, May 12 2017

Components: Blink>WindowDialog
Labels: -Type-Bug-Regression M-60 Type-Bug
Owner: a...@chromium.org
Status: Assigned (was: Unconfirmed)
Summary: Malicious sites can prevent tab-switching using alert() (was: Pop-ups Still Modal, No "Prevent Further Pop-ups" dialog)
That's the Cocoa version of the dialog. The views version is used when chrome://flags/#secondary-ui-md is Enabled. But it fares no better wrt the "prevent further popups" - there are ways a site can trick Chrome into not showing that checkbox. (e.g., stuff like triggering in a new iframe each time).

I had no trouble closing the tab by clicking the tab's close button in 60.0.3096.0. This is thanks to avi's work in Issue 629964.

Cmd+w doesn't work for the Cocoa dialog, but it does work when using Views dialogs on Mac. (so does the tab close button).

So, I think these are easy to get rid of by closing the tab.

However the approach here does break the "dismiss dialog on switch away". Whatever http://syscleandeferror.com/windows-alert-error123r321345676543213456432133454665/ is doing, it's effectively making it impossible to switch away from the tab, requiring it to be closed.
Attachment: index.html (12.5 KB)

Comment 3 by a...@chromium.org, May 12 2017

The official answer at this point is to close the tab; any page obnoxious enough to do this should be closed.

This needs to be better, yes. Pages shouldn't be able to activate themselves with dialogs.

I'm working on removing that.
Thanks, we're doing a lot of anti-malware work and stuff like this really helps.

Comment 5 Deleted

Also, windows with malicious pop-ups cannot be closed, through Alt-F4 or Right-clicking the taskbar and clicking "Close".

Comment 7 by a...@chromium.org, Jun 27 2017

Labels: alert-activation

Comment 8 by a...@chromium.org, Jun 8 2018

Status: Fixed (was: Assigned)
This should be fixed.
