Issue 730638

Issue metadata

Status: Duplicate
Merged: issue 702945
Closed: Jun 2017
OS: Windows
Pri: 2
Type: Bug-Security

Spoofing: alert dialog during load is shown before prior markup is hidden

Reported by jm.acun...@gmail.com, Jun 7 2017

Issue description

UserAgent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.86 Safari/537.36

Steps to reproduce the problem:
It occurs on websites that execute a native modal dialog (alert, prompt, confirm) on page load.

1. Go to: http://createcharts.esy.es/spoof-content-domain.html
2. Click on the button.

Tested on Google Chrome Version 59.0.3071.86 (Official Build) (64-bit)

What is the expected behavior?

What went wrong?
Navigation should be direct to destination domain

Did this work before? N/A

Chrome version: 59.0.3071.86 Channel: stable
OS Version: 6.3
Flash Version:

Attachment: spoof-content-domain.webm (4.6 MB)
Components: UI>Browser>Navigation Blink>WindowDialog
So the issue here is that the page content is not refreshed until four seconds after the address box URL changes and the alert dialog box is shown, is that right?
I think this issue is what is described in passing in https://bugs.chromium.org/p/chromium/issues/detail?id=702945#c8
It's true that it redirects to the landing page after 4 or 5 seconds.
But it does not happen in Mozilla Firefox or Google Chrome Canary.
Not particularly serious but a little confusing.
Status: Untriaged (was: Unconfirmed)
Summary: Spoofing: alert dialog during load is shown before prior markup is hidden (was: It is possible to display false content in another domain.)

Comment 7 by creis@chromium.org, Jun 7 2017

Cc: kenrb@chromium.org lukasza@chromium.org creis@chromium.org
Mergedinto: 702945
Status: Duplicate (was: Untriaged)
Comment 2: Yes, this is a duplicate of issue 702945.

A few other observations:

1) The fact that it blanks after 4 seconds is related to kenrb's paint timer which resets the last painted image if the committed page hasn't shown anything yet.  This is a compromise between showing as few white flashes as possible when navigating and avoiding a spoof where an old page's content shows under an unresponsive new URL.

2) This does repro on Canary (Windows, 61.0.3122.0), but only if the TopDocumentIsolation field trial is disabled. That's currently on for 50% of users. (I imagine there might be some out-of-process iframe bug related to the hidden Google Docs Drawing iframe on the repro page.)

3) As written, the repro requires you to be signed into Google.

I've attached the repro in case the original URL stops working at some point.
Attachment: spoof-content-domain.html (634 bytes)
@creis Thanks for the clarifications.

Comment 9 by tsepez@chromium.org, Aug 10 2017

Issue 754235 has been merged into this issue.

Comment 10 by sheriffbot@chromium.org, Sep 14 2017

Labels: -Restrict-View-SecurityTeam allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot