New issue
Advanced search Search tips

Issue 747505 link

Starred by 1 user
Status: WontFix
Owner:
a...@chromium.org
Closed: Jul 2017
Cc:
kerrnel@chromium.org
Components:
EstimatedDays: ----
NextAction: ----
OS: Windows
Pri: 2
Type: Bug



Sign in to add a comment

Unable to dismiss continuous sequence of alerts by normal means

Reported by nathan.o...@gmail.com, Jul 21 2017 
UserAgent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.115 Safari/537.36

Steps to reproduce the problem:
1. Open http://www.microsoft-alert-system.cf/call-microsoft-support-at-1-855-633-1666/ (yes, it is a phishing site)

2. Run the following in the developer console:

    document.oncontextmenu = null;
    document.onmousedown = null;
    document.onmouseup = null;

3. Right-click the question mark in the upper-right corner of the alert that is displayed and click "open in new tab"

4. Click the newly opened tab and an alert appears

What is the expected behavior?
A checkbox to "prevent this page from creating additional dialogues".

What went wrong?
No such checkbox is displayed and there is no way to dismiss the sequence of alerts by normal means.

Here is a GIF demonstrating the issue: https://i.stack.imgur.com/a3Iab.gif

Did this work before? N/A 

Chrome version: 59.0.3071.115  Channel: stable
OS Version: 10.0
Flash Version:
example.html
89.3 KB View Download

Comment 1 by kerrnel@chromium.org, Jul 21 2017

Labels: Needs-Feedback
A bug that requires local interaction is not a security bug under our threat model. Does this problem manifest without entering anything into the developer console?

Comment 2 by nathan.o...@gmail.com, Jul 21 2017 

If you load the example.html file that I attached and then click the new tab button, it also appears to trigger this behavior.
Project Member

Comment 3 by sheriffbot@chromium.org, Jul 21 2017

Cc: kerrnel@chromium.org
Labels: -Needs-Feedback
Thank you for providing more feedback. Adding requester "kerrnel@chromium.org" to the cc list and removing "Needs-Feedback" label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 4 by kerrnel@chromium.org, Jul 21 2017

Owner: a...@chromium.org
Status: Assigned (was: Unconfirmed)
I see, thank you, I reproduced this. Over to avi@, as I believe there are already plans to fix this type of problem.

avi@, this is a case where the "hostile page" keeps displaying a dialog over and over so that the focus is constantly stuck on that tab.

Comment 5 by elawrence@chromium.org, Jul 21 2017

Components: Blink>WindowDialog
Labels: -Type-Bug-Security -Restrict-View-SecurityTeam Type-Bug
"Annoyance" issues are not tracked as security bugs.

I believe the checkbox in question was removed as a part of the recent changes that allow the user to simply close the tab using the "X". Closing this page in Chrome 60 and 61 does not require any great effort.

Comment 6 by a...@chromium.org, Jul 21 2017

Labels: alert-activation
Status: WontFix (was: Assigned)
Yes. The intention is for the user to close such an abusive tab.

Sign in to add a comment