
Issue 750054

Starred by 2 users

Issue metadata

Status: WontFix
Owner:
Closed: Aug 2017
EstimatedDays: ----
NextAction: ----
OS: Windows
Pri: 2
Type: Bug-Security




Loading data on top (actually download)

Reported by s.h.h.n....@gmail.com, Jul 28 2017

Issue description

UserAgent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.115 Safari/537.36

Steps to reproduce the problem:
1. Go to https://test.shhnjk.com/open.php?url=data:image/svg%252Bxml,test
2. Click any link and file gets downloaded

What is the expected behavior?
Loading data on top is not allowed like https://test.shhnjk.com/open.php?url=data:image/svg%2Bxml,test

What went wrong?
Percent encoding + worked. But not detected as SVG.

Did this work before? N/A 

Chrome version: 61  Channel: dev
OS Version: 10.0
Flash Version:
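
Added example, not part of the original report or of Chromium's code: it shows how the two URLs in the report decode to different data: URL media types, assuming open.php (whose source is not shown) reads the `url` parameter with one round of percent-decoding and navigates to the result. The function names are hypothetical, and comparing the media type literally, without a second decoding pass, is an assumption consistent with the reporter's "not detected as SVG".

```javascript
// Assumption: open.php takes the `url` query parameter, percent-decoded once
// (as PHP's $_GET and URLSearchParams both do), and navigates to that value.
function targetFromQuery(pageUrl) {
  return new URL(pageUrl).searchParams.get("url");
}

// Media type of a data: URL, read literally: no further percent-decoding,
// lowercased, parameters such as ;base64 or ;charset dropped.
function dataUrlMediaType(target) {
  const m = /^data:([^,]*),/i.exec(target);
  if (m === null) return null;                 // not a data: URL
  const type = m[1].split(";")[0].trim().toLowerCase();
  return type === "" ? "text/plain" : type;    // RFC 2397 default
}

// Summarise what the navigation target looks like after the redirector.
function describe(pageUrl) {
  const target = targetFromQuery(pageUrl);
  const mediaType = dataUrlMediaType(target);
  return { target, mediaType, isSvg: mediaType === "image/svg+xml" };
}

// The two URLs from the report, plus an unencoded "+" for comparison.
const samples = [
  "https://test.shhnjk.com/open.php?url=data:image/svg%2Bxml,test",
  "https://test.shhnjk.com/open.php?url=data:image/svg%252Bxml,test",
  "https://test.shhnjk.com/open.php?url=data:image/svg+xml,test",
];
for (const s of samples) {
  const r = describe(s);
  console.log(`${s}\n  target=${JSON.stringify(r.target)} isSvg=${r.isSvg}`);
}
```

With single encoding the target's media type is exactly image/svg+xml; with double encoding the `%2B` survives into the media type, so a literal comparison no longer sees SVG. An unencoded `+` in the query decodes to a space.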
 
Owner: mea...@chromium.org
I believe this is working as intended. We explicitly want to allow download of resources from data URIs; we attempt to prevent only their display in the omnibox.

Meacer@, please confirm?
Project Member

Comment 2 by sheriffbot@chromium.org, Jul 29 2017

Status: Assigned (was: Unconfirmed)
Status: WontFix (was: Assigned)
Correct, we explicitly allow downloads. You can find some tests here: https://cs.chromium.org/chromium/src/content/browser/frame_host/data_url_navigation_browsertest.cc?rcl=b8825972c08dad9c2df0bdb0d124b2b5e4b3cb1b&l=662

Please let us know if you can display a data URL in the top frame.
Project Member

Comment 4 by sheriffbot@chromium.org, Nov 8 2017

Labels: -Restrict-View-SecurityTeam allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
