embed tag download certain files without consent
Reported by edward.b...@gmail.com, Aug 15 2017
Issue description

UserAgent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.90 Safari/537.36

Steps to reproduce the problem:
1. Create HTML page with <embed src="whatever" />
2. Open in Chrome
3. File downloads without consent

What is the expected behavior?
File not to download without consent

What went wrong?
File downloaded without consent. Works with .mid, .docx, .pfx, haven't tested with many others. I'd imagine there's a list of file ext's to mime-types that are exploitable...

Did this work before? N/A

Chrome version: 60.0.3112.90
Channel: n/a
OS Version: 10.0
Flash Version:
,
Aug 15 2017
Similar to #527173 which is nearly 2 years old
,
Aug 15 2017
May be worth noting that Firefox, Edge and IE do not download the file
,
Aug 15 2017
I believe this is working-as-intended, and just one of several mechanisms for triggering a file download; Chrome doesn't prompt for most file downloads, although the behavior depends on heuristics including the file type and the user's interaction with the website. By default, the setting of "Ask where to save each file before downloading" is off (see chrome://settings/?search=download)
,
Aug 17 2017
qinmin: Can you please evaluate this (see #4). Thanks!
,
Aug 21 2017
,
Feb 7 2018
Working as intended. If we want to revisit the decision feel free to reopen!
,
May 17 2018
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by edward.b...@gmail.com, Aug 15 2017