New API to control document.location & manage internal popup component
Reported by
labobol...@gmail.com,
Aug 18 2017
Issue description

UserAgent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.101 Safari/537.36

Steps to reproduce the problem:
1. Go to a site with nasty ads & popups. It detects that you are running Chrome and goes straight to document.location and popunder, etc.

document.location abuse: First it opens the current URL in a new tab, then it uses document.location to change the current tab to some even more nasty site that tries to trick you into installing a Chrome extension, etc, etc.

Extension developers need control over document.location to better secure and prevent this since honestly, from my perspective, you don't seem to do anything about it at all.

Popups not blocked by Chrome and extension devs are powerless.

----

Managed to find some mild NSFW examples. (The easiest way to find examples of the above).

document.location abuse example: https://www.redtube.com/
1. Click on a video.

Popup example: http://celebgate.ws/2017/08/05/asmr-is-awesome-nude/
1. Click one of the play buttons to get popups. (Want more popups? Wait a little while and click on the site and another popup shows up).

What is the expected behavior?
That Chrome prevents such behavior or gives the user the option to have a whitelist/blacklist to prevent redirects or enable extension devs to do the mentioned stuff.

What went wrong?
Chrome doesn't block it, not even the nasty popups from popunder and such. Users have no options. Extension devs can't do anything because the API doesn't exist.

Did this work before? No

Chrome version: 60.0.3112.101 Channel: stable
OS Version: 6.1 (Windows 7, Windows Server 2008 R2)
Flash Version:

Firefox got:
1. NoRedirect to control redirects of all kinds.
2. Adblock Plus can actually prevent popups in Firefox because Firefox doesn't hinder in any way. Add-on devs have full power.

Connect the computer to the kitchen stove and I'm sure add-on devs could write something that could even boil an egg for you through Firefox. I'm sure you get my point.

Apologies for choosing "Security". That was the closest one that matched this issue.

Aug 21 2017
As this is a feature request, marking it as untriaged, so that it would get addressed by the respective team. Thanks!

Aug 25 2017
labobolink@: Do you have any ideas on how to make the existing APIs like webrequest better to support the use case you point out?

Comment 1 by elawrence@chromium.org, Aug 18 2017
Labels: -Type-Bug-Security -Restrict-View-SecurityTeam Type-Feature