Bypass of blocking of alert() in onbeforeunload and prevent user from navigating away
Reported by s...@netsparker.com, Aug 18 2017
Issue description

UserAgent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.101 Safari/537.36

Steps to reproduce the problem:
1. Download the HTML page in the attachment
2. Open the page in Chrome
3. Type https://google.com/ into the address bar and press enter

What is the expected behavior?
The browser should navigate to https://google.com/ and not redirect to another page.

What went wrong?
The browser navigates to http://attacker.com/

If your website is localhost/trap and you use the code

window.onbeforeunload = function(){ setInterval('document.location = `trap?x=2`') }

and then type example.com into your address bar and press enter, Chrome will redirect to trap?x=2 for a short amount of time before it redirects you to example.com. However, if trap?x=2 contains the following code

history.back()

you will get redirected back to localhost/trap and no redirect to example.com happens. Optionally you can then go on and redirect to a page of your choosing, in this case attacker.com.

So I think the real problem here is that Chrome allows "setInterval" together with "document.location = " in onbeforeunload, which lets you redirect to another page before Chrome can redirect to the intended one.

Did this work before? N/A

Chrome version: 60.0.3112.101 Channel: stable
OS Version: 10.0
Flash Version:

Despite the fact that I chose attacker.com as destination, I'm not sure if this is in any way a security issue. You could achieve the same (redirecting to a phishing page) with window.opener.location. I still feel like it should not be possible to redirect to other pages in onbeforeunload. As a matter of fact you can also redirect to javascript:alert(1), effectively bypassing the block of alert() in onbeforeunload. However, this will only last shortly, as the browser immediately redirects to the user-supplied destination and therefore closes the popup.

But in jsfiddle the page didn't redirect until I clicked "Ok" in the alert popup; I suppose it's because it's inside an iframe, or maybe because of the meta refresh I used. https://jsfiddle.net/1kcac5gg/
Aug 21 2017
Able to reproduce the issue on Windows 10, Ubuntu 14.04 and Mac OS 10.12.6 using Chrome M60 #60.0.3112.101 and M62 #62.0.3192.0 with the given jsfiddle in original comment #0. This is a non-regression issue seen from M45 #45.0.2404.0. Hence, marking it as untriaged for further inputs on this. Thanks!
Aug 21 2017
Adding in more nav folks.
Aug 22 2017
We've known about this for some time. One idea is to just ignore all subsequent navigations on the window that come after beforeunload is acknowledged. However, this is also tricky: if someone clicks another link after beforeunload but before the new document commits, we do still want to respect that navigation... so we could say navigations without a user gesture... but then you could imagine a case where a page tries to trick a user into giving it a user gesture.
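The policy sketched in the comment above (ignore navigations that arrive after beforeunload is acknowledged unless they carry a user gesture) can be modelled as a small state machine. The JavaScript below is an added illustration written for this page, not Chromium's navigation code; the class and method names (`NavigationController`, `request`, `later`, `navigate`) are invented, and `later` stands in for anything that fires in the window between the beforeunload acknowledgement and the commit, whether a timer the page armed or a click the user makes. The three scenarios are the report's trap, the user-click case the comment wants to keep working, and the caveat that a gesture-based rule cannot distinguish a tricked gesture from a real one.

```javascript
'use strict';

// Toy model of the proposed mitigation: after beforeunload has been acknowledged,
// navigations on that window that lack a user gesture are dropped until the pending
// navigation commits. Hypothetical illustration, not Chromium's navigation code.
class NavigationController {
  constructor(initialUrl) {
    this.location = initialUrl;      // URL of the committed document
    this.pending = null;             // URL of the navigation in flight
    this.ackedBeforeUnload = false;  // true from beforeunload ack until commit
    this.queued = [];                // events that fire between ack and commit
    this.ignored = [];               // requests dropped by the policy (telemetry/assertions)
  }

  // Models anything that happens after beforeunload is acknowledged but before the new
  // document commits: a timer the page armed (the report's setInterval) or a user click.
  later(fn) { this.queued.push(fn); }

  // A navigation request. `userGesture` marks a request backed by user activation
  // (address-bar entry, link click); script-initiated requests default to false.
  request(url, { userGesture = false } = {}) {
    if (this.ackedBeforeUnload && !userGesture) {
      this.ignored.push(url);
      return false;
    }
    this.pending = url;
    return true;
  }

  // Drives one user-initiated navigation through beforeunload to commit and returns
  // the URL that ends up committed. `onBeforeUnload` is the page's handler.
  navigate(url, onBeforeUnload) {
    this.request(url, { userGesture: true });
    if (onBeforeUnload) onBeforeUnload(this);
    this.ackedBeforeUnload = true;   // dialog (if any) dismissed; navigation proceeds
    for (const fn of this.queued.splice(0)) fn(this);
    this.location = this.pending;
    this.pending = null;
    this.ackedBeforeUnload = false;
    return this.location;
  }
}

// Scenario 1: the report's trap. The handler arms a timer that reassigns the location
// after the user's navigation has been acknowledged. Under the policy it is dropped.
function trapScenario() {
  const nav = new NavigationController('http://localhost/trap');
  const committed = nav.navigate('https://example.com/', win => {
    win.later(w => w.request('http://localhost/trap?x=2'));
  });
  return { committed, ignored: nav.ignored };
}

// Scenario 2: the case the comment wants to keep working. The user clicks a link after
// acknowledging beforeunload but before commit; that click carries a gesture and wins.
function userClickScenario() {
  const nav = new NavigationController('http://localhost/page');
  const committed = nav.navigate('https://example.com/', win => {
    win.later(w => w.request('https://example.org/', { userGesture: true }));
  });
  return { committed, ignored: nav.ignored };
}

// Scenario 3: the caveat in the comment. If the page obtains a user gesture for its own
// request, a gesture-based policy cannot tell it from a real click and lets it through.
function trickedGestureScenario() {
  const nav = new NavigationController('http://localhost/trap');
  const committed = nav.navigate('https://example.com/', win => {
    win.later(w => w.request('http://localhost/trap?x=2', { userGesture: true }));
  });
  return { committed, ignored: nav.ignored };
}

console.log(trapScenario(), userClickScenario(), trickedGestureScenario());
```

The `ignored` list is the hook a defender would care about: a real implementation would count or log dropped requests, since a burst of script navigations right after a beforeunload acknowledgement is exactly the pattern the report describes. Scenario 3 is why the comment calls the idea tricky; the model only shows where the gesture rule stops helping, it does not resolve it.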
Aug 1
dcheng@: Loading triager here. Would you help me triage this bug?
Aug 2
Comment 1 by tkent@chromium.org, Aug 21 2017
Components: -Blink Blink>Loader Blink>WindowDialog