Issue 763108

Issue metadata

Status: WontFix
Owner: ----
Closed: Sep 2017
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: ----
Type: Bug-Security



Security: Click jacking report

Reported by karthikk...@gmail.com, Sep 7 2017

Issue description

Hello Google,

This is Karthik. Google Chrome has a clickjacking vulnerability that might be harmful. Through the clickjacking, Google Chrome completely crashed and gives the server-side commands and file names.

Clickjacking also redirects to other websites. Below I have attached the video; you must watch all the details inside it. Waiting for your reply and bug bounty 😂😂😂.

Thank you
(Karthik)

Attachment: 20170908_014810.mp4 (2.9 MB)
Status: WontFix (was: Unconfirmed)
Thanks for the report!

While videos are often helpful in reproducing vulnerabilities, they should accompany a text description of how to reproduce the report.

What's pictured here has nothing to do with clickjacking (a "UI redress vulnerability") in which the user is tricked into clicking something unexpected.

This also isn't a crash in Chrome; Chrome is simply showing the HTML source code of a page instead of rendering it as HTML as expected.

While the blurriness of the video makes it hard to tell, it appears that what's happening here is that a prior chunked response on the socket is terminated incorrectly, leading to the chunk terminator (0\r\n) appearing before the next HTTP response, corrupting its headers and resulting in it being treated as an HTTP/0.9 response without headers. Thus the response renders as plaintext.

If you can reproduce this at will (I cannot reproduce it at all), please include the version information from chrome://version and attach a network log (see https://dev.chromium.org/for-testers/providing-network-details).
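
The failure mode described in the comment above, as an added example that is not part of the original issue and not Chrome's code: a simplified keep-alive client model in which a stray chunk terminator left on the socket makes the next response fall back to HTTP/0.9. The function names, the rule that the status line must start the buffer, and the sample bytes are assumptions constructed for illustration.

```python
# Added example: simplified keep-alive client model, not Chrome's parser.
CRLF = b"\r\n"

def read_chunked(buf):
    """Decode a chunked body; return (body, bytes left unread on the socket)."""
    body, pos = b"", 0
    while True:
        eol = buf.index(CRLF, pos)
        size = int(buf[pos:eol].split(b";")[0], 16)  # ignore chunk extensions
        pos = eol + 2
        if size == 0:
            end = buf.index(CRLF + CRLF, pos - 2)  # blank line after trailers
            return body, buf[end + 4:]
        body += buf[pos:pos + size]
        pos += size + 2  # chunk data plus its trailing CRLF

def parse_one(buf):
    """Parse one response from buf; return (version, headers, body, rest)."""
    if not buf.startswith(b"HTTP/"):
        # No status line: assume HTTP/0.9 (no headers, body runs to close).
        return "0.9", {}, buf, b""
    head, _, rest = buf.partition(CRLF + CRLF)
    status, *fields = head.split(CRLF)
    version = status.split(b" ")[0][5:].decode()
    headers = {}
    for line in fields:
        k, _, v = line.partition(b":")
        headers[k.strip().lower().decode()] = v.strip().decode()
    if headers.get("transfer-encoding", "").lower() == "chunked":
        body, rest = read_chunked(rest)
    else:
        n = int(headers.get("content-length", "0"))
        body, rest = rest[:n], rest[n:]
    return version, headers, body, rest

def read_stream(buf):
    """Parse back-to-back responses as a client reusing one socket would."""
    out = []
    while buf:
        version, headers, body, buf = parse_one(buf)
        out.append((version, headers.get("content-type"), body))
    return out

# Constructed sample data: two responses on one persistent connection.
FIRST = b"HTTP/1.1 200 OK\r\nTransfer-Encoding: chunked\r\n\r\n5\r\nhello\r\n0\r\n\r\n"
SECOND = b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nContent-Length: 11\r\n\r\n<h1>hi</h1>"
STRAY = b"0\r\n\r\n"  # terminator emitted a second time by a faulty server

if __name__ == "__main__":
    print(read_stream(FIRST + STRAY + SECOND))
```

In the corrupted stream the second response has no parsed `Content-Type`, and its status line and headers end up inside the body, which matches the page source being shown as text.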
Project Member

Comment 2 by sheriffbot@chromium.org, Dec 16 2017

Labels: -Restrict-View-SecurityTeam allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
