Issue metadata
Sign in to add a comment
|
hijack cross-domain window title
Reported by
ma7h1a...@gmail.com,
Sep 15 2017
|
||||||||||||||||||||||||
Issue descriptionAFFECTED PRODUCTS -------------------- chrome 61.0.3163.91 DESCRIPTION -------------------- chrome did not refresh its window title if target do not have a title. but other browsers like firefox,IE would simply clean it. it could "hijack" a cross-domain window's title which may case potential spoofing problem for example,I find a page on *.google.com to show this problem. online demo http://xsser.math1as.com/exp.html
,
Sep 15 2017
yes,but since with a scanner i found so many pages without set a title in google,apple,etc. so it's easy to get a victim website.
,
Sep 15 2017
I can still repro in 63.0.3216 on Linux. This might be a navigation issue since there is a redirect involved. Navigation folks, can you please take a look?
,
Sep 15 2017
Works on Android too.
,
Sep 15 2017
Perhaps related to Issue 96041 ?
,
Sep 15 2017
Old bug is old! Avi, wdyt?
,
Sep 15 2017
I reverted a bad fix for issue 96041 , but that would not have affected this. There was a fix that I was working on for 96041 that would handle this. Taking, as it's in my area.
,
Sep 16 2017
,
Nov 10 2017
,
Feb 16 2018
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot |
|||||||||||||||||||||||||
►
Sign in to add a comment |
|||||||||||||||||||||||||
Comment 1 by elawrence@chromium.org
, Sep 15 2017