Popunder restriction bypass with payment request API
Reported by masatoki...@gmail.com, Sep 24 2017
Issue description

UserAgent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3222.0 Safari/537.36

Steps to reproduce the problem:
1. Go to https://vulnerabledoma.in/popunder/pr_api.html.
2. Click "Create PopUnder" button.
3. The popunder window is opened.

What is the expected behavior?
The popunder window should not be opened.

What went wrong?
The popunder window is opened.

Did this work before? N/A

Chrome version: 63.0.3222.0 Channel: canary
OS Version: 10.0
Flash Version:
,
Sep 25 2017
Payments team, please remove window activation.
,
Sep 26 2017
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/5b51043c7c8e7e6b86e68e6d93d95ad24e11cf0e

commit 5b51043c7c8e7e6b86e68e6d93d95ad24e11cf0e
Author: Rouslan Solomakhin <rouslan@chromium.org>
Date: Tue Sep 26 16:59:32 2017

[Payments] Prohibit opening payments UI in background tab.

Before this patch, calling PaymentRequest.show() would bring the background window to the foreground, which allows a page to open a pop-under.

This patch adds a check for the browser window being active (in foreground) in PaymentRequest.show(). If the window is not active (in background), then PaymentRequest.show() promise is rejected with "AbortError: User cancelled request." No UI is shown in that case.

After this patch, calling PaymentRequest.show() does not bring the background window to the foreground, thus preventing opening a pop-under.

Bug: 768230
Change-Id: I2b90f9086ceca5ed7b7bdf8045e44d7e99d566d0
Reviewed-on: https://chromium-review.googlesource.com/681843
Reviewed-by: anthonyvd <anthonyvd@chromium.org>
Commit-Queue: Rouslan Solomakhin <rouslan@chromium.org>
Cr-Commit-Position: refs/heads/master@{#504406}

[modify] https://crrev.com/5b51043c7c8e7e6b86e68e6d93d95ad24e11cf0e/chrome/browser/payments/chrome_payment_request_delegate.cc
[modify] https://crrev.com/5b51043c7c8e7e6b86e68e6d93d95ad24e11cf0e/chrome/browser/payments/chrome_payment_request_delegate.h
[modify] https://crrev.com/5b51043c7c8e7e6b86e68e6d93d95ad24e11cf0e/chrome/browser/ui/views/payments/payment_request_browsertest.cc
[modify] https://crrev.com/5b51043c7c8e7e6b86e68e6d93d95ad24e11cf0e/chrome/browser/ui/views/payments/payment_request_browsertest_base.cc
[modify] https://crrev.com/5b51043c7c8e7e6b86e68e6d93d95ad24e11cf0e/chrome/browser/ui/views/payments/payment_request_browsertest_base.h
[modify] https://crrev.com/5b51043c7c8e7e6b86e68e6d93d95ad24e11cf0e/chrome/browser/ui/views/payments/test_chrome_payment_request_delegate.cc
[modify] https://crrev.com/5b51043c7c8e7e6b86e68e6d93d95ad24e11cf0e/chrome/browser/ui/views/payments/test_chrome_payment_request_delegate.h
[modify] https://crrev.com/5b51043c7c8e7e6b86e68e6d93d95ad24e11cf0e/components/payments/content/payment_request.cc
[modify] https://crrev.com/5b51043c7c8e7e6b86e68e6d93d95ad24e11cf0e/components/payments/core/payment_request_delegate.h
[modify] https://crrev.com/5b51043c7c8e7e6b86e68e6d93d95ad24e11cf0e/components/payments/core/test_payment_request_delegate.cc
[modify] https://crrev.com/5b51043c7c8e7e6b86e68e6d93d95ad24e11cf0e/components/payments/core/test_payment_request_delegate.h
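
Added example (not part of the original report and not Chromium code): how a checkout page can cope with the behaviour the commit message above describes, where show() in a background window is rejected with the same AbortError as a user cancel. The names windowLooksActive, classifyRejection, showPaymentSheet and makeFakeRequest are hypothetical, and the focus check is only the page's approximation of the browser's own window-active test.

```javascript
// Added example, not Chromium code. `env` stands in for `document` so the
// logic can also run outside a browser; in a page, pass `document` itself.

// True when the page is in a visible, focused window (an approximation of
// the browser's own "window is active" check, which pages cannot query).
function windowLooksActive(env) {
  return env.visibilityState === 'visible' && env.hasFocus();
}

// Classify a show() rejection. The patched browser reports a background
// window with the same AbortError as a user cancel, so focus state at the
// time of rejection is the only hint available to the page.
function classifyRejection(err, env) {
  if (err && err.name === 'AbortError') {
    return windowLooksActive(env) ? 'user-cancelled' : 'window-inactive';
  }
  return 'error';
}

// Call show() only from a foreground window; never retry automatically.
async function showPaymentSheet(request, env) {
  if (!windowLooksActive(env)) {
    return { status: 'window-inactive', shown: false };
  }
  try {
    const response = await request.show();
    return { status: 'accepted', shown: true, response };
  } catch (err) {
    return { status: classifyRejection(err, env), shown: false };
  }
}

// Constructed stand-in for PaymentRequest that models the patched behaviour
// from the commit message: reject and show no UI when the window is inactive.
function makeFakeRequest(browserWindowActive) {
  return {
    show() {
      if (!browserWindowActive()) {
        const err = new Error('User cancelled request.');
        err.name = 'AbortError';
        return Promise.reject(err);
      }
      return Promise.resolve({ methodName: 'example-method' }); // constructed
    },
  };
}
```

In a page the call would be showPaymentSheet(new PaymentRequest(methods, details), document); a 'window-inactive' result is a cue to wait for the user to return to the tab before offering payment again.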
Comment 1 by masatoki...@gmail.com, Sep 24 2017