Cool, thanks for the report!

I can't reproduce this on Windows. Can you try this in the current stable version of Chrome (e.g. 61)?

Your video seems to show the attack working for JavaScript strings other than just the last one? 

Well, this looks mighty suspicious:

https://cs.chromium.org/chromium/src/chrome/browser/ui/views/omnibox/omnibox_view_views.cc?l=1101&rcl=c3119ad1a6b260ed81e74cd0f3308939ca102b21

If the dropped item doesn't have a "URL" type object, then the plaintext is pasted without the required call to StripJavascriptSchemas. I suspect this is a problem on Linux and not Windows because in the windows codepath, the clipboard provider parses the string into a URL but the linux clipboard provider does not.

Confirmed in Chrome 62 on Linux. It only reproduces when dropping on the Omnibox; the drop is rejected when dropping onto the tabstrip.

Given the degree of user-interaction required, this should be Sev-Low.

I couldn't reproduce a problem on Mac, Windows, or ChromeOS.

yup...i chacked in latest version Version 62.0.3202.29 and Drag and drop of JavaScript to the URL bar incompletely blocked

https://chromium-review.googlesource.com/c/chromium/src/+/685638

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/16c719e0e275d2ee5d5c69e4962b744bcaf0fe40

commit 16c719e0e275d2ee5d5c69e4962b744bcaf0fe40
Author: Eric Lawrence <elawrence@chromium.org>
Date: Wed Sep 27 16:17:12 2017

Strip JavaScript schemas on Linux text drop

When dropping text onto the Omnibox, any leading JavaScript schemes
should be stripped to avoid a "self-XSS" attack. This stripping already
occurs in all cases except when plaintext is dropped on Linux. This CL
corrects that oversight.

Bug:  768910 
Change-Id: I43af24ace4a13cf61d15a32eb9382dcdd498a062
Reviewed-on: https://chromium-review.googlesource.com/685638
Reviewed-by: Justin Donnelly <jdonnelly@chromium.org>
Commit-Queue: Eric Lawrence <elawrence@chromium.org>
Cr-Commit-Position: refs/heads/master@{#504695}
[modify] https://crrev.com/16c719e0e275d2ee5d5c69e4962b744bcaf0fe40/chrome/browser/ui/views/omnibox/omnibox_view_views.cc

Is it fixed ??

The fix for this issue landed in Chrome 63.0.3226.0 which has not yet released to the Linux Dev channel.

Will I get any bounty for that?

Generally, Severity-Low issues are not awarded bounties, due to the level of user-interaction required to exploit them. 

https://www.google.com/about/appsecurity/chrome-rewards/index.html

If the panel decides this bug is especially interesting, that may change.

Thanks for helping keep our Linux users safe!

Any update??

Re #15: It's not clear what you're asking. Updates on this issue will be mentioned in this issue. 

The fix for this issue landed in Chrome 63.0.3226.0 which has not yet released to the Linux Dev channel.

Ok.I wanted to ask about bug bounty update..will I get bounty or not??
When will top panel decide about bounty ?

The VRP panel meets on a regular schedule and will update this issue with information after a decision is made.

Hello farhankhan5260@ - I'm sorry to say that the VRP panel declined to award for this, as we don't define limiting javascript pasting to be a hard security boundary. Still, many thanks for the report, and this will be assigned a CVE when M63 goes stable.

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot