
Issue 768910


Issue metadata

Status: Fixed
Closed: Sep 2017
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 2
Type: Bug-Security


Security: Drag and drop of JavaScript to the URL bar incompletely blocked

Reported by, Sep 26 2017

Issue description

While working on Google Chrome I found that dragging anything onto the URL bar will take you to a Google search result. But 1 payload is executing a popup alert box vulnerability.

Payloads which I have used during the test

Steps to reproduce:
1. Go to
2. Drag the payload javascript:alert(/;// into the URL bar (instead of going for a search, the browser pops up an alert box)
3. I have tried the dragging technique with several payloads, but all are going for a search result; only (javascript:alert(/;//) is showing a popup box.
I have uploaded a POC of this vulnerability.
Chrome Version: Version 59.0.3071.115 (Official Build) (64-bit)
Operating System: [Kali Linux Os 64 Bit]

Components: UI>Browser>Navigation UI>Browser>Omnibox
Labels: OS-Linux
Summary: Security: Drag and drop of JavaScript to the URL bar incompletely blocked (was: Security:)
Cool, thanks for the report!

I can't reproduce this on Windows. Can you try this in the current stable version of Chrome (e.g. 61)?

Your video seems to show the attack working for JavaScript strings other than just the last one? 
Well, this looks mighty suspicious:

If the dropped item doesn't have a "URL" type object, then the plaintext is pasted without the required call to StripJavascriptSchemas. I suspect this is a problem on Linux and not Windows because in the Windows code path, the clipboard provider parses the string into a URL but the Linux clipboard provider does not.
Labels: Security_Severity-Low Security_Impact-Stable
Status: Untriaged (was: Unconfirmed)
Confirmed in Chrome 62 on Linux. It only reproduces when dropping on the Omnibox; the drop is rejected when dropping onto the tabstrip.

Given the degree of user-interaction required, this should be Sev-Low.

I couldn't reproduce a problem on Mac, Windows, or ChromeOS.
Yup... I checked in the latest version, Version 62.0.3202.29, and drag and drop of JavaScript to the URL bar is incompletely blocked.
Status: Started (was: Untriaged)
Project Member

Comment 6 by, Sep 27 2017

Labels: Pri-2
Project Member

Comment 7 by, Sep 27 2017

The following revision refers to this bug:

commit 16c719e0e275d2ee5d5c69e4962b744bcaf0fe40
Author: Eric Lawrence <>
Date: Wed Sep 27 16:17:12 2017

Strip JavaScript schemas on Linux text drop

When dropping text onto the Omnibox, any leading JavaScript schemes
should be stripped to avoid a "self-XSS" attack. This stripping already
occurs in all cases except when plaintext is dropped on Linux. This CL
corrects that oversight.

Bug:  768910 
Change-Id: I43af24ace4a13cf61d15a32eb9382dcdd498a062
Reviewed-by: Justin Donnelly <>
Commit-Queue: Eric Lawrence <>
Cr-Commit-Position: refs/heads/master@{#504695}
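
The code-path gap discussed in this thread, as an added C++ illustration that is not part of the issue or of Chromium's source: a simplified model in which a text-only drop skips the scheme-stripping step, beside the corrected form. `DropData`, `StripLeadingJavascriptSchemes` and both `TextForOmniboxDrop*` functions are hypothetical names, and the sample drop is constructed.

```cpp
#include <cctype>
#include <iostream>
#include <string>

// Hypothetical model of a drop payload; not Chromium's real data structure.
struct DropData {
  bool has_url;      // true when the drag source supplied a URL-typed object
  std::string url;
  std::string text;  // plain-text representation
};

// Removes every leading "javascript:" scheme (any letter case) along with the
// whitespace/control characters in front of each, so stacked prefixes such as
// "javascript:javascript:..." are fully removed.
std::string StripLeadingJavascriptSchemes(const std::string& input) {
  static const std::string kScheme = "javascript:";
  std::string::size_type pos = 0;
  for (;;) {
    std::string::size_type i = pos;
    while (i < input.size() && static_cast<unsigned char>(input[i]) <= 0x20) ++i;
    if (input.size() - i < kScheme.size()) break;
    bool match = true;
    for (std::string::size_type k = 0; match && k < kScheme.size(); ++k) {
      match = std::tolower(static_cast<unsigned char>(input[i + k])) == kScheme[k];
    }
    if (!match) break;
    pos = i + kScheme.size();
  }
  return input.substr(pos);
}

// Flawed shape described in the thread: only the URL-typed branch is sanitized.
std::string TextForOmniboxDropFlawed(const DropData& d) {
  if (d.has_url) return StripLeadingJavascriptSchemes(d.url);
  return d.text;  // plain text reaches the URL bar unmodified
}

// Corrected shape: both branches pass through the same sanitizer.
std::string TextForOmniboxDropFixed(const DropData& d) {
  return StripLeadingJavascriptSchemes(d.has_url ? d.url : d.text);
}

int main() {
  // Constructed sample: a text-only drop, as on the Linux code path.
  DropData drop = {false, "", " JavaScript:javascript:alert(1)"};
  std::cout << "flawed: [" << TextForOmniboxDropFlawed(drop) << "]\n"
            << "fixed:  [" << TextForOmniboxDropFixed(drop) << "]\n";
  return 0;
}
```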

Is it fixed?
Status: Fixed (was: Started)
The fix for this issue landed in Chrome 63.0.3226.0 which has not yet released to the Linux Dev channel.
Will I get any bounty for that?
Labels: reward-topanel
Generally, Severity-Low issues are not awarded bounties, due to the level of user-interaction required to exploit them.

If the panel decides this bug is especially interesting, that may change.

Thanks for helping keep our Linux users safe!

Comment 12 Deleted

Comment 13 Deleted

Project Member

Comment 14 by, Sep 29 2017

Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify
Any update?
Re #15: It's not clear what you're asking. Updates on this issue will be mentioned in this issue. 

The fix for this issue landed in Chrome 63.0.3226.0 which has not yet released to the Linux Dev channel.

Comment 17 Deleted

OK. I wanted to ask about the bug bounty update. Will I get a bounty or not?
When will the top panel decide about the bounty?
The VRP panel meets on a regular schedule and will update this issue with information after a decision is made.
Labels: -reward-topanel M-63 reward-0
Hello farhankhan5260@ - I'm sorry to say that the VRP panel declined to award for this, as we don't define limiting javascript pasting to be a hard security boundary. Still, many thanks for the report, and this will be assigned a CVE when M63 goes stable.
Labels: Release-0-M63
Labels: CVE-2017-15427
Project Member

Comment 23 by, Jan 5 2018

Labels: -Restrict-View-SecurityNotify allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit - Your friendly Sheriffbot
Project Member

Comment 24 by, Mar 27 2018

Labels: -M-63 M-65
Labels: CVE_description-missing
Labels: -CVE_description-missing CVE_description-submitted
