
Issue 776113

Starred by 2 users

Issue metadata

Status: WontFix
Owner: ----
Closed: Oct 2017
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: 1
Type: Bug-Security

Security: geolocation permission checks being done in renderer

Reported by wfh@chromium.org (Project Member), Oct 18 2017

Issue description

I was reading CCS 2016 paper:

https://www.microsoft.com/en-us/research/wp-content/uploads/2016/09/chrome_ccs.pdf

and at the end it mentions that geolocation permission checks are being done in the renderer:

"HTML5 provides JavaScript APIs to enable sites to obtain the browser’s geolocation, which requires the user’s explicit approval. Chrome pops up with a permission prompt (controlled by the browser kernel) for the user to determine whether to allow the site to access the GPS sensor or not. We find that though the prompt is controlled by the browser kernel, the attacker’s script can modify m_geolocationPermission as PermissionAllowed in the Geolocation object to bypass the check of Geolocation::isAllowed in the renderer. Then the attacker can obtain the user’s geolocation using JavaScript."

I wanted to confirm whether this is still true; if so, I think we should probably consider moving these checks to the browser, especially as we already have a browser prompt.

Comment 1 by wfh@chromium.org, Oct 18 2017

Cc: raymes@chromium.org tzik@chromium.org
It seems like this might have been fixed/removed. Not sure which CL though.
Maybe https://chromium.googlesource.com/chromium/src/+/47f4fbf1f6cbe4d7b42581f0bc5a5f5545582bfd

"Perform browser-side geolocation permission checks

Currently, there are no browser-side geolocation permission checks.
This change adds a GeolocationService, which performs this check in
the browser.

BUG=426384"
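To make the trust-boundary point concrete, here is a small C++ model added for this page. It is not Chromium code, not the paper's code and not the CL above: it puts a renderer-side check that a compromised renderer can flip next to the browser-side lookup the CL title describes. The class and member names (m_geolocationPermission, GeolocationService follow the quote and the CL title), the origins and the position string are constructed for illustration.

```cpp
#include <map>
#include <string>
#include <utility>

// Hypothetical model of the two-process permission check; not Chromium code.
enum class Permission { kAsk, kAllowed, kDenied };

// Browser-kernel-side permission store. Only the browser writes it, after
// the user answers the permission prompt.
class BrowserPermissionStore {
 public:
  void Set(const std::string& origin, Permission p) { store_[origin] = p; }
  Permission Get(const std::string& origin) const {
    auto it = store_.find(origin);
    return it == store_.end() ? Permission::kAsk : it->second;
  }

 private:
  std::map<std::string, Permission> store_;
};

// Renderer-side state. Everything here lives in the sandboxed renderer, so
// an attacker with an arbitrary write in that process can set any value.
struct RendererGeolocation {
  std::string origin;
  Permission m_geolocationPermission = Permission::kAsk;
  bool isAllowed() const { return m_geolocationPermission == Permission::kAllowed; }
};

// Before the fix: the only check is Geolocation::isAllowed in the renderer;
// the browser hands out the position to any renderer that asks for it.
bool RendererOnlyCheck(const RendererGeolocation& renderer, std::string* position_out) {
  if (!renderer.isAllowed()) return false;
  *position_out = "constructed-fix:lat=0,lng=0";  // constructed sample, no real sensor
  return true;
}

// After the fix: a browser-side service consults the browser's own store,
// keyed by the origin the browser bound to the frame at navigation time,
// and ignores whatever permission state the renderer claims to hold.
class GeolocationService {
 public:
  GeolocationService(const BrowserPermissionStore& store, std::string frame_origin)
      : store_(store), frame_origin_(std::move(frame_origin)) {}

  bool GetPosition(std::string* position_out) const {
    if (store_.Get(frame_origin_) != Permission::kAllowed) return false;
    *position_out = "constructed-fix:lat=0,lng=0";  // constructed sample
    return true;
  }

 private:
  const BrowserPermissionStore& store_;
  std::string frame_origin_;
};

// Attacker flips the renderer flag; the user never granted anything.
bool BypassAgainstRendererCheck() {
  RendererGeolocation renderer{"https://attacker.example"};
  renderer.m_geolocationPermission = Permission::kAllowed;  // the arbitrary write
  std::string pos;
  return RendererOnlyCheck(renderer, &pos);  // true: position leaks
}

// Same tampering, but the browser-side service decides.
bool BypassAgainstBrowserCheck() {
  BrowserPermissionStore store;  // no prompt was ever answered for this origin
  RendererGeolocation renderer{"https://attacker.example"};
  renderer.m_geolocationPermission = Permission::kAllowed;
  // Origin comes from the browser's own record of the frame, not the renderer.
  GeolocationService service(store, "https://attacker.example");
  std::string pos;
  return service.GetPosition(&pos);  // false: browser store still says kAsk
}

// Control: a grant recorded by the browser after the prompt still works.
bool LegitimateGrantAgainstBrowserCheck() {
  BrowserPermissionStore store;
  store.Set("https://maps.example", Permission::kAllowed);  // user clicked Allow
  GeolocationService service(store, "https://maps.example");
  std::string pos;
  return service.GetPosition(&pos) && !pos.empty();
}
```

The design point is that the renderer's copy of the permission bit is at best a cache for UI purposes; the decision that gates the privileged action has to be made in the process the attacker does not control, against state that process wrote itself.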

Comment 3 by raymes@chromium.org, Oct 18 2017

Cc: sa...@chromium.org noel@chromium.org
Status: WontFix (was: Unconfirmed)
This is fixed for geolocation (as per #2), but not for all permissions. These are longstanding issues that we're trying to fix. noel, sammc and the site isolation folks have been thinking about and working on this more broadly.

I'm going to close this because the geolocation issue is fixed; the broader issue is tracked in issue 698985.

Comment 4 by wfh@chromium.org, Oct 18 2017

Thanks to both of you for the updates, that CL and issue 698985 do look like the right things... glad this is fixed for geolocation.
Comment 5 by sheriffbot@chromium.org (Project Member), Jan 27 2018

Labels: -Restrict-View-SecurityTeam allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot