Security: Clearing Chrome's History resets Flash Player's Global Privacy and Security Settings to default
Issue description

VULNERABILITY DETAILS: Deleting Cookies in Chrome resets all of Flash Player's privacy settings, including restrictions on Camera/Mic access, Local Shared Object storage, etc.

VERSION: Results on bisect-builds: You are probably looking for a change made after 394935 (known good), but no later than 394942 (first known bad).
CHANGELOG URL: https://chromium.googlesource.com/chromium/src/+log/a71fbc30b977cf95aaaef70e68d794510648198b..fb92f3e718335521cf454e53651235fbf30c10e2

FAIL: Windows 10, FP 27.0.0.168, Chrome 62.0.2302.52 (stable)
FAIL: Windows 10, FP 25.0.0.171, Chrome 61.0.3163.100 (stable)
FAIL: Windows 7, FP 27.0.0.174, Chrome 62.0.2302.62 (stable)
FAIL: Windows 7, FP 14.0.0.183, Chrome 62.0.2302.52 (stable)
FAIL: Mac 10.11, FP 27.0.0.170, Chrome 62.0.2302.52 (stable)

REPRODUCTION CASE
# Open the Flash Player's web-based control panel: http://www.macromedia.com/support/documentation/en/flashplayer/help/settings_manager03.html
# Change various global privacy settings to non-default values (Storage, Camera/Mic, etc.)
# In Chrome, choose Menu > History > Clear Recent History > Everything
# Check all of the boxes
# Click Clear Now
# Reopen the web-based control panel as in step #1
# Observe that all of the settings are default again

Result: All of the settings are reset to default
Expected: Global privacy and security settings persist
Oct 28 2017
The presence of DATA_TYPE_PLUGIN_DATA in the DATA_TYPE_SITE_DATA enumeration[1] implies that Chrome asks plugins to delete their own data when you choose the "Cookies and other site data" option.
// "Site data" includes storage backend accessible to websites and some
// additional metadata kept by the browser (e.g. site usage data).
DATA_TYPE_SITE_DATA = content::BrowsingDataRemover::DATA_TYPE_COOKIES |
                      content::BrowsingDataRemover::DATA_TYPE_CHANNEL_IDS |
                      content::BrowsingDataRemover::DATA_TYPE_DOM_STORAGE |
                      DATA_TYPE_PLUGIN_DATA |
[1] https://cs.chromium.org/chromium/src/chrome/browser/browsing_data/chrome_browsing_data_remover_delegate.h?l=83&rcl=ac22b6c4cd333ee04e750a8152bb62a7fa585937
Oct 31 2017
Could you please take a look, msramek? Thanks! Also, I'm not sure what the severity should be. It might be that this is purely a privacy bug, but not a security vulnerability. If so, we should set the labels accordingly.
Oct 31 2017
Re #2: specifically, Chrome calls the ClearSiteData PPAPI method on the Flash plugin (https://cs.chromium.org/chromium/src/ppapi/c/private/ppp_flash_browser_operations.h?type=cs&sq=package:chromium&l=109) when that flag is set. From that point on it's all Flash.
Oct 31 2017
Thanks for the feedback. I'll ask our dev to go back and review the implementation on the Flash side again.
Nov 1 2017
Per #4, from a Chrome POV, this is "Won't Fix" unless something comes back from Adobe suggesting that Chrome is doing something wrong here. If it turns out that there's a problem on the Chrome side, please reactivate.
Nov 29 2017
Yeah, this is our bug. If you're interested, the issue is fixed in CL#84488 in Mainline and CL#84489 in Atka. It should be verifiable in dev/canary at this point (Flash Player 29.0.0.36 and higher), and will land in the next public Flash Player update.
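The path described in comments 1 and 3, with the plugin-side bug acknowledged above, as an added example in C; this is not Chromium or Adobe code, and the bit layout, settings fields and function names are all hypothetical stand-ins for the real DATA_TYPE_* mask and the PPAPI ClearSiteData hook:

```c
/* Added example (not Chromium or Adobe code): a model of the path described in
 * this thread. A removal mask built from DATA_TYPE_*-style bits is checked for
 * the plugin bit; when it is set, the plugin's clear-site-data hook runs. The
 * hook is shown in the buggy shape the report observes (global privacy
 * settings reset along with site data) and in a scoped shape that only
 * touches per-site storage. Every name here is hypothetical. */
#include <stdbool.h>
#include <stdint.h>

/* Hypothetical bit layout echoing the DATA_TYPE_* flags quoted in comment 1. */
enum { DT_COOKIES = 1u << 0, DT_DOM_STORAGE = 1u << 1, DT_PLUGIN_DATA = 1u << 2 };
#define DT_SITE_DATA (DT_COOKIES | DT_DOM_STORAGE | DT_PLUGIN_DATA)

struct plugin_state {
    bool camera_mic_always_deny;  /* global privacy setting, default false */
    bool allow_local_storage;     /* global privacy setting, default true  */
    int  site_objects;            /* per-site stored objects (LSOs), default 0 */
};

void plugin_reset_to_defaults(struct plugin_state *p) {
    p->camera_mic_always_deny = false;
    p->allow_local_storage = true;
    p->site_objects = 0;
}

/* Buggy hook: rebuilds the whole settings store, so the user's global
 * choices revert to defaults. This is the behaviour the report observes. */
static void clear_site_data_buggy(struct plugin_state *p) { plugin_reset_to_defaults(p); }

/* Scoped hook: removes only site-scoped data; global settings survive. */
static void clear_site_data_scoped(struct plugin_state *p) { p->site_objects = 0; }

/* Browser-side dispatch: the plugin hook runs only when DT_PLUGIN_DATA is in
 * the removal mask (comment 3). Returns true if the hook ran. */
bool browser_remove(uint32_t mask, struct plugin_state *p, bool use_scoped_hook) {
    if (!(mask & DT_PLUGIN_DATA)) return false;
    if (use_scoped_hook) clear_site_data_scoped(p); else clear_site_data_buggy(p);
    return true;
}

/* Scenario from the report: the user sets non-default global settings, a site
 * stores data, then the user clears "cookies and other site data". Returns true
 * only when the global settings persisted AND the site data is gone. */
bool global_settings_survive(uint32_t mask, bool use_scoped_hook) {
    struct plugin_state p;
    plugin_reset_to_defaults(&p);
    p.camera_mic_always_deny = true;   /* user: always deny camera/mic */
    p.allow_local_storage = false;     /* user: block local shared objects */
    p.site_objects = 3;                /* constructed: a site stored three LSOs */
    browser_remove(mask, &p, use_scoped_hook);
    return p.camera_mic_always_deny && !p.allow_local_storage && p.site_objects == 0;
}
```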
Feb 8 2018
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by elawrence@chromium.org, Oct 28 2017