New issue
Advanced search Search tips

Issue 780250 link

Starred by 1 user

Issue metadata

Status: Fixed
Owner:
Closed: Nov 2017
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Windows
Pri: 2
Type: Bug



Sign in to add a comment

Popunder restriction bypass with PDF confirm dialog

Reported by masatoki...@gmail.com, Oct 31 2017

Issue description

UserAgent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3254.0 Safari/537.36

Steps to reproduce the problem:
1. Go to https://vulnerabledoma.in/popunder/pdf_confirm.html .
2. Click "Create PopUnder" button.
3. The popunder window is opened.

What is the expected behavior?
The popunder window should not be opened.

What went wrong?
The popunder window is opened.

Did this work before? N/A 

Chrome version: 64.0.3254.0  Channel: canary
OS Version: 10.0
Flash Version: 

I confirmed this works on Windows. I couldn't reproduce on Mac.
 

Comment 1 by a...@chromium.org, Oct 31 2017

Owner: a...@chromium.org
Status: Assigned (was: Unconfirmed)
This one makes me sad, because this is not new. We have explicit code to fix this exact case. It seems to not be working. :(

Comment 2 by a...@chromium.org, Nov 1 2017

This also uses the "mouseup in a new tab" trick, but we should *also* already be handling this.

Comment 3 by a...@chromium.org, Nov 1 2017

It is not at all obvious what's going on here, so let me lay it out. The repro is:

button=document.getElementById('button');
button.onmousedown=function(){
    w=window.open("about:blank","_blank");
    w.addEventListener('mouseup',function(){
        window.open("https://example.com/","_blank","resizable=1,menubar=0,status=1"); 	**𝗹𝗶𝗻𝗲 𝟭**
    });
    setTimeout(function(){
        w.document.write('<iframe src="𝘱𝘥𝘧 𝘴𝘩𝘰𝘸𝘪𝘯𝘨 𝘤𝘰𝘯𝘧𝘪𝘳𝘮 𝘥𝘪𝘢𝘭𝘰𝘨"></iframe>');
    },100);
    setTimeout(function(){
        w.close();
    },1500);

The main window ① opens a new tab, window ②. That window watches for a mouseup. However, *it* does not spawn the popup. If you look at the marked "line 1" above, it calls back to window ①, and has *it* spawn the popup, window ③.

At this point both windows ② and ③ have window ① as their owners, which defeats the popunder blocker. The popunder blocker asks if the same window that spawned the popup is doing the activation, which it's not.

Comment 4 by a...@chromium.org, Nov 1 2017

And this gets around the user gesture requirement. Window ② burns its user gesture to open a popup that is attributed to window ①.

Comment 5 by a...@chromium.org, Nov 1 2017

Even better, active user gestures are tracked per render process, so pages ① and ② share them.
Blockedon: 769796
Cc: mustaq@chromium.org
Labels: UserActivation
An alternate fix would be to exclude mousedown from being a user gesture.  It's technically not-very-hard to fix, but we need to assess the perspective of Edge (& Safari) first.  Currently FF is the only browser to exclude mousedown.

Remove the blocker Issue 769796 if you prefer a quick solution here.

Comment 7 by a...@chromium.org, Nov 2 2017

Blockedon: -769796
We already have a popunder blocker that triggers based on opener relationships across tabs, and the fix to nail this within that system is simple. That would also fix it even if the popup blocker was turned off, which removing mousedown as a gesture would not do.

I support your change to mousedown as a user gesture, but don't want to block this on your work there.
Makes sense, thanks.

Project Member

Comment 9 by bugdroid1@chromium.org, Nov 3 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/abbb9841b5358a5c2e8be0454f573a8e79d78d51

commit abbb9841b5358a5c2e8be0454f573a8e79d78d51
Author: Avi Drissman <avi@chromium.org>
Date: Fri Nov 03 04:36:49 2017

Increase the paranoia of the PopunderPreventer.

If there are *any* common WebContents in the shared
opener history of the popup and the alerter,
consider it a popunder attempt.

BUG= 780250 

Change-Id: I4b95153e24d2d5649792097340ae1b5ee3df6917
Reviewed-on: https://chromium-review.googlesource.com/749735
Reviewed-by: Charlie Harrison <csharrison@chromium.org>
Commit-Queue: Avi Drissman <avi@chromium.org>
Cr-Commit-Position: refs/heads/master@{#513681}
[modify] https://crrev.com/abbb9841b5358a5c2e8be0454f573a8e79d78d51/chrome/browser/ui/blocked_content/popunder_preventer.cc
[modify] https://crrev.com/abbb9841b5358a5c2e8be0454f573a8e79d78d51/chrome/browser/ui/blocked_content/popup_blocker_browsertest.cc
[add] https://crrev.com/abbb9841b5358a5c2e8be0454f573a8e79d78d51/chrome/test/data/popup_blocker/popup-window-spawner-open.html

Comment 10 by a...@chromium.org, Nov 3 2017

Status: Fixed (was: Assigned)

Sign in to add a comment