Popunder restriction bypass with PDF confirm dialog
Reported by
masatoki...@gmail.com,
Oct 31 2017
|
||||
Issue descriptionUserAgent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3254.0 Safari/537.36 Steps to reproduce the problem: 1. Go to https://vulnerabledoma.in/popunder/pdf_confirm.html . 2. Click "Create PopUnder" button. 3. The popunder window is opened. What is the expected behavior? The popunder window should not be opened. What went wrong? The popunder window is opened. Did this work before? N/A Chrome version: 64.0.3254.0 Channel: canary OS Version: 10.0 Flash Version: I confirmed this works on Windows. I couldn't reproduce on Mac.
,
Nov 1 2017
This also uses the "mouseup in a new tab" trick, but we should *also* already be handling this.
,
Nov 1 2017
It is not at all obvious what's going on here, so let me lay it out. The repro is:
button=document.getElementById('button');
button.onmousedown=function(){
w=window.open("about:blank","_blank");
w.addEventListener('mouseup',function(){
window.open("https://example.com/","_blank","resizable=1,menubar=0,status=1"); **𝗹𝗶𝗻𝗲 𝟭**
});
setTimeout(function(){
w.document.write('<iframe src="𝘱𝘥𝘧 𝘴𝘩𝘰𝘸𝘪𝘯𝘨 𝘤𝘰𝘯𝘧𝘪𝘳𝘮 𝘥𝘪𝘢𝘭𝘰𝘨"></iframe>');
},100);
setTimeout(function(){
w.close();
},1500);
The main window ① opens a new tab, window ②. That window watches for a mouseup. However, *it* does not spawn the popup. If you look at the marked "line 1" above, it calls back to window ①, and has *it* spawn the popup, window ③.
At this point both windows ② and ③ have window ① as their owners, which defeats the popunder blocker. The popunder blocker asks if the same window that spawned the popup is doing the activation, which it's not.
,
Nov 1 2017
And this gets around the user gesture requirement. Window ② burns its user gesture to open a popup that is attributed to window ①.
,
Nov 1 2017
Even better, active user gestures are tracked per render process, so pages ① and ② share them.
,
Nov 2 2017
An alternate fix would be to exclude mousedown from being a user gesture. It's technically not-very-hard to fix, but we need to assess the perspective of Edge (& Safari) first. Currently FF is the only browser to exclude mousedown. Remove the blocker Issue 769796 if you prefer a quick solution here.
,
Nov 2 2017
We already have a popunder blocker that triggers based on opener relationships across tabs, and the fix to nail this within that system is simple. That would also fix it even if the popup blocker was turned off, which removing mousedown as a gesture would not do. I support your change to mousedown as a user gesture, but don't want to block this on your work there.
,
Nov 2 2017
Makes sense, thanks.
,
Nov 3 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/abbb9841b5358a5c2e8be0454f573a8e79d78d51 commit abbb9841b5358a5c2e8be0454f573a8e79d78d51 Author: Avi Drissman <avi@chromium.org> Date: Fri Nov 03 04:36:49 2017 Increase the paranoia of the PopunderPreventer. If there are *any* common WebContents in the shared opener history of the popup and the alerter, consider it a popunder attempt. BUG= 780250 Change-Id: I4b95153e24d2d5649792097340ae1b5ee3df6917 Reviewed-on: https://chromium-review.googlesource.com/749735 Reviewed-by: Charlie Harrison <csharrison@chromium.org> Commit-Queue: Avi Drissman <avi@chromium.org> Cr-Commit-Position: refs/heads/master@{#513681} [modify] https://crrev.com/abbb9841b5358a5c2e8be0454f573a8e79d78d51/chrome/browser/ui/blocked_content/popunder_preventer.cc [modify] https://crrev.com/abbb9841b5358a5c2e8be0454f573a8e79d78d51/chrome/browser/ui/blocked_content/popup_blocker_browsertest.cc [add] https://crrev.com/abbb9841b5358a5c2e8be0454f573a8e79d78d51/chrome/test/data/popup_blocker/popup-window-spawner-open.html
,
Nov 3 2017
|
||||
►
Sign in to add a comment |
||||
Comment 1 by a...@chromium.org
, Oct 31 2017Status: Assigned (was: Unconfirmed)