
Issue 780897

Starred by 5 users

Issue metadata

Status: WontFix
Owner:
Buried. Ping if important.
Closed: Nov 2017
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: 3
Type: Bug



Hotlists containing this issue:
EnamelAndFriendsFixIt



xss on the browser google chrome

Reported by vers...@gmail.com, Nov 2 2017

Issue description

Hi, I am li0n hrB from KSA and I found a vuln in the browser Google Chrome.
1. Search Google Images.
2. Open an image in a new tab.
3. If the image URL starts with data:text/html,
remove the URL and write this payload:
data:text/html,<script>function y(){x=open('parent-tab://google.com','_top'),x.document.body.innerHTML='};setTimeout(y,100)</script> <script> function Pew(){var doc=open('parent-tab://apple.com');doc.document.body.innerHTML=;}</script><button onclick=Pew();>'"><img src=x onerror=alert(document.domain)></button>

Good luck.

Attachment: xss.png (160 KB)

Comment 1 by ajha@chromium.org, Nov 3 2017

Cc: ajha@chromium.org
Components: Blink>SecurityFeature
Labels: Needs-Milestone TE-NeedsTriageHelp
Adding proper component for the respective team for help in further triaging.

Note: Upon opening any image from Google image results, the image opens over https; entering the above payload on the opened image page redirects to the above URL and opens the dialog. Screenshots attached.

Attachments: 780897.png (1.1 MB), 780897_1.png (45.6 KB)

Comment 2 by mkwst@chromium.org, Nov 6 2017

Owner: mkwst@chromium.org
Hi!

Honestly, I don't understand the exploit you're trying to demonstrate. Does the `parent-tab:` scheme have special behavior in Chrome? That would be surprising.

It looks like you're able to navigate to a `data:` URL, and ask that document to alert its `document.domain`, which is the empty string due to `data:` being an opaque origin. That seems like the expected behavior?

Can you help me understand the bug?
Labels: Needs-Feedback
Status: Assigned (was: Unconfirmed)
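To make the origin point concrete, here is an added Node.js check (not code from the thread or from Chromium) of what origin the URLs in the report actually get under the WHATWG URL parser: the `data:` payload and the made-up `parent-tab:` scheme both serialize to the opaque origin "null", which is why `document.domain` in such a document is empty and why `parent-tab:` needs no special handling. The sample URLs below are constructed to mirror the ones in the report.

```javascript
// Added example: classify URLs by origin using the built-in WHATWG URL API
// (global `URL` in Node >= 10). Nothing here touches a DOM; it only shows
// which of the report's URLs get an opaque origin.

// Returns the serialized origin of a URL string, or null if it does not parse.
function originOf(urlString) {
  try {
    return new URL(urlString).origin;
  } catch (e) {
    return null; // unparseable input, e.g. "not a url"
  }
}

// An opaque origin serializes as the literal string "null". A document with an
// opaque origin (data: URLs, unknown schemes such as parent-tab:) reports an
// empty document.domain, which is exactly what alert(document.domain) showed.
function hasOpaqueOrigin(urlString) {
  return originOf(urlString) === "null";
}

// Constructed inputs mirroring the thread: the data: document, the invented
// parent-tab: scheme, and a normal https page for contrast.
const samples = [
  "data:text/html,<script>alert(document.domain)</script>",
  "parent-tab://google.com",
  "https://www.google.com/imgres?q=x",
];

for (const s of samples) {
  console.log(`${s.slice(0, 40).padEnd(40)} origin=${originOf(s)} opaque=${hasOpaqueOrigin(s)}`);
}
```

Only the https URL yields a real origin; script in either opaque-origin document can read nothing from google.com, so the alert proves no cross-origin access.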

Comment 4 by vers...@gmail.com, Nov 6 2017

1. [image: Inline image 1]
2. Open image in new tab
[image: Inline image 2]
3. Remove URL
[image: Inline image 3]

Comment 5 Deleted

Comment 6 by vers...@gmail.com, Nov 6 2017

data:text/html,<script>function
y(){x=open('parent-tab://google.com','_top'),x.document.body.innerHTML='<img/src=""onerror="alert(document.cookie)">'};setTimeout(y,100)</script>
<script> function Pew(){var
doc=open('parent-tab://apple.com');doc.document.body.innerHTML=';}</script><button
onclick=Pew();>pwd<img src=x onerror=alert(document.domain)></button>

On 6 November 2017 at 10:21 PM, سعد طلق <versx39@gmail.com> wrote:

Comment 7 by est...@chromium.org, Nov 10 2017

Labels: Hotlist-EnamelAndFriendsFixIt
Status: WontFix (was: Assigned)
What I see here is basically the same issue as: https://chromium.googlesource.com/chromium/src/+/master/docs/security/faq.md#Does-entering-JavaScript_URLs-in-the-URL-bar-or-running-script-in-the-developer-tools-mean-there_s-an-XSS-vulnerability. A user running script via the omnibox or the developer tools is not a vulnerability in Chrome.

Instead of running the script via a JavaScript URL, however, this issue shows running the script by loading an HTML document contained in a data URL. An HTML document loaded from a data URL is allowed to execute script, and does so as reflected in your screenshot.

This does not represent a security vulnerability in Chrome.

Issue 789915 has been merged into this issue.

Comment 10 Deleted

Issue 839864 has been merged into this issue.
