
Issue 788545

Starred by 2 users

Issue metadata

Status: Duplicate
Merged: issue 81697
Owner: ----
Closed: Nov 2017
Components:
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: ----
Type: Bug-Security

Security: Possible to append javascript before https - Resulting in XSS on all websites

Reported by swapnil...@gmail.com, Nov 26 2017

Issue description

VULNERABILITY DETAILS
It is possible to append javascript before https, thus it results in XSS on all websites.
javascripT://https://www.google.co.in

Complete URL causing XSS: JavascripT://https://www.google.co.in%0aalert(document.domain);//https://www.google.co.in

VERSION
Chrome Version: 62.0.3202.94
Operating System: Windows 8.1, 64-bit

REPRODUCTION CASE
1. Visit https://www.google.com
2. Append javascripT:// before https://, so our URL becomes JavascripT://https://www.google.co.in
3. Add the payload %0aalert(document.domain);//https://www.google.co.in after the domain name.

So now our final URL will be:
JavascripT://https://www.google.co.in%0aalert(document.domain);//https://www.google.co.in

Suggested Fix:
The validator should check that the URL string strictly starts with http[s]://.


Attachment: domain.JPG (81.4 KB)
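As an added example (not code from the report or from Chromium), the kind of strict scheme check the suggested fix describes, written for an application that accepts user-supplied URLs: it reads the scheme the way a browser's URL parser does (case-folded, leading controls and spaces stripped, tab and newline removed) and allows only http and https, so the reported URL is rejected because its parsed scheme is javascript, no matter what follows the first colon. It goes beyond the report in also showing why a substring match for "https://" is not a substitute. The function names and every sample input other than the reported URL are constructed for this example.

```python
"""Scheme allowlist for user-supplied URLs (added example, not Chromium code)."""
from urllib.parse import urlsplit

ALLOWED_SCHEMES = frozenset({"http", "https"})

# A browser's URL parser strips leading/trailing C0 controls and spaces, and
# removes ASCII tab/newline anywhere in the input, before it reads the scheme.
# Normalise the same way so the validator sees the scheme the browser will use.
_C0_AND_SPACE = "".join(chr(c) for c in range(0x21))
_TAB_NEWLINE = str.maketrans("", "", "\t\n\r")


def effective_scheme(raw: str) -> str:
    """Return the lowercase scheme a browser would resolve for `raw`, or '' if none."""
    candidate = raw.strip(_C0_AND_SPACE).translate(_TAB_NEWLINE)
    return urlsplit(candidate).scheme.lower()


def is_allowed_url(raw: str) -> bool:
    """Strict check: only absolute http/https URLs pass.

    Scheme-relative and relative URLs (no scheme) and every other scheme
    (javascript, data, vbscript, ...) are rejected.
    """
    return effective_scheme(raw) in ALLOWED_SCHEMES


def naive_contains_https(raw: str) -> bool:
    """A substring check that looks plausible but is wrong: it accepts the
    reported URL because 'https://' appears after 'javascript://', where the
    browser treats it as a JavaScript line comment, not as a scheme."""
    return "https://" in raw.lower()


if __name__ == "__main__":
    # The URL from the report, plus constructed inputs for comparison.
    reported = ("JavascripT://https://www.google.co.in%0aalert(document.domain);"
                "//https://www.google.co.in")
    samples = [
        reported,
        "https://www.google.co.in",
        "HTTP://example.test/path",        # constructed: upper-case scheme
        "\n  https://example.test",        # constructed: leading whitespace
        "//example.test/x",                # constructed: scheme-relative
        "data:text/html,hello",            # constructed: non-http scheme
    ]
    for url in samples:
        print(f"{effective_scheme(url) or '(none)':12} "
              f"strict={is_allowed_url(url)!s:5} "
              f"naive={naive_contains_https(url)!s:5} {url[:40]!r}")
```

Note the triage outcome in the comments below: a javascript: URL that the end user must type into the omnibox is working as intended. The check above matters where an application stores or emits user-supplied links (href values, redirect targets), which is where a non-http scheme becomes an injection point.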
Components: UI>Browser>Omnibox
Labels: Needs-Feedback
How specifically do you "append javascripT: before https?" 

If this issue requires that the end-user manually type that string, then Chrome is Working-As-Intended.

https://chromium.googlesource.com/chromium/src/+/master/docs/security/faq.md#Does-entering-JavaScript_URLs-in-the-URL-bar-or-running-script-in-the-developer-tools-mean-there_s-an-XSS-vulnerability

I think swapnil755@ means typing the "javascript://" into the address bar. (BTW, copying/pasting won't work as a mitigation used by Chrome.)

swapnil755, could you confirm?

Status: WontFix (was: Unconfirmed)
Closing as "Working as Intended" per #2 and #3. If you can get the "JavaScript:" string in the omnibox via some mechanism other than typing it, please leave a comment here.

Mergedinto: 81697
Status: Duplicate (was: WontFix)

Comment 6 by sheriffbot@chromium.org (Project Member), Mar 7 2018

Labels: -Restrict-View-SecurityTeam allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot