
Issue 789185 link

Starred by 2 users

Issue metadata

Status: WontFix
Owner: ----
Closed: Nov 2017
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: ----
Type: Bug-Security




Security: External script can control browser functions

Reported by slamb...@gmail.com, Nov 28 2017

Issue description

VULNERABILITY DETAILS
When we deploy Invisible ReCaptcha as spam protection, it disables all "required" attributes, so the form can be sent without HTML validation even though those attributes are still present in the code.

VERSION
Chrome Version: 62.0.3202.94 stable
Operating System: Windows 10 16299.64

REPRODUCTION CASE
https://www.go360world.com/#Contact
 
Labels: Needs-Feedback
I /think/ you're saying that:

1. You have an HTML form
2. On that form you have fields with the HTML5 |required| attribute set
3. Your page includes a SCRIPT from some other origin
4. Code in that SCRIPT is able to remove the |required| attribute from your form fields?

Is that correct?

If so, this is not a security bug. Your web application must not include SCRIPT that contains behavior that you do not want. Including a script in your page via a SCRIPT SRC is an explicit endorsement of the behavior of that script.
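
The point made in this reply, that any script the page loads runs with the page's full DOM access and can drop a client-side `required` attribute, is illustrated by the following added example. It is not code from the bug report, from Chromium or from ReCaptcha; the form fields, the field names and the `REQUIRED_ON_SERVER` rule set are constructed for the example, and the "third-party script" is a stand-in that only does what the reporter described. The defensive takeaway it demonstrates is that `required` is a usability hint, and the server must re-check the same rules independently.

```javascript
// Added example, not from the issue thread. Constructed form data; no real site.
// Shows why client-side `required` is not a control: any script in the page can
// remove it, so the server re-validates on its own.

// Constructed stand-in for the fields as the page author wrote them in HTML.
function buildForm() {
  return [
    { name: "email", attrs: { type: "email", required: true } },
    { name: "message", attrs: { required: true } },
    { name: "newsletter", attrs: { type: "checkbox" } },
  ];
}

// Stand-in for what the reporter observed: a script included via <script src>
// shares the page's DOM and may strip `required` from every field.
function thirdPartyScriptStripsRequired(form) {
  for (const field of form) delete field.attrs.required;
  return form;
}

// Which fields still carry `required` on the client side after other scripts ran.
function clientRequiredFields(form) {
  return form.filter((f) => f.attrs.required).map((f) => f.name);
}

// Server-side rule set, kept independently of the HTML (hypothetical, constructed).
const REQUIRED_ON_SERVER = ["email", "message"];

// Server-side validation of a submitted body (plain object of field -> value).
// Returns { ok, missing } so a request handler can reject with 400 and name the fields.
function validateSubmission(body, required = REQUIRED_ON_SERVER) {
  const missing = required.filter((name) => {
    const v = body[name];
    return v === undefined || v === null || String(v).trim() === "";
  });
  return { ok: missing.length === 0, missing };
}

// Walk through the scenario from the report: attributes stripped, empty submission sent.
function demo() {
  const form = thirdPartyScriptStripsRequired(buildForm());
  // With browser-side validation gone, an effectively empty submission reaches the server.
  const emptySubmission = { email: "", message: "   ", newsletter: "on" };
  return {
    clientRequired: clientRequiredFields(form),         // []
    serverVerdict: validateSubmission(emptySubmission), // { ok: false, missing: ["email", "message"] }
  };
}
```

The server-side rule list is deliberately separate from the markup: if the required set were derived from the rendered HTML, the same script that edits the DOM would also be editing the validation policy.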

Comment 2 by slamb...@gmail.com, Nov 28 2017

Exactly.
So it is a bug in ReCaptcha. But where can I report it?
Status: WontFix (was: Unconfirmed)
Please see https://groups.google.com/forum/#!forum/recaptcha for discussion of the ReCaptcha code, including questions and filing bugs.

Comment 4 by sheriffbot@chromium.org, Mar 7 2018

Labels: -Restrict-View-SecurityTeam allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
