Better said, this appears to be a flaw that allows for specific CSS code to exploit the URL in iOS Chrome. This issue does not occur in Safari.

Interesting. The Omnibox appears to be in a corrupt state whereby the security status doesn't match the displayed URL (e.g. no lock icon).

Any update on this?

Steps to reproduce:
1. Open a new Chrome tab
2. Navigate to a web page
3. Click on any link 
4. Navigate to Facebook
5. Click on a comment so that it causes a pop-up of the feed item with comments (see attached video)
6. Click the time on the top of the iOS screen UI
7. Chrome scrolls to the top of the screen, and the Omnibox corrupts, causes the URL display the same m.facebook.com hostname but the browser actually goes back to the first page in your history
8. Per my sample video, this could be a malicious login page that captures user data.

Deleted: clip.mp4 5.4 MB

	clip.mp4 5.4 MB View Download

eugenebut: Can you help route this?

There are 2 problems:
1.) Chrome goes one extra entry back (will be tracked in crbug.com/797969)
2.) URL is spoofed (will be tracked here)

Danyao, Kurt, crrev.com/c/846020 fixes the bug, and because this is URL spoofing issue I did not explain the root cause in CL description.

The bug happened because URLDidChangeWithoutDocumentChange: was mistakenly called and broke CRWSessionController state. Updating _documentURL right after same document navigations ensures that URLDidChangeWithoutDocumentChange: is not called.

This bug does not exist with WK-based navigation manager.

I'm not fully following the fix... Given that we can't put details in the CL, would you consider documenting the root cause in this bug?

The part that puzzles me is that URLDidChangeWithoutDocumentChange: doesn't interact with CRWSessionController. So I didn't understand how it corrupts CRWSessionController state.

It seems to me that the root cause may be a race condition between push/popState and back-forward navigation using history API. It seems that the comment UI may be implemented using a pushState, and touching the status bar scrolls up and performs a back navigation to dismiss the comment UI. Maybe goBack happened before pushState is completely finished. This may also explain why Chrome goes one extra entry back because the pushState history entry has not been built yet.

URLDidChangeWithoutDocumentChange: calls registerLoadRequestForURL:, which interacts with session controller, that's where navigation state gets corrupted.

LegacyNavigationManagerImpl::FinishGoToIndex changes SessionController's LastCommittedURL for same document navigation, but leaves WebController's _documentURL unchanged. _documentURL should never be out of sync with LastCommittedURL, so the fix puts these 2 URLs in sync. Please note that corruption happens after LegacyNavigationManagerImpl::FinishGoToIndex.

Generally we should remove _documentURL at all, but that's a separate issue, which will be easier to fix after moving to WK-based navigation manager.

Thanks Eugene. I missed the pending URL update in reigsterLoadRequestForURL:. Fix LGTM.

The fix LGTM, thanks for the detailed explanation in this bug.

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/601d03f44018fafd845334e1cec17cd01122d164

commit 601d03f44018fafd845334e1cec17cd01122d164
Author: Eugene But <eugenebut@google.com>
Date: Thu Jan 04 20:23:34 2018

Updated _documentURL for same-document navigations.

_documentURL is not needed for WK-based navigation manager
so there is not much value in adding unit tests for this
new code.

Bug:  796777 
Cq-Include-Trybots: master.tryserver.chromium.mac:ios-simulator-cronet;master.tryserver.chromium.mac:ios-simulator-full-configs
Change-Id: Ib4635f6d6d20934ea3fb07793d460ac3c1a786e0
Reviewed-on: https://chromium-review.googlesource.com/846020
Reviewed-by: Kurt Horimoto <kkhorimoto@chromium.org>
Commit-Queue: Eugene But <eugenebut@chromium.org>
Cr-Commit-Position: refs/heads/master@{#527080}
[modify] https://crrev.com/601d03f44018fafd845334e1cec17cd01122d164/ios/web/navigation/legacy_navigation_manager_impl.h
[modify] https://crrev.com/601d03f44018fafd845334e1cec17cd01122d164/ios/web/navigation/legacy_navigation_manager_impl.mm
[modify] https://crrev.com/601d03f44018fafd845334e1cec17cd01122d164/ios/web/navigation/navigation_manager_delegate.h
[modify] https://crrev.com/601d03f44018fafd845334e1cec17cd01122d164/ios/web/navigation/navigation_manager_impl.h
[modify] https://crrev.com/601d03f44018fafd845334e1cec17cd01122d164/ios/web/navigation/navigation_manager_impl.mm
[modify] https://crrev.com/601d03f44018fafd845334e1cec17cd01122d164/ios/web/navigation/navigation_manager_impl_unittest.mm
[modify] https://crrev.com/601d03f44018fafd845334e1cec17cd01122d164/ios/web/navigation/wk_based_navigation_manager_impl.h
[modify] https://crrev.com/601d03f44018fafd845334e1cec17cd01122d164/ios/web/navigation/wk_based_navigation_manager_impl.mm
[modify] https://crrev.com/601d03f44018fafd845334e1cec17cd01122d164/ios/web/navigation/wk_based_navigation_manager_impl_unittest.mm
[modify] https://crrev.com/601d03f44018fafd845334e1cec17cd01122d164/ios/web/test/fakes/fake_navigation_manager_delegate.h
[modify] https://crrev.com/601d03f44018fafd845334e1cec17cd01122d164/ios/web/test/fakes/fake_navigation_manager_delegate.mm
[modify] https://crrev.com/601d03f44018fafd845334e1cec17cd01122d164/ios/web/web_state/navigation_and_load_callbacks_inttest.mm
[modify] https://crrev.com/601d03f44018fafd845334e1cec17cd01122d164/ios/web/web_state/ui/crw_web_controller.h
[modify] https://crrev.com/601d03f44018fafd845334e1cec17cd01122d164/ios/web/web_state/ui/crw_web_controller.mm
[modify] https://crrev.com/601d03f44018fafd845334e1cec17cd01122d164/ios/web/web_state/web_state_impl.h
[modify] https://crrev.com/601d03f44018fafd845334e1cec17cd01122d164/ios/web/web_state/web_state_impl.mm

Is this issue eligible for the Chrome Rewards Program?  I understand there is a Reward Panel that meets every week but I haven't received any notifications and I'd like to know if this is being considered. 

This bug requires manual review: Less than 15 days to go before AppStore submit on M64
Please contact the milestone owner if you have questions.
Owners: cmasso@(Android), cmasso@(iOS), kbleicher@(ChromeOS), abdulsyed@(Desktop)

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Please confirm the fix has been verified in canary

Srikanth, Please retest with Canary.

Tapping on the status bar redirects to the NTP, or another webpage if the Back History menu has more entries. Omnibox correctly reflects the URL and webpage contents.

Verified in M65.0.3315.0 Canary
Device: iPhoneX, iOS: 11.2.5

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/c19ad7352c4c53ecbf8e0ee1d03894be0803fef0

commit c19ad7352c4c53ecbf8e0ee1d03894be0803fef0
Author: Eugene But <eugenebut@google.com>
Date: Mon Jan 08 18:04:36 2018

Updated _documentURL for same-document navigations.

_documentURL is not needed for WK-based navigation manager
so there is not much value in adding unit tests for this
new code.

TBR=eugenebut@google.com

(cherry picked from commit 601d03f44018fafd845334e1cec17cd01122d164)

Bug:  796777 
Cq-Include-Trybots: master.tryserver.chromium.mac:ios-simulator-cronet;master.tryserver.chromium.mac:ios-simulator-full-configs
Change-Id: Ib4635f6d6d20934ea3fb07793d460ac3c1a786e0
Reviewed-on: https://chromium-review.googlesource.com/846020
Reviewed-by: Kurt Horimoto <kkhorimoto@chromium.org>
Commit-Queue: Eugene But <eugenebut@chromium.org>
Cr-Original-Commit-Position: refs/heads/master@{#527080}
Reviewed-on: https://chromium-review.googlesource.com/854398
Reviewed-by: Eugene But <eugenebut@chromium.org>
Cr-Commit-Position: refs/branch-heads/3282@{#445}
Cr-Branched-From: 5fdc0fab22ce7efd32532ee989b223fa12f8171e-refs/heads/master@{#520840}
[modify] https://crrev.com/c19ad7352c4c53ecbf8e0ee1d03894be0803fef0/ios/web/navigation/legacy_navigation_manager_impl.h
[modify] https://crrev.com/c19ad7352c4c53ecbf8e0ee1d03894be0803fef0/ios/web/navigation/legacy_navigation_manager_impl.mm
[modify] https://crrev.com/c19ad7352c4c53ecbf8e0ee1d03894be0803fef0/ios/web/navigation/navigation_manager_delegate.h
[modify] https://crrev.com/c19ad7352c4c53ecbf8e0ee1d03894be0803fef0/ios/web/navigation/navigation_manager_impl.h
[modify] https://crrev.com/c19ad7352c4c53ecbf8e0ee1d03894be0803fef0/ios/web/navigation/navigation_manager_impl.mm
[modify] https://crrev.com/c19ad7352c4c53ecbf8e0ee1d03894be0803fef0/ios/web/navigation/navigation_manager_impl_unittest.mm
[modify] https://crrev.com/c19ad7352c4c53ecbf8e0ee1d03894be0803fef0/ios/web/navigation/wk_based_navigation_manager_impl.h
[modify] https://crrev.com/c19ad7352c4c53ecbf8e0ee1d03894be0803fef0/ios/web/navigation/wk_based_navigation_manager_impl.mm
[modify] https://crrev.com/c19ad7352c4c53ecbf8e0ee1d03894be0803fef0/ios/web/navigation/wk_based_navigation_manager_impl_unittest.mm
[modify] https://crrev.com/c19ad7352c4c53ecbf8e0ee1d03894be0803fef0/ios/web/test/fakes/fake_navigation_manager_delegate.h
[modify] https://crrev.com/c19ad7352c4c53ecbf8e0ee1d03894be0803fef0/ios/web/test/fakes/fake_navigation_manager_delegate.mm
[modify] https://crrev.com/c19ad7352c4c53ecbf8e0ee1d03894be0803fef0/ios/web/web_state/navigation_and_load_callbacks_inttest.mm
[modify] https://crrev.com/c19ad7352c4c53ecbf8e0ee1d03894be0803fef0/ios/web/web_state/ui/crw_web_controller.h
[modify] https://crrev.com/c19ad7352c4c53ecbf8e0ee1d03894be0803fef0/ios/web/web_state/ui/crw_web_controller.mm
[modify] https://crrev.com/c19ad7352c4c53ecbf8e0ee1d03894be0803fef0/ios/web/web_state/web_state_impl.h
[modify] https://crrev.com/c19ad7352c4c53ecbf8e0ee1d03894be0803fef0/ios/web/web_state/web_state_impl.mm

*** Boilerplate reminders! ***
Please do NOT publicly disclose details until a fix has been released to all our users. Early public disclosure may cancel the provisional reward. Also, please be considerate about disclosure when the bug affects a core library that may be used by other products. Please do NOT share this information with third parties who are not directly involved in fixing the bug. Doing so may cancel the provisional reward. Please be honest if you have already disclosed anything publicly or to third parties. Lastly, we understand that some of you are not interested in money. We offer the option to donate your reward to an eligible charity. If you prefer this option, let us know and we will also match your donation - subject to our discretion. Any rewards that are unclaimed after 12 months will be donated to a charity of our choosing.
*********************************

Thanks! The VRP Panel decided to reward $500 for this report, due to the amount of user interaction required. A member of our finance team will be in touch to arrange payment. Also, how would you like to be credited in our release notes?

That's great, thank you! I'm glad this will be resolved in the upcoming release.  To answer your question on credit, you may use my name, Frank Goytisolo.  If you need anything else, please let me know.

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot