Security: Blocked URLs can send notification.
Reported by omidthek...@gmail.com, Dec 28 2017
Issue description

VULNERABILITY DETAILS
Notifications can still be received if a website is in both the Allowed and Blocked lists. The Blocked list should have priority over Allowed, or some checking should be done to make sure that a blocked website cannot be added to Allowed (or vice versa).

VERSION
Chrome Version: 63.0.3239.108 + Official
Operating System: Windows 10 Enterprise

REPRODUCTION CASE
Add a URL to the Allowed section of Notifications and after that add it to the Blocked section of Notifications. Notifications will still be received by Chrome, while the URL is blocked.
,
Jan 2 2018
From the attached screenshot it's not clear which URLs you mean; the arrows point to two different hosts. There are also no duplicate URLs in your list.
,
Jan 2 2018
My bad, I just realized I am pointing to the wrong URLs. Please refer to the second URL on the allowed list and the last URL in the blocked list (myfave.com). The only difference in the two URLs is the leading www, which in my opinion should be added to the checks.
,
Jan 2 2018
Thank you for providing more feedback. Adding requester "jochen@chromium.org" to the cc list and removing "Needs-Feedback" label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Jan 2 2018
> The only difference in two URL is the leading www, which in my opinion should be added to the checkings.

Can you elaborate on what exactly you mean? If you want a rule for "https://myfave.com" to apply to "https://www.myfave.com" the rule needs to be "https://[*.]myfave.com"
,
Jan 2 2018
Yes, I understand that I can just use a regex to cover that. However, the solution is not obvious for the average user. In my opinion it is an exploit that websites can use to trick the average user into making a mistake. A good solution would be giving the user the option to block all the notifications from a website when the allow/block pop-up is shown.
,
Jan 3 2018
Device running slow
,
Jan 3 2018
We should probably wait for somebody from the permissions team to chime in. However, in the past the permission bubbles would create patterns, and this was changed a while ago to create exact-matching content settings, so I suspect this issue is WontFix. Also note that while the UI now makes it look like there are two lists, it's only one list, and the best matching rule will apply.
,
Jan 3 2018
,
Jan 7 2018
Raymes, could you take a look and see if there's anything you think we should do here? Thanks!
,
Jan 7 2018
Permissions are intentionally origin scoped, so this is expected since www.x.com and x.com are different origins. It's not ideal, and somewhat confusing that things like www. and m. subdomains are treated as separate origins since in most cases these are conceptually the same as the unprefixed origin. But we can't guarantee that. There's room for exploration/experimentation here and we're thinking through a lot of these issues (+cc dominickn owencm emilyschechter benwells). But for now I'm closing as WontFix.
,
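To make the two points above concrete (permissions are keyed on the exact origin, and where several rules match, the most specific one wins), here is a small JavaScript model of origin-scoped content-setting rules. It is an added example written for this page, not Chromium's implementation, and it only handles a subset of Chrome's pattern syntax: `scheme://host[:port]`, with `[*.]` in front of the host to cover subdomains and `*` as a scheme, host or port wildcard. The rule lists are constructed from the scenario in the report (which of the two hosts was on which list is not stated, so the assignment below is an assumption), and the tie-breaking rule (first matching rule wins among equally specific ones) is also an assumption of the model.

```javascript
// Added example (not Chromium code): a toy model of origin-scoped
// notification permission rules with Chrome-style patterns.

// Parse a pattern such as "https://[*.]myfave.com" or "*://*:8443".
// Subset of Chrome's syntax (assumption); paths are not modelled.
function parsePattern(pattern) {
  const m = /^(\*|[a-z]+):\/\/(\[\*\.\])?([^:/]+)(?::(\d+|\*))?\/?\*?$/.exec(pattern);
  if (!m) throw new Error(`unsupported pattern: ${pattern}`);
  return {
    scheme: m[1],
    subdomains: m[2] !== undefined, // "[*.]" prefix present
    host: m[3].toLowerCase(),
    port: m[4] ?? null,             // null: pattern does not constrain the port
  };
}

// Parse a requesting origin such as "https://www.myfave.com".
function parseOrigin(origin) {
  const u = new URL(origin);
  const defaults = { "https:": "443", "http:": "80" };
  return {
    scheme: u.protocol.replace(/:$/, ""),
    host: u.hostname.toLowerCase(),
    port: u.port || (defaults[u.protocol] ?? ""),
  };
}

// Does a parsed pattern match a parsed origin? Note that an exact host
// ("myfave.com") never matches "www.myfave.com": that needs "[*.]myfave.com".
function matches(p, o) {
  const schemeOk = p.scheme === "*" || p.scheme === o.scheme;
  const hostOk =
    p.host === "*" ||
    o.host === p.host ||
    (p.subdomains && o.host.endsWith("." + p.host));
  const portOk = p.port === null || p.port === "*" || p.port === o.port;
  return schemeOk && hostOk && portOk;
}

// Higher score = more specific. Exact host beats a [*.] wildcard, which beats "*".
function specificity(p) {
  let s = 0;
  if (p.scheme !== "*") s += 1;
  if (p.host !== "*") s += p.subdomains ? 2 : 4;
  if (p.port !== null && p.port !== "*") s += 1;
  return s;
}

// One combined rule list (as the comment above notes, Allowed and Blocked are
// one list in the UI). The best matching rule applies; no match means "ask".
// Ties go to the earlier rule (assumption of this model).
function resolve(rules, origin) {
  const o = parseOrigin(origin);
  let best = null;
  for (const r of rules) {
    const p = parsePattern(r.pattern);
    if (!matches(p, o)) continue;
    const s = specificity(p);
    if (best === null || s > best.s) best = { s, setting: r.setting };
  }
  return best ? best.setting : "ask";
}

// Constructed from the report: allow on one origin, block on the other.
const RULES_REPORTED = [
  { pattern: "https://www.myfave.com", setting: "allow" },
  { pattern: "https://myfave.com", setting: "block" },
];

// The rule jochen suggests: one wildcard block covering every subdomain.
const RULES_WILDCARD = [
  { pattern: "https://[*.]myfave.com", setting: "block" },
];

// Both at once: the exact allow is more specific and still wins for www.
const RULES_MIXED = [
  { pattern: "https://www.myfave.com", setting: "allow" },
  { pattern: "https://[*.]myfave.com", setting: "block" },
];

for (const [name, rules] of Object.entries({ RULES_REPORTED, RULES_WILDCARD, RULES_MIXED })) {
  for (const origin of ["https://www.myfave.com", "https://myfave.com", "https://m.myfave.com", "http://myfave.com"]) {
    console.log(`${name.padEnd(14)} ${origin.padEnd(26)} -> ${resolve(rules, origin)}`);
  }
}
```

The first list reproduces the report: the block rule for `https://myfave.com` never matches the `www.` origin, so notifications from `https://www.myfave.com` keep arriving. The second list shows that `https://[*.]myfave.com` blocks the apex host and every subdomain (but not `http://`, which is a different origin). The third list is the edge case behind "the best matching rule will apply": an exact allow for `www.` outranks the subdomain wildcard, so to block `www.` the user has to remove that exact allow rather than only adding a broader block.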
Jan 8 2018
Just as a suggestion, a good solution would be giving the user the option to block all the notifications from the website, or to be able to modify the blocking rule, when the allow/block pop-up is shown.
Comment 1 by elawrence@chromium.org, Dec 28 2017
Labels: -Type-Bug-Security -Restrict-View-SecurityTeam Type-Bug