
Issue 797858 link

Starred by 5 users

Issue metadata

Status: WontFix
Owner:
OOO until 4th Feb
Closed: Jan 2018
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: ----
Type: Bug
Team-Security-UX




Security: Blocked URLs can send notification.

Reported by omidthek...@gmail.com, Dec 28 2017

Issue description

VULNERABILITY DETAILS
Notifications can still be received if a website is in both the Allowed and Blocked lists. The Blocked list should have priority over Allowed, or there should be some checking to make sure that a blocked website cannot be added to Allowed (or vice versa).

VERSION
Chrome Version: 63.0.3239.108 + Official
Operating System: Windows 10 Enterprise

REPRODUCTION CASE
Add a URL to the Allowed section of Notifications and after that add it to the Blocked section of Notifications.
Notifications will still be received by Chrome, while the URL is blocked.

Attachment: notification.jpg (71.1 KB)
Components: UI>Browser>Permissions
Labels: -Type-Bug-Security -Restrict-View-SecurityTeam Type-Bug
Reclassifying as a functional issue.
Labels: Needs-Feedback
From the attached screenshot it's not clear which URLs you mean; the arrows point to two different hosts.

There are also no duplicate URLs in your list.
My bad, I just realized I am pointing to the wrong URLs. Please refer to the second URL on the allowed list and the last URL in the blocked list (myfave.com).
The only difference in the two URLs is the leading www, which in my opinion should be added to the checks.
Project Member

Comment 4 by sheriffbot@chromium.org, Jan 2 2018

Cc: jochen@chromium.org
Labels: -Needs-Feedback
Thank you for providing more feedback. Adding requester "jochen@chromium.org" to the cc list and removing "Needs-Feedback" label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
> The only difference in two URL is the leading www, which in my opinion should be added to the checkings.

Can you elaborate on what exactly you mean? If you want a rule for "https://myfave.com" to apply to "https://www.myfave.com", the rule needs to be "https://[*.]myfave.com".
Yes, I understand that I can just use a regex to cover that. However, the solution is not obvious for the average user.
In my opinion this is an exploit that websites can use to trick the average user into making a mistake.

A good solution would be giving the user the option to block all notifications from a website when the allow/block pop-up is shown.
We should probably wait for somebody from the permissions team to chime in. However, in the past the permission bubbles would create patterns, and this was changed a while ago to create exact-matching content settings, so I suspect this issue is WontFix.

Also note that while the UI now makes it look like there are two lists, it's only one list, and the best matching rule will apply.
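To make the two points in the comment above concrete (an exact-origin rule matches only that origin, a `[*.]` pattern covers subdomains, and when several rules in the single list match, the best match wins), here is an added, simplified model of a content-settings lookup. It is not Chromium's code: the `Rule` class, the specificity ordering (exact pattern beats wildcard, then longer host wins), the omission of ports, and the sample rules are all assumptions made for illustration; Chromium's real precedence logic is more involved.

```python
"""Simplified model of an origin-scoped content-settings list (illustration only,
not Chromium's implementation). Assumptions: one ordered list of rules; a pattern is
either an exact origin ("https://myfave.com") or a subdomain wildcard
("https://[*.]myfave.com"); ports are ignored; the most specific matching rule wins."""
from dataclasses import dataclass
from urllib.parse import urlsplit

WILDCARD = "[*.]"


@dataclass(frozen=True)
class Rule:
    pattern: str   # e.g. "https://myfave.com" or "https://[*.]myfave.com"
    setting: str   # "allow" or "block"


def _split_pattern(pattern):
    """Return (scheme, host, is_wildcard) for a pattern or a plain origin."""
    scheme, _, host = pattern.partition("://")
    wildcard = host.startswith(WILDCARD)
    if wildcard:
        host = host[len(WILDCARD):]
    return scheme.lower(), host.lower(), wildcard


def origin_of(url):
    """Reduce a URL to its scheme://host origin (port intentionally dropped here)."""
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.hostname}"


def pattern_matches(pattern, origin):
    """Exact patterns match only the identical origin; wildcard patterns also
    match any subdomain of their host. www.x.com and x.com are distinct origins."""
    p_scheme, p_host, wildcard = _split_pattern(pattern)
    o_scheme, o_host, _ = _split_pattern(origin)
    if p_scheme != o_scheme:
        return False
    if o_host == p_host:
        return True
    return wildcard and o_host.endswith("." + p_host)


def specificity(pattern):
    """Ordering assumed for 'best match': exact beats wildcard, longer host beats shorter."""
    _, host, wildcard = _split_pattern(pattern)
    return (0 if wildcard else 1, len(host))


def effective_setting(rules, url, default="ask"):
    """Consult the single rule list and return the setting of the best-matching rule."""
    origin = origin_of(url)
    matches = [r for r in rules if pattern_matches(r.pattern, origin)]
    if not matches:
        return default
    return max(matches, key=lambda r: specificity(r.pattern)).setting


if __name__ == "__main__":
    # Constructed sample rules mirroring the report: www.myfave.com allowed, myfave.com blocked.
    reported = [Rule("https://www.myfave.com", "allow"), Rule("https://myfave.com", "block")]
    print("www.myfave.com ->", effective_setting(reported, "https://www.myfave.com/push"))  # allow
    print("myfave.com     ->", effective_setting(reported, "https://myfave.com/push"))      # block
    # A wildcard block covers both hosts, but an existing exact allow still outranks it.
    wildcard_block = [Rule("https://[*.]myfave.com", "block")]
    print("wildcard only  ->", effective_setting(wildcard_block, "https://www.myfave.com/"))  # block
    print("allow + wild   ->", effective_setting(reported + wildcard_block, "https://www.myfave.com/"))  # allow
```

The last two lines of the demo show why the reporter's mental model of two lists is misleading: adding a wildcard block entry is not enough if an exact allow entry for the www origin is still present, because under best-match precedence the exact entry wins; the allow entry has to be removed (or the www origin blocked explicitly).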
Components: Internals>Permissions>Model
Owner: raymes@chromium.org
Status: Assigned (was: Unconfirmed)
Raymes, could you take a look and see if there's anything you think we should do here? Thanks!
Cc: dominickn@chromium.org emilyschechter@chromium.org benwells@chromium.org owe...@chromium.org
Status: WontFix (was: Assigned)
Permissions are intentionally origin scoped, so this is expected since www.x.com and x.com are different origins. It's not ideal, and somewhat confusing that things like www. and m. subdomains are treated as separate origins since in most cases these are conceptually the same as the unprefixed origin. But we can't guarantee that.

There's room for exploration/experimentation here and we're thinking through a lot of these issues (+cc dominickn owencm emilyschechter benwells). But for now I'm closing as WontFix.
Just as a suggestion, a good solution would be giving the user the option to block all notifications from the website, or to be able to modify the blocking rule, when the allow/block pop-up is shown.
