Popup Blocker Bypass - Possible to open new tabs without user action using JS.
Reported by helloe...@gmail.com, Jan 20 2018
Issue description
Chrome Version (from "Settings > About Google Chrome"): 63.0.3239.73
iOS Version: 11.2.2
Device Type: iPhones
Description: Using (googlechrome://url) scheme with location.href in JS results in opening new tabs with specified url. Possible to DoS Chrome and crash it completely.
Steps to reproduce:
(1) Open Chrome
(2) Enter url to load popitup.html (file attached)
Expected result:
Should load only one tab with popitup.html (the url) in it.
Actual result:
popitup.html triggers an arbitrary number of new tabs to open with specified urls. No popup warnings will be shown.
Number of times you were able to reproduce: 5/5
Bug reproducible after clean install: Yes
Bug reproducible after clearing cache and cookies: Yes
Bug reproducible on Chrome Mobile on Android: No (even with Android-specific Chrome custom url scheme).
Bug reproducible on Dolphin/Safari/Firefox: NA
Bug reproducible on current stable build (App Version, iOS Version): Yes
Bug reproducible on the current beta channel build (App Version, iOS Version): NA
Type-bug-regression? No
Link to Video : https://drive.google.com/open?id=1IuGsFvFDpboCvApIZKiok2AInUB5dCVW
Jan 22 2018
Here is a temporary jsbin testpage. https://output.jsbin.com/pomewegece I can repro it, popup blocker is not blocking these URLs. But iOS is showing a prompt "This website is repeatedly trying to open another application" Block/Allow. Let me know if you need more info.
Jan 22 2018
Similar reported issue from the past: http://crbug/327219
Jan 22 2018
Was this reproducible on Safari/Firefox? I see NA there; does that mean it wasn't tested, or it was tested and not reproduced?
Jan 22 2018
Not sure what the Firefox/Safari intent URLs are. Do you know how to launch Safari/Firefox using the intent URLs?
Jan 22 2018
The suggested behavior here (what Firefox does) is to open URLs with the googlechrome:// scheme in a new tab if there is a user gesture; if there is not one, we should treat this as a popup URL, not an external application, and block it.
Jan 26 2018
Aug 3
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/f5eb6a74e7e3e9483044c1f35b45c01c8cd566ec
commit f5eb6a74e7e3e9483044c1f35b45c01c8cd566ec
Author: mrefaat <mrefaat@chromium.org>
Date: Fri Aug 03 03:39:54 2018
Prompt users for app launching if there is no direct link transition.
The current behavior is that apps can launch without user gestures. This is a source of abusive experience for users.
Bug: 850760, 804054
Cq-Include-Trybots: luci.chromium.try:android_optional_gpu_tests_rel;luci.chromium.try:ios-simulator-full-configs;luci.chromium.try:linux_optional_gpu_tests_rel;luci.chromium.try:mac_optional_gpu_tests_rel;luci.chromium.try:win_optional_gpu_tests_rel;master.tryserver.chromium.mac:ios-simulator-cronet
Change-Id: If47224bf27018a4b9d5a1cdbc39891849de05eb4
Reviewed-on: https://chromium-review.googlesource.com/1152692
Commit-Queue: Mohammad Refaat <mrefaat@chromium.org>
Reviewed-by: Peter Lee <pkl@chromium.org>
Cr-Commit-Position: refs/heads/master@{#580443}
[modify] https://crrev.com/f5eb6a74e7e3e9483044c1f35b45c01c8cd566ec/ios/chrome/browser/app_launcher/app_launcher_tab_helper.h
[modify] https://crrev.com/f5eb6a74e7e3e9483044c1f35b45c01c8cd566ec/ios/chrome/browser/app_launcher/app_launcher_tab_helper.mm
[modify] https://crrev.com/f5eb6a74e7e3e9483044c1f35b45c01c8cd566ec/ios/chrome/browser/app_launcher/app_launcher_tab_helper_delegate.h
[modify] https://crrev.com/f5eb6a74e7e3e9483044c1f35b45c01c8cd566ec/ios/chrome/browser/app_launcher/app_launcher_tab_helper_unittest.mm
[modify] https://crrev.com/f5eb6a74e7e3e9483044c1f35b45c01c8cd566ec/ios/chrome/browser/ui/app_launcher/app_launcher_coordinator.mm
[modify] https://crrev.com/f5eb6a74e7e3e9483044c1f35b45c01c8cd566ec/ios/chrome/browser/ui/app_launcher/app_launcher_coordinator_unittest.mm
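The behavior suggested in the Jan 22 comment and the rule stated in the commit message above, modelled as one decision function. This is an added example, not Chromium's implementation: the class, field names and decision labels are assumptions, `otherapp://` is a made-up scheme, and the sample navigations are constructed.

```javascript
// Added illustration, not Chromium code. Class, field and decision names are hypothetical.
const WEB_SCHEMES = new Set(['http:', 'https:']);

class AppLaunchPolicy {
  constructor(ownScheme = 'googlechrome:') {
    this.ownScheme = ownScheme;       // custom scheme that opens a tab in this browser
    this.blockedSources = new Set();  // origins the user answered "Block" for
  }

  // nav: { target, sourceOrigin, userGesture, linkTransition }
  decide(nav) {
    let scheme;
    try {
      scheme = new URL(nav.target).protocol;
    } catch (e) {
      return 'block';                 // unparseable target: fail closed
    }
    if (WEB_SCHEMES.has(scheme)) return 'navigate';   // ordinary in-tab navigation
    if (this.blockedSources.has(nav.sourceOrigin)) return 'block';
    if (scheme === this.ownScheme) {
      // Opens a new browser tab, so treat it like a popup: gesture required.
      return nav.userGesture ? 'open-tab' : 'block-popup';
    }
    // Any other external app: launch silently only for a direct link transition.
    return nav.linkTransition ? 'launch-app' : 'prompt';
  }

  // Remember a "Block" answer so repeated attempts from that origin stop prompting.
  recordPromptAnswer(sourceOrigin, allowed) {
    if (!allowed) this.blockedSources.add(sourceOrigin);
  }
}

// Constructed sample navigations (not taken from the report's attachment).
const SAMPLE = [
  { target: 'googlechrome://example.test', sourceOrigin: 'https://a.example', userGesture: false, linkTransition: false },
  { target: 'googlechrome://example.test', sourceOrigin: 'https://a.example', userGesture: true, linkTransition: true },
  { target: 'otherapp://open', sourceOrigin: 'https://b.example', userGesture: false, linkTransition: false },
  { target: 'otherapp://open', sourceOrigin: 'https://b.example', userGesture: true, linkTransition: true },
];

function evaluateSample() {
  const policy = new AppLaunchPolicy();
  return SAMPLE.map((nav) => policy.decide(nav));
}
console.log(evaluateSample());
```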
Oct 26
Oct 26
Comment 1 by pkl@chromium.org, Jan 22 2018
Labels: Needs-Feedback Type-Bug