
Issue 804401 link

Starred by 2 users

Issue metadata

Status: WontFix
Owner:
Closed: Jan 2018
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux , Android , Windows , Chrome , Mac
Pri: 2
Type: Bug




Username value revealed to JavaScript on back navigation

Project Member Reported by elawrence@chromium.org, Jan 22 2018

Issue description

Chrome Version: 65.0.3325.0
OS Version: Windows 10.0, Android 8.1

What steps will reproduce the problem?
1. Visit https://bayden.com/test/password/gatekeeper.asp and submit a username/password combination. Elect to store the password.
2. Revisit https://bayden.com/test/password/gatekeeper.asp
3. Observe: Username and Password fill but are not shown in the green bar (which polls the input fields for their value via JavaScript)
4. Click the "Goto example.com" link. Observe: Username and password appear in the green bar before navigation, due to the link click being a user gesture.
5. Click Back.

OBSERVE: Username value remains exposed to JavaScript but Password value does not.

What is the expected result? Neither username nor password value exposed until a user gesture.

Attachment: UsernameLeak.png (12.3 KB)

Comment 3 by ajha@chromium.org, Jan 23 2018

Labels: Needs-Triage-M65
Able to reproduce the issue on the reported Chrome version 65.0.3325.0 and on the latest Chrome version 66.0.3329.0 using Windows 10, Ubuntu 14.04 and Mac 10.12.6. As the issue is seen from M60 (60.0.3072.0), considering it a non-regression and marking it as Untriaged.

Thanks!
Cc: viswatej...@techmahindra.com
Labels: Triaged-ET M-66 FoundIn-66 Target-66 OS-Linux OS-Mac
Status: Untriaged (was: Unconfirmed)

Comment 6 by battre@chromium.org, Jan 23 2018

Status: Assigned (was: Untriaged)
Re #4: It's true that this repros in prior versions, but the feature that masks the username value didn't land until M65 in Issue 798492.

Comment 8 by dvadym@chromium.org, Jan 24 2018

Cc: elawrence@chromium.org
Labels: OS-Chrome
I found why it works this way.

1. When the user clicks on a link, the username/password are revealed to JS (because of the user action).
2. On back navigation the DOM that existed before the link click is restored, including input element values, excluding <input type=password> fields. So usernames are restored. So it has nothing to do with the Password Manager.

On the other hand, if there was no user gesture, the username is not revealed to JS after navigating back, since it had not been part of the DOM.

Anyway, showing the username after back navigation doesn't make things worse, since the username was already revealed after the link click, so JS can save the username before navigation. So I'm inclined to close this bug as WontFix.

elawrence@ WDYT?
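
Comment 8's explanation (form-state restoration on history navigation brings back text input values but not password input values) suggests a site-side mitigation that is not discussed in the thread: on a back/forward navigation, clear restored credential-bearing text fields before later page scripts can read them. The following is an added example of my own, not code from the reporter or from Chromium. It assumes a login form whose username field is named `username` (the set of field names treated as credentials is an assumption for the example), and it uses the Navigation Timing Level 2 `PerformanceNavigationTiming.type` value `'back_forward'` to detect history navigation. The decision logic is kept in a pure function so it can be exercised outside a browser.

```javascript
// Added example (not from the Chromium issue): clear restored credential fields
// after a history (back/forward) navigation.
// Rationale from comment 8: on back navigation the browser restores the previous
// DOM including <input> values, except <input type="password">, so a username that
// became JS-visible after a user gesture stays visible to JS after going back.

// Field names treated as credential-bearing. Assumption for this example;
// adjust to the form's own field names.
const CREDENTIAL_FIELD_NAMES = new Set(['username', 'user', 'login', 'email']);

// Pure decision function: given the navigation type (PerformanceNavigationTiming.type)
// and a list of {name, type, value} descriptors, return the names of fields whose
// restored values should be cleared. Password fields are skipped because the browser
// already does not restore them (per comment 8); empty fields need no clearing.
function fieldsToClear(navigationType, fields) {
  if (navigationType !== 'back_forward') return [];
  return fields
    .filter(f => f.type !== 'password')
    .filter(f => CREDENTIAL_FIELD_NAMES.has((f.name || '').toLowerCase()))
    .filter(f => f.value !== '')
    .map(f => f.name);
}

// Read the navigation type from the Navigation Timing Level 2 API. Falls back to
// 'navigate' (no clearing) when the entry is unavailable, e.g. in older browsers
// or in a non-browser runtime such as Node.
function currentNavigationType(perf) {
  if (!perf || typeof perf.getEntriesByType !== 'function') return 'navigate';
  const entries = perf.getEntriesByType('navigation');
  return entries.length > 0 ? entries[0].type : 'navigate';
}

// Browser wiring: walk the form inputs, clear the selected ones, and return how
// many were cleared. Run this as early as possible (an inline <script> directly
// after the form) so no later script observes the restored value.
function clearRestoredCredentialFields(doc, perf) {
  const inputs = Array.from(doc.querySelectorAll('input'));
  const descriptors = inputs.map(i => ({ name: i.name, type: i.type, value: i.value }));
  const names = new Set(fieldsToClear(currentNavigationType(perf), descriptors));
  let cleared = 0;
  for (const input of inputs) {
    if (names.has(input.name)) {
      input.value = '';
      cleared += 1;
    }
  }
  return cleared;
}

// Only touch the DOM when actually running in a browser.
if (typeof document !== 'undefined' && typeof performance !== 'undefined') {
  clearRestoredCredentialFields(document, performance);
}
```

Note that this only narrows the window described in comment 8: a script that ran after the user gesture and before the navigation could already have read the value, which is the reason the thread gives for closing the issue as WontFix.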

RE #8: Interesting. I confirmed that the password isn't revealed after programmatic navigation (e.g. navigate the user forward, then the user clicks back), so this shouldn't be useful as an automatic unmasking measure.

While it's certainly /possible/ that the "evil" script only gets to run the second time the page loads and thus this issue /could/ matter, this seems pretty unlikely.

So yeah, this can probably be WONTFIX.
Status: WontFix (was: Assigned)
Closing as WontFix according to the explanation in #8.
