Working on getting the right permissions on the context bug, will ping this thread soon once permissions have been adjusted.

I don't have access to see https://bugs.chromium.org/p/chromium/issues/detail?id=776896

But this bug sounds like a dupe of crbug.com/788270, which is already being worked on.

Added you asvitkine@.

bug 788270 feels more generic bug, in that case, this security issue should still be tracked on its own (it can be marked as blocked on that bug).

asvitkine: Uh oh! This issue still open and hasn't been updated in the last 14 days. This is a serious vulnerability, and we want to ensure that there's progress. Could you please leave an update with the current status and any potential blockers?

If you're not the right owner for this issue, could you please remove yourself as soon as possible or help us find the right one?

If the issue is fixed or you can't reproduce it, please close the bug. If you've started working on a fix, please set the status to Started.

Thanks for your time! To disable nags, add the Disable-Nags label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

asvitkine: Uh oh! This issue still open and hasn't been updated in the last 28 days. This is a serious vulnerability, and we want to ensure that there's progress. Could you please leave an update with the current status and any potential blockers?

If you're not the right owner for this issue, could you please remove yourself as soon as possible or help us find the right one?

If the issue is fixed or you can't reproduce it, please close the bug. If you've started working on a fix, please set the status to Started.

Thanks for your time! To disable nags, add the Disable-Nags label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Friendly ping from the security sheriff. Can we get any update on this?

Can I have access to the context as well?

I'm a bit confused what the security/stability impact of this is if is a dupe of 
https://bugs.chromium.org/p/chromium/issues/detail?id=788270 (as per #7) which is a feature request and not a stability/security issue.

> Can I have access to the context as well?

Should have access now. Please try again.

Are there any updates on this issue?

Re: #15: The issue may be resolved with the work tracked by issue 788270, but the security implications are because of what is discussed in issue 776896.

No updates. This isn't on our teams OKRs this quarter, so no one is working on it.

I was hoping the prototype mathp@ and sebsg@ have built could be landed and would solve this. But haven't heard back from them.

I think this bug, and also issue 776896 should be Type=Bug with security component, rather than Type=Bug-Security. This is because they are not vulnerabilities directly affecting user security but are defence-in-depth mitigations and new security features:

"Type-Bug-Security: Designates a security vulnerability that impacts users. This label should not be used for new features that relate to security, or general remediation/refactoring ideas. (Use the Security component for that.)" [1] 

Unless there are objections I'll switch both bugs.

[1] - https://chromium.googlesource.com/chromium/src/+/master/docs/security/security-labels.md

I'm sorry we haven't been able to get to it. Let me try to break up the prototype change into smaller chunks.

Mathieu sent out a CL for review!

https://chromium-review.googlesource.com/c/chromium/src/+/890627

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/18170a49b39546ea32d21dc7d61bc82d61529fd0

commit 18170a49b39546ea32d21dc7d61bc82d61529fd0
Author: Mathieu Perreault <mathp@chromium.org>
Date: Thu May 17 12:48:15 2018

[Histograms] Revamp of the chrome://histograms page

Now a WebUI message handler. Still keeps the same UI
for now, but has potential to be more (see earlier patchsets)

Bug: 809820, 788270
Change-Id: I9e2de72540f152ad367098d8255492378bbb28a3
Reviewed-on: https://chromium-review.googlesource.com/890627
Reviewed-by: Avi Drissman <avi@chromium.org>
Reviewed-by: Julian Pastarmov <pastarmovj@chromium.org>
Reviewed-by: Bernhard Bauer <bauerb@chromium.org>
Reviewed-by: Alexei Svitkine <asvitkine@chromium.org>
Commit-Queue: Mathieu Perreault <mathp@chromium.org>
Cr-Commit-Position: refs/heads/master@{#559504}
[modify] https://crrev.com/18170a49b39546ea32d21dc7d61bc82d61529fd0/chrome/browser/policy/policy_browsertest.cc
[modify] https://crrev.com/18170a49b39546ea32d21dc7d61bc82d61529fd0/content/browser/BUILD.gn
[delete] https://crrev.com/c70cdb314e37ae58980dd993433748d9c09e64dc/content/browser/histogram_internals_request_job.cc
[delete] https://crrev.com/c70cdb314e37ae58980dd993433748d9c09e64dc/content/browser/histogram_internals_request_job.h
[delete] https://crrev.com/c70cdb314e37ae58980dd993433748d9c09e64dc/content/browser/histogram_internals_url_loader.cc
[delete] https://crrev.com/c70cdb314e37ae58980dd993433748d9c09e64dc/content/browser/histogram_internals_url_loader.h
[add] https://crrev.com/18170a49b39546ea32d21dc7d61bc82d61529fd0/content/browser/histograms_internals_ui.cc
[add] https://crrev.com/18170a49b39546ea32d21dc7d61bc82d61529fd0/content/browser/histograms_internals_ui.h
[add] https://crrev.com/18170a49b39546ea32d21dc7d61bc82d61529fd0/content/browser/resources/histograms/histograms_internals.html
[add] https://crrev.com/18170a49b39546ea32d21dc7d61bc82d61529fd0/content/browser/resources/histograms/histograms_internals.js
[modify] https://crrev.com/18170a49b39546ea32d21dc7d61bc82d61529fd0/content/browser/webui/content_web_ui_controller_factory.cc
[modify] https://crrev.com/18170a49b39546ea32d21dc7d61bc82d61529fd0/content/browser/webui/url_data_manager_backend.cc
[modify] https://crrev.com/18170a49b39546ea32d21dc7d61bc82d61529fd0/content/browser/webui/web_ui_url_loader_factory.cc
[modify] https://crrev.com/18170a49b39546ea32d21dc7d61bc82d61529fd0/content/content_resources.grd

This isn't a security bug that is a risk to users, it's security feature work.

https://chromium.googlesource.com/chromium/src/+/master/docs/security/security-labels.md

Marking as Fixed for M68 since this is now live on Canary. Thanks Mathieu!

Thanks a lot for fixing this!

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/f38ba52d12bfbbff75397033b1a140b4ee3e7c4b

commit f38ba52d12bfbbff75397033b1a140b4ee3e7c4b
Author: Mathieu Perreault <mathp@chromium.org>
Date: Wed May 23 19:30:08 2018

[Histograms page] Create a build target for histograms internals JS

As well, address comments from
https://chromium-review.googlesource.com/c/chromium/src/+/890627

Bug: 809820, 788270
Change-Id: Idb11e6045ad79993792da08245485c3e64259f85
Reviewed-on: https://chromium-review.googlesource.com/1065576
Reviewed-by: calamity <calamity@chromium.org>
Reviewed-by: Scott Violet <sky@chromium.org>
Reviewed-by: Avi Drissman <avi@chromium.org>
Reviewed-by: Demetrios Papadopoulos <dpapad@chromium.org>
Commit-Queue: Mathieu Perreault <mathp@chromium.org>
Cr-Commit-Position: refs/heads/master@{#561202}
[modify] https://crrev.com/f38ba52d12bfbbff75397033b1a140b4ee3e7c4b/BUILD.gn
[add] https://crrev.com/f38ba52d12bfbbff75397033b1a140b4ee3e7c4b/content/browser/resources/BUILD.gn
[add] https://crrev.com/f38ba52d12bfbbff75397033b1a140b4ee3e7c4b/content/browser/resources/histograms/BUILD.gn
[add] https://crrev.com/f38ba52d12bfbbff75397033b1a140b4ee3e7c4b/content/browser/resources/histograms/OWNERS
[modify] https://crrev.com/f38ba52d12bfbbff75397033b1a140b4ee3e7c4b/content/browser/resources/histograms/histograms_internals.html
[modify] https://crrev.com/f38ba52d12bfbbff75397033b1a140b4ee3e7c4b/content/browser/resources/histograms/histograms_internals.js

Reopening for iOS and assigning to Moe