
Issue 809821

Starred by 2 users

Issue metadata

Status: Available
Owner: ----
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux, Android, Windows, Chrome, Mac
Pri: 1
Type: Bug

Blocking:
issue 776896




Convert chrome://blob-internals to a proper WebUI page.

Project Member Reported by dpa...@chromium.org, Feb 7 2018

Issue description

Context https://bugs.chromium.org/p/chromium/issues/detail?id=776896 (see comment 12).

CC'ing OWNERs.
 
Blocking: 776896
Labels: -Type-Bug Type-Bug-Security
Working on getting the right permissions on the context bug, will ping this thread soon once permissions have been adjusted.
Project Member

Comment 4 by sheriffbot@chromium.org, Feb 7 2018

Labels: M-64
Project Member

Comment 5 by sheriffbot@chromium.org, Feb 7 2018

Labels: -Pri-2 Pri-1
Cc: -dmu...@chromium.org
Components: UI>Browser>WebUI
Owner: dmu...@chromium.org
Status: Assigned (was: Available)
Components: Internals>Storage
Project Member

Comment 8 by sheriffbot@chromium.org, Feb 21 2018

dmurph: Uh oh! This issue is still open and hasn't been updated in the last 14 days. This is a serious vulnerability, and we want to ensure that there's progress. Could you please leave an update with the current status and any potential blockers?

If you're not the right owner for this issue, could you please remove yourself as soon as possible or help us find the right one?

If the issue is fixed or you can't reproduce it, please close the bug. If you've started working on a fix, please set the status to Started.

Thanks for your time! To disable nags, add the Disable-Nags label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Project Member

Comment 9 by sheriffbot@chromium.org, Mar 7 2018

Labels: -M-64 M-65
dmurph: Uh oh! This issue is still open and hasn't been updated in the last 28 days. This is a serious vulnerability, and we want to ensure that there's progress. Could you please leave an update with the current status and any potential blockers?

If you're not the right owner for this issue, could you please remove yourself as soon as possible or help us find the right one?

If the issue is fixed or you can't reproduce it, please close the bug. If you've started working on a fix, please set the status to Started.

Thanks for your time! To disable nags, add the Disable-Nags label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Friendly ping from the security sheriff. Can we get any update on this?
Want to fix this, don't have the cycles right now. We have lots of things on fire in owp storage land. Can this wait? It's not accessible through hyperlinks, it's an internals page.
Project Member

Comment 12 by sheriffbot@chromium.org, Apr 18 2018

Labels: -M-65 M-66
Do you have an estimate as to when this could be done?

While it is considered an internal page and cannot be navigated to directly, the page could still be leveraged as part of an attack chain of bugs. Issue 776896 explains some of the protections that get afforded to a true WebUI page (e.g. not being placed in a non-WebUI process).
I can start poking at this now. Are there resources about how to migrate / create a webui page?
There are some docs at https://chromium.googlesource.com/chromium/src/+/master/docs/webui_explainer.md.

Besides that, I think the best way is to use another page as an example.
UI code lives in chrome/browser/resources/, C++ code lives in chrome/browser/ui/webui/.
Project Member

Comment 16 by sheriffbot@chromium.org, May 30 2018

Labels: -M-66 M-67
@dmurph: Are there any updates here? Were you able to get started based on examples and documentation?
I took a look at some examples and the doc, I think it makes sense. I'll probably have this done in the next couple weeks.

Question - even though we don't do any JavaScript / interactivity work, does that still mean we're making the browser vulnerable? We're just a static HTML page.
Project Member

Comment 19 by sheriffbot@chromium.org, Jul 25

Labels: -M-67 Target-68 M-68
Project Member

Comment 20 by sheriffbot@chromium.org, Sep 5

Labels: -M-68 M-69 Target-69
Project Member

Comment 21 by sheriffbot@chromium.org, Oct 17

Labels: -M-69 Target-70 M-70
dmurph: Have you had a chance to work on this bug? Even if the page is static HTML, we would still want to reduce the attack surface on chrome:// pages since they are treated specially in many parts of the code.
Cc: rsesek@chromium.org mmoroz@chromium.org
On second look, we removed Type=Bug_Security from the similar bug 809820 since it's essentially feature work.

rsesek, mmoroz: Should we do the same here and track this as Type=Bug with Component=Security?
Project Member

Comment 24 by sheriffbot@chromium.org, Dec 5

Labels: -M-70 Target-71 M-71
Sounds reasonable given the precedent.
Components: Security
Labels: -Type-Bug-Security -Restrict-View-SecurityTeam -Security_Impact-Stable -Security_Severity-Medium Type-Bug
Thanks, changing to Type=Bug.
Sorry for the delayed response, +1 to rsesek@'s c#25.
Unfortunately I have not. I don't have the cycles to do this right now.
Cc: dmu...@chromium.org
Owner: ----
Status: Available (was: Assigned)
