
Issue 811558

Starred by 4 users

Issue metadata

Status: Fixed
Owner:
Closed: May 4
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux, Android, Windows, Chrome, Mac, Fuchsia
Pri: 3
Type: Bug

Blocking:
issue 696446
issue 809062




Block renderer initiated top-frame navigations to filesystem URLs

Project Member Reported by mea...@chromium.org, Feb 13 2018

Issue description

filesystem: URLs are only supported by Chrome. They contain an inner URL which consists of the origin that created the filesystem URL. For example, a filesystem URL created by http://example.com looks like filesystem:http://www.example.com/temporary/file0. The appearance in the omnibox is confusing for users, and there is currently an undisclosed security bug for this.

Following the data URL navigation blocking, do the same for filesystem URLs: https://groups.google.com/a/chromium.org/d/msg/blink-dev/GbVcuwg_QjM/GsIAQlemBQAJ
 

Comment 1 by mea...@chromium.org, Feb 13 2018

Labels: Team-Security-UX

Comment 2 by mea...@chromium.org, Feb 14 2018

Blocking: 809062

Comment 3 by cthomp@chromium.org, Feb 14 2018

Would this also fix the concerns in issue 650369?

Comment 4 by mea...@chromium.org, Feb 15 2018

Cc: nick@chromium.org
Not sure, but I admit I don't fully understand that bug. I'm not aware of a previous blocking of filesystem URLs, so I'm not sure where the incompleteness of that comes from.

nick: Any thoughts? I'll use DataUrlNavigationThrottle to fix this bug.
Blocking: 696446
Status: Started (was: Assigned)
Happening at https://chromium-review.googlesource.com/c/chromium/src/+/907528

Comment 7 by bugdroid1@chromium.org, Apr 30

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/5440020025c6e2de35db1bd5450bce9b69406e31

commit 5440020025c6e2de35db1bd5450bce9b69406e31
Author: Mustafa Emre Acer <meacer@chromium.org>
Date: Mon Apr 30 19:38:11 2018

Block redirects and renderer-initiated top-frame navigations to filesystem: URLs

Intent to deprecate and remove for renderer-initiated top frame navigations:
https://groups.google.com/a/chromium.org/forum/#!topic/blink-dev/X7rZeU93vjw

This CL additionally blocks redirects to filesystem URLs. This matches the redirect
behavior of data URLs.

Bug:  811558 
Cq-Include-Trybots: master.tryserver.chromium.linux:linux_mojo
Change-Id: I22201825063432ab95872a44aa1925a233e693f5
Reviewed-on: https://chromium-review.googlesource.com/907528
Commit-Queue: Mustafa Emre Acer <meacer@chromium.org>
Reviewed-by: Karan Bhatia <karandeepb@chromium.org>
Reviewed-by: Taiju Tsuiki <tzik@chromium.org>
Reviewed-by: Nasko Oskov <nasko@chromium.org>
Reviewed-by: Mike West <mkwst@chromium.org>
Cr-Commit-Position: refs/heads/master@{#554850}
[modify] https://crrev.com/5440020025c6e2de35db1bd5450bce9b69406e31/chrome/browser/extensions/process_manager_browsertest.cc
[modify] https://crrev.com/5440020025c6e2de35db1bd5450bce9b69406e31/content/browser/BUILD.gn
[modify] https://crrev.com/5440020025c6e2de35db1bd5450bce9b69406e31/content/browser/child_process_security_policy_impl.cc
[add] https://crrev.com/5440020025c6e2de35db1bd5450bce9b69406e31/content/browser/frame_host/blocked_scheme_navigation_browsertest.cc
[rename] https://crrev.com/5440020025c6e2de35db1bd5450bce9b69406e31/content/browser/frame_host/blocked_scheme_navigation_throttle.cc
[add] https://crrev.com/5440020025c6e2de35db1bd5450bce9b69406e31/content/browser/frame_host/blocked_scheme_navigation_throttle.h
[delete] https://crrev.com/f634aa2d0ca1cb9c08c46e4266d43c46a7c34147/content/browser/frame_host/data_url_navigation_browsertest.cc
[delete] https://crrev.com/f634aa2d0ca1cb9c08c46e4266d43c46a7c34147/content/browser/frame_host/data_url_navigation_throttle.h
[modify] https://crrev.com/5440020025c6e2de35db1bd5450bce9b69406e31/content/browser/frame_host/navigation_handle_impl.cc
[modify] https://crrev.com/5440020025c6e2de35db1bd5450bce9b69406e31/content/test/BUILD.gn
[modify] https://crrev.com/5440020025c6e2de35db1bd5450bce9b69406e31/content/test/data/data_url_navigations.html
[add] https://crrev.com/5440020025c6e2de35db1bd5450bce9b69406e31/content/test/data/filesystem_url_navigations.html
[modify] https://crrev.com/5440020025c6e2de35db1bd5450bce9b69406e31/storage/browser/fileapi/file_system_url_request_job_factory.cc
[modify] https://crrev.com/5440020025c6e2de35db1bd5450bce9b69406e31/testing/buildbot/filters/mojo.fyi.network_content_browsertests.filter
[modify] https://crrev.com/5440020025c6e2de35db1bd5450bce9b69406e31/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/cascade/same-origin-window-open.html
[modify] https://crrev.com/5440020025c6e2de35db1bd5450bce9b69406e31/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/cascade/same-origin-with-own-policy-window-open.html
[modify] https://crrev.com/5440020025c6e2de35db1bd5450bce9b69406e31/third_party/blink/renderer/core/loader/frame_loader.cc
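
The policy named in the commit message above, together with the inner-URL structure from the issue description, modeled as an added JavaScript example; this is not Chromium's code. The function names and the shape of the navigation object are assumptions, and blocking every redirect regardless of frame is this example's reading of "Block redirects".

```javascript
// Added illustration, not Chromium source. Models the policy in the commit
// message: block redirects and renderer-initiated top-frame navigations.
const BLOCKED_SCHEMES = new Set(["data", "filesystem"]);

function schemeOf(url) {
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(url.trim());
  return m ? m[1].toLowerCase() : null;
}

// Split filesystem:<inner URL> into the creating origin, storage type and path.
function parseFilesystemUrl(url) {
  if (schemeOf(url) !== "filesystem") return null;
  let inner;
  try {
    inner = new URL(url.trim().slice("filesystem:".length));
  } catch {
    return null; // inner part is not a parsable URL
  }
  const [, type, ...rest] = inner.pathname.split("/");
  // Only the two types web pages can request are accepted in this sketch.
  if (type !== "temporary" && type !== "persistent") return null;
  return { innerOrigin: inner.origin, type, path: "/" + rest.join("/") };
}

// nav: { url, isMainFrame, isRendererInitiated, isRedirect } (hypothetical shape).
function checkNavigation(nav) {
  const scheme = schemeOf(nav.url);
  if (!BLOCKED_SCHEMES.has(scheme)) return { allow: true, reason: "scheme not restricted" };
  if (nav.isRedirect) return { allow: false, reason: `redirect to ${scheme}: URL` };
  if (nav.isMainFrame && nav.isRendererInitiated) {
    return { allow: false, reason: `renderer-initiated top-frame navigation to ${scheme}: URL` };
  }
  return { allow: true, reason: "subframe or browser-initiated" };
}

// Constructed sample navigations, not captured traffic.
const FS = "filesystem:http://www.example.com/temporary/file0";
const SAMPLE = [
  { url: FS, isMainFrame: true, isRendererInitiated: true, isRedirect: false },
  { url: FS, isMainFrame: false, isRendererInitiated: true, isRedirect: false },
  { url: FS, isMainFrame: true, isRendererInitiated: false, isRedirect: false },
  { url: "filesystem:http://www.example.com/persistent/a/b.html", isMainFrame: false, isRendererInitiated: true, isRedirect: true },
  { url: "https://www.example.com/index.html", isMainFrame: true, isRendererInitiated: true, isRedirect: false },
];

// Pair each decision with the parsed inner origin so a log shows who created the URL.
function audit(navs) {
  return navs.map((n) => ({ ...checkNavigation(n), parsed: parseFilesystemUrl(n.url) }));
}

console.log(audit(SAMPLE));
```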

Status: Fixed (was: Started)
Looks like this did stick, marking fixed.
Issue 650369 has been merged into this issue.
Cc: q...@chromium.org
Issue 845950 is a side effect of this.
