New issue
Advanced search Search tips
Note: Color blocks (like or ) mean that a user may not be available. Tooltip shows the reason.

Issue 811558 link

Starred by 4 users
Status: Fixed
Owner:
mea...@chromium.org
Closed: May 2018
Cc:
nick@chromium.org
q...@chromium.org
rbyers@chromium.org
emilyschechter@chromium.org
jsb...@chromium.org
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux , Android , Windows , Chrome , Mac , Fuchsia
Pri: 3
Type: Bug

Blocking:
issue 696446
issue 809062



Sign in to add a comment

Block renderer initiated top-frame navigations to filesystem URLs

Project Member Reported by mea...@chromium.org, Feb 13 2018 
filesystem: URLs are only supported by Chrome. They contain an inner URL which consists of the origin that created the filesystem URL. For example, a filesystem URL created by http://example.com looks like filesystem:http://www.example.com/temporary/file0. The appearance in the omnibox is confusing for users, and there is currently an undisclosed security bug for this.

Following the data URL navigation blocking, do the same for filesystem URLs: https://groups.google.com/a/chromium.org/d/msg/blink-dev/GbVcuwg_QjM/GsIAQlemBQAJ

Comment 1 by mea...@chromium.org, Feb 13 2018

Labels: Team-Security-UX

Comment 2 by mea...@chromium.org, Feb 14 2018

Blocking: 809062

Comment 3 by cthomp@chromium.org, Feb 14 2018 

Would this also fix the concerns in  issue 650369 ?

Comment 4 by mea...@chromium.org, Feb 15 2018

Cc: nick@chromium.org
Not sure, but I admit I don't fully understand that bug. I'm not aware of a previous blocking of filesystem URLs, so I'm not sure where the incompleteness of that comes from.

nick: Any thoughts? I'll use DataUrlNavigationThrottle to fix this bug.

Comment 5 by mea...@chromium.org, Apr 27 2018

Blocking: 696446

Comment 6 by mea...@chromium.org, Apr 27 2018

Status: Started (was: Assigned)
Happening at https://chromium-review.googlesource.com/c/chromium/src/+/907528
Project Member

Comment 7 by bugdroid1@chromium.org, Apr 30 2018 

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/5440020025c6e2de35db1bd5450bce9b69406e31

commit 5440020025c6e2de35db1bd5450bce9b69406e31
Author: Mustafa Emre Acer <meacer@chromium.org>
Date: Mon Apr 30 19:38:11 2018

Block redirects and renderer-initiated top-frame navigations to filesystem: URLs

Intent to deprecate and remove for renderer-initiated top frame navigations:
https://groups.google.com/a/chromium.org/forum/#!topic/blink-dev/X7rZeU93vjw

This CL additionally blocks redirects to filesystem URLs. This matches the redirect
behavior of data URLs.

Bug:  811558 
Cq-Include-Trybots: master.tryserver.chromium.linux:linux_mojo
Change-Id: I22201825063432ab95872a44aa1925a233e693f5
Reviewed-on: https://chromium-review.googlesource.com/907528
Commit-Queue: Mustafa Emre Acer <meacer@chromium.org>
Reviewed-by: Karan Bhatia <karandeepb@chromium.org>
Reviewed-by: Taiju Tsuiki <tzik@chromium.org>
Reviewed-by: Nasko Oskov <nasko@chromium.org>
Reviewed-by: Mike West <mkwst@chromium.org>
Cr-Commit-Position: refs/heads/master@{#554850}
[modify] https://crrev.com/5440020025c6e2de35db1bd5450bce9b69406e31/chrome/browser/extensions/process_manager_browsertest.cc
[modify] https://crrev.com/5440020025c6e2de35db1bd5450bce9b69406e31/content/browser/BUILD.gn
[modify] https://crrev.com/5440020025c6e2de35db1bd5450bce9b69406e31/content/browser/child_process_security_policy_impl.cc
[add] https://crrev.com/5440020025c6e2de35db1bd5450bce9b69406e31/content/browser/frame_host/blocked_scheme_navigation_browsertest.cc
[rename] https://crrev.com/5440020025c6e2de35db1bd5450bce9b69406e31/content/browser/frame_host/blocked_scheme_navigation_throttle.cc
[add] https://crrev.com/5440020025c6e2de35db1bd5450bce9b69406e31/content/browser/frame_host/blocked_scheme_navigation_throttle.h
[delete] https://crrev.com/f634aa2d0ca1cb9c08c46e4266d43c46a7c34147/content/browser/frame_host/data_url_navigation_browsertest.cc
[delete] https://crrev.com/f634aa2d0ca1cb9c08c46e4266d43c46a7c34147/content/browser/frame_host/data_url_navigation_throttle.h
[modify] https://crrev.com/5440020025c6e2de35db1bd5450bce9b69406e31/content/browser/frame_host/navigation_handle_impl.cc
[modify] https://crrev.com/5440020025c6e2de35db1bd5450bce9b69406e31/content/test/BUILD.gn
[modify] https://crrev.com/5440020025c6e2de35db1bd5450bce9b69406e31/content/test/data/data_url_navigations.html
[add] https://crrev.com/5440020025c6e2de35db1bd5450bce9b69406e31/content/test/data/filesystem_url_navigations.html
[modify] https://crrev.com/5440020025c6e2de35db1bd5450bce9b69406e31/storage/browser/fileapi/file_system_url_request_job_factory.cc
[modify] https://crrev.com/5440020025c6e2de35db1bd5450bce9b69406e31/testing/buildbot/filters/mojo.fyi.network_content_browsertests.filter
[modify] https://crrev.com/5440020025c6e2de35db1bd5450bce9b69406e31/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/cascade/same-origin-window-open.html
[modify] https://crrev.com/5440020025c6e2de35db1bd5450bce9b69406e31/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/cascade/same-origin-with-own-policy-window-open.html
[modify] https://crrev.com/5440020025c6e2de35db1bd5450bce9b69406e31/third_party/blink/renderer/core/loader/frame_loader.cc

Comment 8 by mea...@chromium.org, May 4 2018

Status: Fixed (was: Started)
Looks like this did stick, marking fixed.

Comment 9 by mea...@chromium.org, May 15 2018 

 Issue 650369  has been merged into this issue.

Comment 10 by q...@chromium.org, May 23 2018

Cc: q...@chromium.org
Issue 845950 is a side effect of this.

Sign in to add a comment