bypass xss auditor of google chrome browser (Run JavaScript from the omnibox)
Reported by
whathack...@gmail.com,
Feb 21 2018
|
Issue description

UserAgent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.167 Safari/537.36

Steps to reproduce the problem:
1. open google chrome browser
2. in url enter the payload "javascript:alert(document.cookie)"
3. on the page it's displaying the cookie value.

What is the expected behavior?
XSS attack is being executed on the browser and revealing cookies and other sensitive information and finally it can lead to RCE.

What went wrong?
The XSS Auditor is not sanitizing the XSS payload provided in the URL, thus allowing it to execute JavaScript code which can lead to various attacks.

Did this work before? Yes
Version 64.0.3282.167

Chrome version: 64.0.3282.167
Channel: stable
OS Version: 10.0
Flash Version: N/A
Feb 21 2018
Hi Team, can I know why this is not a security vulnerability, when I got the same issue on the Android mobile Chrome application and found a cookie with APISID, SAPISID information? Thanks
Feb 21 2018
A user's ability to run the JavaScript of their choosing on a loaded web page is not a security vulnerability, as noted in the FAQ in comment #1. "XSS" stands for "cross-site scripting" and refers to a case where one site is able to read or write information from another site, typically by causing JavaScript code to execute in the victim site's context. In the scenario described in this issue, there's only one site, and the *user* themselves executes script against that site. As the browser is the user's agent, this is expected behavior.
Feb 22 2018
Hello, what I am doing here is that I am able to bypass the XSS Auditor, as it should block such pop-ups from coming up. You are considering it as an XSS attack on a website, but I'm just using the javascript scheme in the URL to execute XSS on the browser, and the main point here is that I am bypassing the XSS Auditor. Can you please have a look at this again? In browsers like Mozilla such attacks are possible because of no usage of an XSS auditor. Thanks
Feb 22 2018
I'll repeat: you can open Chrome's developer tools console and type the same JavaScript (without the leading "javascript:" prefix) and see the same behavior. This is working as expected. In contrast, the XSS Auditor combats "Reflected XSS" attacks; you can learn more about how it works here: https://sites.google.com/a/chromium.org/dev/developers/design-documents/xss-auditor
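As an added illustration of the distinction drawn in this comment (example code written for this page, not Chromium code and not the XSS Auditor's real algorithm), here is a toy Python model of a reflected-XSS filter: it only inspects HTTP(S) request/response pairs and flags an inline script whose body was echoed from the request query, so a javascript: URL typed into the omnibox is outside its scope by construction. The URLs, page bodies and function names are constructed for the example.

```python
"""Toy model of a reflected-XSS filter (constructed example, not Chromium's auditor).

Heuristic: an inline <script> in a response is treated as reflected when its
body also appears, URL-decoded, in a value of the request's query string.
"""
import re
from urllib.parse import parse_qsl, urlsplit

SCRIPT_RE = re.compile(r"<script[^>]*>(.*?)</script>", re.I | re.S)

# Constructed sample traffic for the demo below.
REFLECTED_URL = "https://example.test/search?q=%3Cscript%3Ealert(document.cookie)%3C/script%3E"
REFLECTED_PAGE = "<html><body>Results for <script>alert(document.cookie)</script></body></html>"
CLEAN_URL = "https://example.test/search?q=foo"
CLEAN_PAGE = "<html><body><script>initSearchBox();</script>Results for foo</body></html>"
OMNIBOX_URL = "javascript:alert(document.cookie)"   # the case reported in this issue


def _normalize(text: str) -> str:
    # Collapse whitespace and case so trivial differences do not hide a match.
    return re.sub(r"\s+", " ", text).strip().lower()


def in_filter_scope(url: str) -> bool:
    """A reflected-XSS filter only sees HTTP(S) navigations that yield a response.

    A javascript: URL run from the omnibox is executed by the browser on the
    user's behalf; there is no request/response pair to compare, so a filter of
    this kind has nothing to inspect.
    """
    return urlsplit(url).scheme in ("http", "https")


def reflected_scripts(request_url: str, response_html: str) -> list:
    """Return inline script bodies that were echoed from the request query string."""
    if not in_filter_scope(request_url):
        return []
    # parse_qsl already URL-decodes the values (decode once only, to avoid double-decoding).
    values = [_normalize(v) for _, v in parse_qsl(urlsplit(request_url).query,
                                                  keep_blank_values=True)]
    hits = []
    for body in SCRIPT_RE.findall(response_html):
        norm = _normalize(body)
        if norm and any(norm in value for value in values):
            hits.append(body.strip())
    return hits


if __name__ == "__main__":
    print("reflected:", reflected_scripts(REFLECTED_URL, REFLECTED_PAGE))
    print("clean:", reflected_scripts(CLEAN_URL, CLEAN_PAGE))
    print("omnibox in scope:", in_filter_scope(OMNIBOX_URL))
```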
May 31 2018
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by elawrence@chromium.org, Feb 21 2018