
Issue 814564

Issue metadata

Status: Duplicate
Merged: issue 81697
Owner: ----
Closed: Feb 2018
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: ----
Type: Bug-Security



Security: XSS Vulnerability (Typing JavaScript url into the omnibox)

Reported by lurisj...@gmail.com, Feb 22 2018

Issue description

I found an XSS vulnerability in this browser. OK, I will explain it all.
0x01: I search for something, e.g. test.
When the browser accepts it, it searches for test.
OK, the search option is working.
0x02: I try a simple XSS payload [<script>alert(1)</script>] ...
No alert, but the browser searches for the payload.
0x03: Lastly I try this payload [javascript:prompt()]. Boom, the JavaScript works and it makes an alert(). When I search in Google, the script shows the Google domain. Before, I thought it was a Google search vulnerability. It's not, because I opened Facebook, Yahoo, YouTube, Ask and Twitter and put this payload in the URL. The browser pops up the domain name on all of them. Surely it's a vulnerability in the Chrome browser.
Why do I say the Chrome browser? This payload does not work in Firefox and other browsers. It only works in Chrome and Chrome-based browsers.

 
Attachment: S80222-07054310.mp4 (11.6 MB)
Mergedinto: 81697
Status: Duplicate (was: Unconfirmed)
Summary: Security: XSS Vulnerability (Typing JavaScript url into the omnibox) (was: Security: XSS Vulnerability )
Running JavaScript in the omnibox or the Developer Tools is not a security vulnerability. https://chromium.googlesource.com/chromium/src/+/master/docs/security/faq.md#Does-entering-JavaScript_URLs-in-the-URL-bar-or-running-script-in-the-developer-tools-mean-there_s-an-XSS-vulnerability
Project Member

Comment 2 by sheriffbot@chromium.org, May 31 2018

Labels: -Restrict-View-SecurityTeam allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
