New issue
Advanced search Search tips
Note: Color blocks (like or ) mean that a user may not be available. Tooltip shows the reason.
Starred by 24 users

Issue metadata

Status: WontFix
Owner: ----
Closed: May 2011
Cc:
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: 0
Type: Bug-Security

Restricted
  • Only users with Commit permission may comment.



Sign in to add a comment
link

Issue 81697: Disable the javascript: pseudo-protocol for the address bar

Reported by cos...@gmail.com, May 5 2011 Project Member

Issue description

VULNERABILITY DETAILS
When a URL using the javascript: pseudo-protocol is typed in the address bar, Chrome runs the script in the context of the current page. 

This behavior has been used for many spam attacks on Gmail and Facebook, and is not really useful for regular users. Therefore, please consider disabling the behavior by default, and adding a command-line flag so that developers can get it back.

Bookmarks have a similar issue, but there are legitimate javascript: bookmarklets, so that should be addressed in a separate bug.

VERSION
Chrome Version: 12.0.742.16 dev
Operating System: all

REPRODUCTION CASE
Go to a Web site, and type javascript:alert("ohnoes"); in the omnibar, and press enter. If the modal dialog box shows up, Chrome's doing it wrong.
 

Comment 1 by chromium...@gmail.com, May 5 2011

Labels: -Restrict-View-SecurityTeam
Status: WontFix
There have been discussions recently about modifying javascript URLs which are pasted or dropped into the omnibox. I don't think this is warranted when the javascript: url is typed however.

Comment 2 by cos...@gmail.com, May 5 2011

I agree with the potential distinction, but not with the bug resolution.

First off, javascript: URLs aren't that useful nowadays, given the console in the Developer Tools. Second, adding a flag would allow developers to go around the restrictions, if they have a good reason for it. People who can flip flags are more likely to understand the dangers of pasting javascript: URLs.

Last, this won't fix all the XSS issues, but it will make it harder for attackers to put together instructions that are believable, so it should reduce the number of people who spam unwillingly.

Comment 3 by bugdroid1@chromium.org, Oct 13 2012

Project Member
Labels: Restrict-AddIssueComment-Commit
Owner: ----
This issue has been closed for some time. No one will pay attention to new comments.
If you are seeing this bug or have new data, please click New Issue to start a new bug.

Comment 4 by bugdroid1@chromium.org, Mar 10 2013

Project Member
Labels: -Type-Security Type-Bug-Security

Comment 5 by bugdroid1@chromium.org, Mar 11 2013

Project Member
Labels: -Area-Undefined

Comment 6 by mbarbe...@chromium.org, Oct 2 2016

Labels: allpublic

Comment 7 by elawrence@chromium.org, Feb 22 2018

 Issue 814564  has been merged into this issue.

Comment 8 by elawrence@chromium.org, Feb 22 2018

 Issue 814320  has been merged into this issue.

Comment 9 by elawrence@chromium.org, Feb 22 2018

 Issue 86182  has been merged into this issue.

Comment 10 by elawrence@chromium.org, Feb 22 2018

 Issue 235856  has been merged into this issue.

Comment 11 by elawrence@chromium.org, Feb 22 2018

Cc: caseq@chromium.org cdn@chromium.org yu...@chromium.org
 Issue 105295  has been merged into this issue.

Comment 12 by elawrence@chromium.org, Feb 22 2018

 Issue 656749  has been merged into this issue.

Comment 13 by elawrence@chromium.org, Feb 22 2018

 Issue 659019  has been merged into this issue.

Comment 14 by elawrence@chromium.org, Feb 22 2018

 Issue 772821  has been merged into this issue.

Comment 15 by elawrence@chromium.org, Feb 22 2018

 Issue 716434  has been merged into this issue.

Comment 16 by elawrence@chromium.org, Feb 22 2018

 Issue 774767  has been merged into this issue.

Comment 17 by elawrence@chromium.org, Feb 22 2018

 Issue 788545  has been merged into this issue.

Comment 18 by elawrence@chromium.org, Feb 22 2018

 Issue 789874  has been merged into this issue.

Comment 19 by elawrence@chromium.org, Feb 22 2018

 Issue 793037  has been merged into this issue.

Comment 20 by est...@chromium.org, Mar 13 2018

 Issue 821336  has been merged into this issue.

Comment 21 by rsesek@chromium.org, Jan 11

Issue 920959 has been merged into this issue.

Sign in to add a comment