
Issue 822523


Issue metadata

Status: WontFix
Owner: ----
Closed: Mar 2018
Components:
EstimatedDays: ----
NextAction: ----
OS: Mac
Pri: 2
Type: Bug-Security




Cross-origin frame can change turn address bar to insecure

Reported by s.h.h.n....@gmail.com, Mar 16 2018

Issue description

UserAgent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/65.0.3325.162 Safari/537.36

Steps to reproduce the problem:
1. Go to https://vuln.shhnjk.com/super_secure.html

What is the expected behavior?
Nothing happens.

What went wrong?
Secure lock on address bar turns into insecure. Not sure why this is happening.

Did this work before? N/A 

Chrome version: 65.0.3325.162  Channel: stable
OS Version: OS X 10.13.3
Flash Version: 

PoC
<iframe src="data:text/html,<iframe sandbox='allow-scripts' src='data:text/html,<a href=googlechrome://test.shhnjk.com/alert.html>test</a><script>document.querySelector`a`.click()</script>'></iframe>"></iframe>
 
Okay, this is a shitty issue. I didn't know much about the lock. Please close it.

Comment 2 by est...@chromium.org, Mar 16 2018

Components: Blink>SecurityFeature
Labels: -Restrict-View-SecurityTeam
Status: WontFix (was: Unconfirmed)
The lock icon goes away because the page loads mixed content (an iframe with a non-https scheme). Closing per #1.
