New issue
Advanced search Search tips

Issue 824413 link

Starred by 2 users

Issue metadata

Status: Untriaged
Owner: ----
Components:
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: ----
Type: Feature



Sign in to add a comment

mailto links open mail application without prompt

Reported by yigityil...@gmail.com, Mar 21 2018

Issue description

Summary:
A Website can open the application without user permission with Google Chrome and A website can command the any application with Google Chrome

Steps to reproduce:
1- Open "proofofconcept.html" with Google Chrome

Actual results:
A Website can open the application without user permission with Google Chrome and A website can command the any application with Google Chrome

Expected Results:
Question function should be add(for example: "Do you want open it in Mail ?")

Notes:
Chrome asks questions to start other apps but does not ask for mail. 

Attack Senario:
Website can do it consistently for some ads or malafide(+18 App Store app redirecting or +18 Personnel Phone Numbers can open in Messages. Website can create a erotic or spam content mail.)People may encounter things they do not want to see

Version:
65.0.3325.181

Platform:
Windows 10 x64 Home Single Language


 
proofofconcept.mp4
538 KB View Download
proofof.html
208 bytes View Download
Components: Internals>PlatformIntegration
Summary: mailto links open mail application without prompt (was: Google Chrome Authorization Bypass)
I believe this is basically working as intended (a prompt would be annoying), although perhaps we should have some sort of throttle and/or user-gesture requirement to prevent abuse.

Given that this is unlikely to do more than annoy a user, it's probably better considered a DoS issue and thus out of scope for the security queue.
Essentially the same as  Issue 329188 ; Issue 78592 is related in that it proposes a gesture requirement for protocol invocation.
Hello,
Google chrome ask question for start skype or 3rd party application and system application. But Google Chrome not asking for “mailto://“ . If you test with other schemes (see: https://docs.microsoft.com/en-us/windows/uwp/launch-resume/launch-default-app), Google Chrome ask question for start app
Correct, Chrome prompts before invocation of launching external handlers for Application Protocols. Mailto is a special case that does not trigger such a prompt.
this can lead to the situation I mentioned above. Microsoft Edge and similar browsers has taken precautions about this issue
By way of comparison: Firefox, Safari, and Internet Explorer also do not show prompts in this scenario. It's correct to note that Edge does show a "Switching apps" prompt; that is related to how code running in Windows 10 AppContainer sandboxes invokes protocols through the shell.

Comment 7 by cthomp@chromium.org, Mar 22 2018

Labels: -Type-Bug-Security -Restrict-View-SecurityTeam Type-Feature
Status: Untriaged (was: Unconfirmed)
This seems to be working-as-intended, but we can discuss further whether we may want to change this behavior in the future to align with other protocol handlers. Changing this to a feature request issue and dropping the security restriction.

Also worth noting in regards to the "Attack Scenario": Anything a malicious page or advertisement could display in the Mail application they could also display in the tab they are currently running in.
If you look at what they say, this feature should be removed for other application(question). Because what you're talking about is true for other applications. Please review the precautions Apple and Microsoft have taken in this regard.
Please look for example (for Microsoft Edge) .If you open mail application with linklabel,Edge does not ask question to start the app. But when the site wants to start mail application automatically(iframe or similar method), Edge ask questions. Safari is no different than Edge. Chrome should be add like this question feature on Edge
video.mp4
772 KB View Download

Sign in to add a comment