Issue 832180

Starred by 2 users

Issue metadata

Status: Available
Owner: ----
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: 2
Type: Bug

Blocked on:
issue 575305
issue 683402
issue 689549

Blocking:
issue 786673



Hotlists containing this issue:
Hotlist-3



Verify HasUserGesture flag in NavigationHandle which comes from renderer

Reported by kbr@chromium.org (Project Member), Apr 12 2018

Issue description

The flag NavigationHandle::HasUserGesture is transmitted from the renderer process here:
https://cs.chromium.org/chromium/src/content/renderer/render_frame_impl.cc?rcl=19a69a1389844f51c474efa446e3f22dd1fb36a8&l=5516

Currently it isn't validated, which means that a compromised renderer could spoof this flag. One idea for validating it would be to test whether a mouse event has been dispatched to that renderer process recently, and if not, clear the flag.
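
The browser-side check suggested above, as an added example that is not Chromium code: the browser process records the last trusted input event it dispatched to each renderer process, and a navigation's renderer-supplied gesture flag is only honoured if such an event was dispatched recently. The class name, method names, process ids and the one-second window are all assumptions for illustration.

```cpp
// Added example (not Chromium code): browser-side validation of a
// renderer-supplied "has user gesture" flag. Names, ids and the time
// window are hypothetical; timestamps are plain milliseconds for testability.
#include <cstdint>
#include <map>

class UserGestureValidator {
 public:
  // Window within which a browser-observed input event vouches for the
  // renderer's claim (constructed value, not Chromium's).
  static constexpr int64_t kGestureWindowMs = 1000;

  // Called by the browser when it forwards a trusted input event
  // (e.g. a mouse click) to renderer process |process_id| at |now_ms|.
  void RecordInputEvent(int process_id, int64_t now_ms) {
    last_input_ms_[process_id] = now_ms;
  }

  // Returns the validated gesture flag for a navigation started by
  // |process_id| at |now_ms|, given the renderer-supplied |claimed| value.
  // A claim is only trusted if the browser itself sent input recently;
  // a renderer that was never sent input, or not recently, has its flag cleared.
  bool ValidateHasUserGesture(int process_id, bool claimed, int64_t now_ms) const {
    if (!claimed) return false;  // a renderer may always decline a gesture
    auto it = last_input_ms_.find(process_id);
    if (it == last_input_ms_.end()) return false;  // no input ever dispatched
    int64_t age = now_ms - it->second;
    return age >= 0 && age <= kGestureWindowMs;
  }

 private:
  std::map<int, int64_t> last_input_ms_;  // process id -> last input time
};

// Driver: an honest claim passes, a claim from a process that never received
// input is cleared, and a stale claim is cleared.
bool DemoSpoofedGestureIsCleared() {
  UserGestureValidator v;
  v.RecordInputEvent(/*process_id=*/7, /*now_ms=*/5000);
  bool honest = v.ValidateHasUserGesture(7, true, 5500);   // within window
  bool spoofed = v.ValidateHasUserGesture(9, true, 5500);  // no input ever sent
  bool stale = v.ValidateHasUserGesture(7, true, 9000);    // too old
  return honest && !spoofed && !stale;
}
```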


Comment 1 by dcheng@chromium.org, Apr 12 2018

mustaq and I have been working on making this signal reliable. https://docs.google.com/document/d/1SuuaGe-d64FEz0ZMGu5FAEEJtMSvL77YGz4V9J1NUwo/edit was the initial attempt at a writeup assuming the current user gesture-based world; I need to update it to account for how user activation v2 works.

In the meantime, I'm working on landing https://chromium-review.googlesource.com/c/chromium/src/+/1005019 which might be something we can take advantage of here.

Comment 2 by creis@chromium.org, Apr 12 2018

Components: Internals>Sandbox>SiteIsolation

Comment 3 by creis@chromium.org, Apr 12 2018

Blocking: 786673
Listing this as one of the enforcements for Site Isolation.

Comment 4 by mustaq@chromium.org, Apr 12 2018

Labels: UserActivation
Yes, we are planning for a browser-side user activation detection that would *replace* the ones scattered in the renderer side today. This is almost orthogonal to User Activation v2, but fixing it for v1 is not easy, so it is better to focus on v2 for this.

Part of the problem is defining the set of events that should be treated as user activation (Issue 826293)---this is surprisingly vague today.
