Security: Permission request UI spoof (repro issue 816033)
Reported by
chromium...@gmail.com,
Apr 20 2018
Issue description

VERSION
Chrome Version: 68.0.3401.0 (Official Build) canary (64-bit) (cohort: Clang-64)
Operating System: Windows

REPRODUCTION CASE
- Microphone permission shouldn't be allowed or blocked on chrome://settings/content/microphone
1. Set up a local webserver to host poc.html
2. Click on "Click here" button
3. Observe the permission request stays open after navigation to another origin (with http://localhost wants to...)
,
Apr 21 2018
Similar to issue 822957, I am unable to reproduce this.
,
Apr 21 2018
,
Apr 21 2018
Yes, but the problem with Issue 822957 is that microphone permission should not be allowed or blocked to display the permission request bubble.
,
Apr 21 2018
Thank you for providing more feedback. Adding the requester to the cc list. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Apr 23 2018
guidou@ -- please take a look and triage as appropriate. I am unable to repro it but you might be able to. Thanks.
,
Apr 23 2018
OP -- the poc for this issue and issue 822957 is exactly the same. Can you please describe how the two are different?
,
Apr 23 2018
Yeah, it is the same PoC in issue 822957 and issue 816033 as well. The problem in issue 822957 was I didn't provide that microphone permission shouldn't be allowed or blocked on chrome://settings/content/microphone, and that's why you weren't able to repro it.
,
Apr 23 2018
Still unable to repro. I'm attaching the video here.
,
Apr 23 2018
,
Apr 23 2018
Thank you for providing more feedback. Adding the requester to the cc list. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Apr 23 2018
,
Apr 23 2018
OP -- did I miss anything in #c9? Is there a more reliable way to reproduce the bug? If not, I'm afraid I'll have to mark this one also as WontFix.
,
Apr 23 2018
Weird, I don't know why the first permission request bubble doesn't show on http://localhost.
,
Apr 23 2018
Thank you for providing more feedback. Adding the requester to the cc list. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Apr 23 2018
Can you please try this last test case?
,
Apr 23 2018
Same result. I'm sorry, I'm marking it as WontFix for now.
,
Apr 23 2018
I forgot to add: Thanks for the bug report and for persevering.
,
Apr 24 2018
I just noticed that the notification bubble popup did not appear at all in the video in #c18. To be clear, the bubble did pop up when I was on localhost but went away when the page navigated to google.com
,
Apr 24 2018
Hmm... but in #c18 you were trying to repro this on macOS, and this doesn't repro on macOS, only Windows and Linux. I have another way to make this clear.
1. Open Chrome on Linux.
3. Load google.com
4. Open devtools and enter:
   var recognition = new webkitSpeechRecognition();
   recognition.start();
   navigator.webkitGetUserMedia({audio: true}, function(){}, function(){});
5. Now you can see the notification bubble popup appears on google.com
6. Go to the Omnibox and type example.com >> Enter
,
Apr 24 2018
,
Apr 24 2018
I don't have access to a Linux machine at the moment so marking this back as Untriaged.
,
Apr 24 2018
You can also try it on Windows, please in #c21 in step-6 use mixed.badssl.com instead of example.com :-)
,
Apr 25 2018
RE #24: Sorry, I can't reproduce a problem here using the repro steps in #17 or #21+ #24. The permissions prompt disappears immediately upon navigation to the new site.
68.0.3405.0 {"arch":"x86-64","nacl_arch":"x86-64","os":"win"}
,
Aug 2
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by vakh@chromium.org, Apr 21 2018