Popunder restriction bypass with keydown and keypress event
Reported by
masatoki...@gmail.com,
Apr 25 2018
Issue description

UserAgent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/68.0.3406.0 Safari/537.36

Steps to reproduce the problem:
1. Navigate to https://vulnerabledoma.in/popunder/keyevent.html . On this page, two key event listeners are set:

   onkeydown=function(){ window.open('//example.com/','_blank','a'); }
   onkeypress=function(){ window.open('about:blank','_blank').close(); }

2. Press any key.
3. A popunder window is opened.

What is the expected behavior?
The popunder window should not be opened.

What went wrong?
The popunder window is opened.

Did this work before? N/A

Chrome version: 68.0.3406.0
Channel: canary
OS Version: 10.0
Flash Version:

I confirmed it works on Mac Canary (68.0.3406.0 64bit) also.
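An added example, not code from the report or from Chromium: a page-side monitor that wraps window.open and records which key event triggered each call, with a check for the keydown open followed by the keypress open-and-close sequence described above, so a site operator can spot this pattern in third-party scripts. It assumes only a window-like object exposing open() and event; the simulation uses a constructed stand-in so it runs outside a browser.

```javascript
// Wraps win.open so every call is logged with the event that triggered it.
function installPopunderMonitor(win) {
  const log = [];
  const realOpen = win.open.bind(win);
  win.open = function (url, target, features) {
    const ev = win.event; // Chrome exposes the event being dispatched as window.event
    const entry = { url, target, features, eventType: ev ? ev.type : null, closed: false };
    log.push(entry);
    const child = realOpen(url, target, features);
    if (child && typeof child.close === 'function') {
      const realClose = child.close.bind(child);
      // Record whether the page closed the popup again (the step that moves activation)
      child.close = function () { entry.closed = true; return realClose(); };
    }
    return child;
  };
  return log;
}

// Flags an open() during keydown that stays open, followed by an open()+close() during
// keypress: the second call takes activation and leaves the first window behind.
function findPopunderPattern(log) {
  const hits = [];
  for (let i = 0; i + 1 < log.length; i++) {
    const a = log[i], b = log[i + 1];
    if (a.eventType === 'keydown' && !a.closed && b.eventType === 'keypress' && b.closed) hits.push(i);
  }
  return hits;
}

// Constructed stand-in for a browser window (assumption: only open() and event are needed),
// driven with the two listeners from the report so the monitor can be exercised under Node.
function simulateReportedPage() {
  const win = {
    event: null,
    open() { return { close() {} }; }, // stand-in for the real window.open
  };
  const log = installPopunderMonitor(win);
  const listeners = {
    keydown: () => { win.open('//example.com/', '_blank', 'a'); },
    keypress: () => { win.open('about:blank', '_blank').close(); },
  };
  for (const type of ['keydown', 'keypress']) { // one key press dispatches both events
    win.event = { type };
    listeners[type]();
    win.event = null;
  }
  return log;
}
```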
Apr 25 2018
Nice find. Reproduces on ChromeOS at least, probably elsewhere. From reading the description this seems really similar to issue 834598, where the second call to open() triggers activation.
Apr 26 2018
I noticed that the WebUSB dialog also triggers activation. Here is the PoC: https://vulnerabledoma.in/popunder/webusb.html

   onkeydown=function(){ window.open('//example.com/','_blank','a'); }
   onkeypress=function(){ navigator.usb.requestDevice({filters:[]}); location.href="//l0.cm/h_back.html" //do history.back() }
Apr 27 2018
Able to reproduce the issue on the reported Chrome version 68.0.3406.0 and on the latest Chrome 68.0.3409.2 using Mac 10.13.1, Win-10 and Ubuntu 14.04. As the same issue is seen from M-60 (60.0.3112.0), considering this issue a non-regression and marking it as untriaged. Thanks!
Apr 30 2018
I split comment 3 into bug 838314. Please report one issue per bug entry.
Apr 30 2018
The issue here is that closing a tab in a window activates the window.

AppKit`-[NSWindow makeKeyAndOrderFront:]
libcontent.dylib`content::WebContentsViewMac::Focus(this=0x0000000172309330) + 201 at web_contents_view_mac.mm:203
libcontent.dylib`content::WebContentsViewMac::SetInitialFocus(this=0x0000000172309330) + 134 at web_contents_view_mac.mm:213
libcontent.dylib`content::WebContentsViewMac::RestoreFocus(this=0x0000000172309330) + 92 at web_contents_view_mac.mm:230
libcontent.dylib`content::WebContentsImpl::RestoreFocus(this=0x0000000100894400) + 56 at web_contents_impl.cc:3320
libchrome_dll.dylib`::-[TabStripController activateTabWithContents:previousContents:atIndex:reason:](self=0x000000016581a460, _cmd="activateTabWithContents:previousContents:atIndex:reason:", newContents=0x0000000100894400, oldContents=0x00000001678b0000, modelIndex=1, reason=0) + 550 at tab_strip_controller.mm:1387
libchrome_dll.dylib`TabStripModelObserverBridge::ActiveTabChanged(this=0x0000000165803a30, old_contents=0x00000001678b0000, new_contents=0x0000000100894400, index=1, reason=0) + 118 at tab_strip_model_observer_bridge.mm:65
libchrome_dll.dylib`TabStripModel::NotifyIfActiveTabChanged(this=0x000000011c686800, old_contents=0x00000001678b0000, notify_types=kDefault) + 518 at tab_strip_model.cc:1205
libchrome_dll.dylib`TabStripModel::DetachWebContentsAt(this=0x000000011c686800, index=2) + 3976 at tab_strip_model.cc:332
libchrome_dll.dylib`TabStripModel::WebContentsData::WebContentsDestroyed(this=0x00000001723390b0) + 440 at tab_strip_model.cc:157
libcontent.dylib`content::WebContentsImpl::~WebContentsImpl(this=0x00000001678b0000) + 4583 at web_contents_impl.cc:635
libcontent.dylib`content::WebContentsImpl::~WebContentsImpl(this=0x00000001678b0000) + 21 at web_contents_impl.cc:547
libcontent.dylib`content::WebContentsImpl::~WebContentsImpl(this=0x00000001678b0000) + 25 at web_contents_impl.cc:547
libchrome_dll.dylib`CloseWebContentses(delegate=0x000000011c686800, items=span<content::WebContents *const> @ 0x00007fff5fbfa948, close_types=2) + 914 at web_contents_closer.cc:152
libchrome_dll.dylib`TabStripModel::InternalCloseTabs(this=0x000000011c686800, items=span<content::WebContents *const> @ 0x00007fff5fbfaa98, close_types=2) + 407 at tab_strip_model.cc:1170
libchrome_dll.dylib`TabStripModel::CloseWebContentsAt(this=0x000000011c686800, index=2, close_types=2) + 288 at tab_strip_model.cc:460
libchrome_dll.dylib`chrome::CloseWebContents(browser=0x000000011c686500, contents=0x00000001678b0000, add_to_history=true) + 247 at browser_tabstrip.cc:81
libchrome_dll.dylib`Browser::CloseContents(this=0x000000011c686500, source=0x00000001678b0000) + 177 at browser.cc:1551
libcontent.dylib`content::WebContentsImpl::Close(this=0x00000001678b0000, rvh=0x0000000163bf7fa0) + 215 at web_contents_impl.cc:5195
Apr 30 2018
And on Views we have the trace:
* frame #0: 0x00007fff82577f5c AppKit`-[NSWindow makeKeyAndOrderFront:]
frame #1: 0x000000012262ad49 libcontent.dylib`content::WebContentsViewMac::Focus(this=0x000000015a4285b0) + 201 at web_contents_view_mac.mm:203
frame #2: 0x00000001222150b8 libcontent.dylib`content::WebContentsImpl::Focus(this=0x0000000100811400) + 56 at web_contents_impl.cc:3308
frame #3: 0x0000000139efdd63 libwebview.dylib`views::WebView::OnFocus(this=0x000000015a361010) + 131 at webview.cc:237
frame #4: 0x000000013852728d libviews.dylib`views::View::Focus(this=0x000000015a361010) + 29 at view.cc:1801
frame #5: 0x00000001384a9a27 libviews.dylib`views::FocusManager::SetFocusedViewWithReason(this=0x0000000162f7a090, view=0x000000015a361010, reason=kReasonDirectFocusChange) + 583 at focus_manager.cc:348
frame #6: 0x0000000138389082 libviews.dylib`views::FocusManager::SetFocusedView(this=0x0000000162f7a090, view=0x000000015a361010) + 34 at focus_manager.h:175
frame #7: 0x0000000138522d5e libviews.dylib`views::View::RequestFocus(this=0x000000015a361010) + 126 at view.cc:1313
frame #8: 0x0000000139efe5f0 libwebview.dylib`views::WebView::OnWebContentsFocused(this=0x000000015a361010, render_widget_host=0x000000016583e200) + 32 at webview.cc:321
frame #9: 0x0000000122208d1e libcontent.dylib`content::WebContentsImpl::NotifyWebContentsFocused(this=0x0000000100811400, render_widget_host=0x000000016583e200) + 158 at web_contents_impl.cc:3544
frame #10: 0x000000012262b081 libcontent.dylib`content::WebContentsViewMac::GotFocus(this=0x000000015a4285b0, render_widget_host=0x000000016583e200) + 33 at web_contents_view_mac.mm:259
frame #11: 0x0000000121ceeb84 libcontent.dylib`content::RenderViewHostImpl::RenderWidgetGotFocus(this=0x00000001639a3300) + 84 at render_view_host_impl.cc:697
frame #12: 0x0000000121d034fa libcontent.dylib`content::RenderWidgetHostImpl::GotFocus(this=0x000000016583e200) + 58 at render_widget_host_impl.cc:903
frame #13: 0x000000012261ca0c libcontent.dylib`content::RenderWidgetHostViewMac::OnNSViewIsFirstResponderChanged(this=0x000000016781e800, is_first_responder=true) + 108 at render_widget_host_view_mac.mm:1232
frame #14: 0x00000001226412da libcontent.dylib`::-[RenderWidgetHostViewCocoa becomeFirstResponder](self=0x0000000163a1bde0, _cmd="becomeFirstResponder") + 186 at render_widget_host_view_cocoa.mm:1234
frame #15: 0x00007fff824373fa AppKit`-[NSWindow _realMakeFirstResponder:] + 431
frame #16: 0x00007fff824371f7 AppKit`-[NSWindow makeFirstResponder:] + 123
frame #17: 0x000000012262ad0d libcontent.dylib`content::WebContentsViewMac::Focus(this=0x000000015a4285b0) + 141 at web_contents_view_mac.mm:200
frame #18: 0x00000001222150b8 libcontent.dylib`content::WebContentsImpl::Focus(this=0x0000000100811400) + 56 at web_contents_impl.cc:3308
frame #19: 0x0000000139efdd63 libwebview.dylib`views::WebView::OnFocus(this=0x000000015a361010) + 131 at webview.cc:237
frame #20: 0x000000013852728d libviews.dylib`views::View::Focus(this=0x000000015a361010) + 29 at view.cc:1801
frame #21: 0x00000001384a9a27 libviews.dylib`views::FocusManager::SetFocusedViewWithReason(this=0x0000000162f7a090, view=0x000000015a361010, reason=kReasonDirectFocusChange) + 583 at focus_manager.cc:348
frame #22: 0x0000000138389082 libviews.dylib`views::FocusManager::SetFocusedView(this=0x0000000162f7a090, view=0x000000015a361010) + 34 at focus_manager.h:175
frame #23: 0x0000000138522d5e libviews.dylib`views::View::RequestFocus(this=0x000000015a361010) + 126 at view.cc:1313
frame #24: 0x000000010a3b47f8 libchrome_dll.dylib`ChromeWebContentsViewFocusHelper::RestoreFocus(this=0x000000015a427100) + 72 at chrome_web_contents_view_focus_helper.cc:68
frame #25: 0x000000010a13844d libchrome_dll.dylib`ChromeWebContentsViewDelegateViewsMac::RestoreFocus(this=0x000000015a428460) + 29 at chrome_web_contents_view_delegate_views_mac.mm:38
frame #26: 0x000000012262ae9d libcontent.dylib`content::WebContentsViewMac::RestoreFocus(this=0x000000015a4285b0) + 61 at web_contents_view_mac.mm:222
frame #27: 0x0000000122215178 libcontent.dylib`content::WebContentsImpl::RestoreFocus(this=0x0000000100811400) + 56 at web_contents_impl.cc:3320
frame #28: 0x000000010a328867 libchrome_dll.dylib`BrowserView::OnActiveTabChanged(this=0x0000000163014600, old_contents=0x000000015e0c3800, new_contents=0x0000000100811400, index=0, reason=0) + 1239 at browser_view.cc:821
frame #29: 0x0000000109a8afb7 libchrome_dll.dylib`Browser::ActiveTabChanged(this=0x0000000162f743b0, old_contents=0x000000015e0c3800, new_contents=0x0000000100811400, index=0, reason=0) + 183 at browser.cc:1079
frame #30: 0x0000000109bb2736 libchrome_dll.dylib`TabStripModel::NotifyIfActiveTabChanged(this=0x0000000162f746b0, old_contents=0x000000015e0c3800, notify_types=kDefault) + 518 at tab_strip_model.cc:1205
frame #31: 0x0000000109badde8 libchrome_dll.dylib`TabStripModel::DetachWebContentsAt(this=0x0000000162f746b0, index=1) + 3976 at tab_strip_model.cc:332
frame #32: 0x0000000109bacbe8 libchrome_dll.dylib`TabStripModel::WebContentsData::WebContentsDestroyed(this=0x0000000169f0aa30) + 440 at tab_strip_model.cc:157
frame #33: 0x00000001221f29c7 libcontent.dylib`content::WebContentsImpl::~WebContentsImpl(this=0x000000015e0c3800) + 4583 at web_contents_impl.cc:635
frame #34: 0x00000001221f4635 libcontent.dylib`content::WebContentsImpl::~WebContentsImpl(this=0x000000015e0c3800) + 21 at web_contents_impl.cc:547
frame #35: 0x00000001221f4759 libcontent.dylib`content::WebContentsImpl::~WebContentsImpl(this=0x000000015e0c3800) + 25 at web_contents_impl.cc:547
frame #36: 0x0000000109bcf172 libchrome_dll.dylib`CloseWebContentses(delegate=0x0000000162f746b0, items=span<content::WebContents *const> @ 0x00007fff5fbfa918, close_types=2) + 914 at web_contents_closer.cc:152
frame #37: 0x0000000109bb5097 libchrome_dll.dylib`TabStripModel::InternalCloseTabs(this=0x0000000162f746b0, items=span<content::WebContents *const> @ 0x00007fff5fbfaa68, close_types=2) + 407 at tab_strip_model.cc:1170
frame #38: 0x0000000109bb5380 libchrome_dll.dylib`TabStripModel::CloseWebContentsAt(this=0x0000000162f746b0, index=1, close_types=2) + 288 at tab_strip_model.cc:460
frame #39: 0x0000000109acc2b7 libchrome_dll.dylib`chrome::CloseWebContents(browser=0x0000000162f743b0, contents=0x000000015e0c3800, add_to_history=true) + 247 at browser_tabstrip.cc:81
frame #40: 0x0000000109a906b1 libchrome_dll.dylib`Browser::CloseContents(this=0x0000000162f743b0, source=0x000000015e0c3800) + 177 at browser.cc:1551
Comment 1 by viswa.karala@chromium.org, Apr 25 2018