
Issue 838905 link


Issue metadata

Status: WontFix
Owner:
Closed: May 2018
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Windows
Pri: 2
Type: Bug


Loading iframe in 'chrome://newtab/' in incognito mode crashes Chrome

Reported by not...@outlook.com, May 2 2018

Issue description

UserAgent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.139 Safari/537.36

Steps to reproduce the problem:
1. Open an incognito window and stay in the new tab page
2. Open devtools
3. Select any DOM node and select edit as HTML
4. Paste `<iframe src="any-url"></iframe>`
5. Focus out of edit view to save changes

What is the expected behavior?
The URL specified on the iframe should be loaded, or fail to load, based on the CSP of the page being loaded.

What went wrong?
The browser crashes immediately.

Crashed report ID: e1e8725c-6c01-4d05-9a5c-a40f0d42fb37

How much crashed? Whole browser

Is it a problem with a plugin? No 

Did this work before? N/A 

Chrome version: 66.0.3359.139  Channel: stable
OS Version: 10.0
Flash Version: 

The behavior is also seen even if there exists an empty iframe already on the page and a page is loaded programmatically like `$0.src = "url"`.
 
Labels: Needs-Feedback
I cannot reproduce with the same build. Are you able to provide the server crash id from chrome://crashes? (you've provided the local id)

Comment 2 by not...@outlook.com, May 2 2018

Crash ID: 678b7ad715e939e7

Comment 3 by sheriffbot@chromium.org, May 2 2018

Cc: dtapu...@chromium.org
Labels: -Needs-Feedback
Thank you for providing more feedback. Adding the requester to the cc list.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 4 Deleted

Cc: -dtapu...@chromium.org
Components: UI>Browser>Navigation
Owner: clamy@chromium.org
Status: Assigned (was: Unconfirmed)
clamy@

This is an explicit crash of the browser process you added a few years ago:
https://cs.chromium.org/chromium/src/content/browser/frame_host/navigator_impl.cc?sq=package:chromium&l=156

Is it still needed?

Comment 6 by nasko@chromium.org, May 2 2018

Cc: clamy@chromium.org creis@chromium.org
Owner: nasko@chromium.org
Status: WontFix (was: Assigned)
Yes, this check is still needed and I just added enforcement of not allowing any web iframes to be inserted in chrome:// and WebUI pages. This was r554206 to ensure the security model for WebUI is preserved and isolation is guaranteed.
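
The rule nasko@ describes above, as an added example that is not part of this bug or of Chromium's own code: a constructed C++ model of the browser-side decision "a child frame under a WebUI page may never be navigated to web content". The function names, the scheme-only test and the sample URLs are assumptions for illustration; the real check in the browser process covers more cases than this.

```cpp
#include <cctype>
#include <iostream>
#include <string>
#include <utility>
#include <vector>

// Constructed model (not Chromium code) of the invariant from comment 6:
// a frame whose parent document is WebUI (chrome://) must never be
// navigated to web content. Only the scheme-based decision is modelled.

struct NavigationDecision {
  bool allowed;
  std::string reason;
};

// Returns the lower-cased scheme of |url| ("chrome", "https", "about", ...),
// or an empty string when the URL carries no scheme at all.
std::string SchemeOf(const std::string& url) {
  const std::string::size_type colon = url.find(':');
  if (colon == std::string::npos) return "";
  std::string scheme = url.substr(0, colon);
  for (char& c : scheme)
    c = static_cast<char>(std::tolower(static_cast<unsigned char>(c)));
  return scheme;
}

// Simplification for this example: WebUI documents are the chrome:// ones.
bool IsWebUiUrl(const std::string& url) { return SchemeOf(url) == "chrome"; }

// Decide whether a child frame under |parent_url| may be navigated to
// |child_url|. Evaluating at navigation time (not at element insertion)
// also covers the reporter's second variant: an empty <iframe> already in
// the page whose src is set later from script.
NavigationDecision CheckChildFrameNavigation(const std::string& parent_url,
                                             const std::string& child_url) {
  if (!IsWebUiUrl(parent_url)) {
    return {true, "parent is not WebUI; ordinary web rules (CSP etc.) apply"};
  }
  const std::string child_scheme = SchemeOf(child_url);
  if (child_scheme == "chrome" || child_url == "about:blank") {
    return {true, "privileged or empty document inside a WebUI frame"};
  }
  return {false, "web content (" + child_scheme +
                     ") inside a WebUI frame breaks WebUI isolation; "
                     "navigation refused"};
}

int main() {
  // Constructed sample navigations, including the reporter's repro.
  const std::vector<std::pair<std::string, std::string>> cases = {
      {"chrome://newtab/", "https://example.test/"},     // the repro
      {"chrome://newtab/", "about:blank"},                // empty iframe
      {"chrome://settings/", "chrome://resources/x"},     // WebUI in WebUI
      {"https://example.test/", "https://other.test/"},   // not WebUI
  };
  for (const auto& c : cases) {
    const NavigationDecision d = CheckChildFrameNavigation(c.first, c.second);
    std::cout << c.first << " -> " << c.second << ": "
              << (d.allowed ? "allow" : "BLOCK") << " (" << d.reason << ")\n";
  }
  return 0;
}
```

The design point worth noting is that the decision is attached to the navigation, not to the DOM mutation: checking only when the `<iframe>` element is inserted would miss the `$0.src = "url"` variant from the report, which is why the browser process, not the renderer, is the right place to enforce it.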
