New issue
Advanced search Search tips
Note: Color blocks (like or ) mean that a user may not be available. Tooltip shows the reason.

Issue 840124 link

Starred by 6 users

Issue metadata

Status: Assigned
Owner: ----
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux , Windows , Mac
Pri: 1
Type: Bug-Regression



Sign in to add a comment

Disable web security does not work (even using user-data-dir switch) OR user is not able to login

Reported by gilpe...@gmail.com, May 5 2018

Issue description

UserAgent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.139 Safari/537.36

Steps to reproduce the problem:
1. Install a fresh copy of the latest release of chrome in Windows 10 (or other version, I think this happen with any other version)
2. Dont open the browser, try opening it using the command below:

"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --disable-web-security --disable-popup-blocking --allow-running-insecure-content --user-data-dir

OR

"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --disable-web-security --disable-popup-blocking --allow-running-insecure-content --user-data-dir="C:\Users\PC\AppData\Local\Google\Chrome\User Data\Default"

3. After the browser window opens try to login inside the browser. You will see the login screen will open but nothing happens, it's impossible to type/login.

4) Now if you close the browser and open it normally (without any flags) you can login. So go ahead and login;

5) After you login close the browser and open it again using the same line of code I posted above (any of them). 

6) You will see that you will be already loged in (of course) but "disable-web-security" is not working (despite the warning message). I know it's not working cause if I open a website A and do window.open to website B then I cant access the content of B from the A. Till the version of 3 months ago (That I've been using before updating) this bug never happened.

What is the expected behavior?
The expected behaviour is: the user should be able to login and to use the flag disable-web-security.

What went wrong?
The user cant login and even with the warning saying the disable web security is enabled, it is not working.

Did this work before? N/A 

Chrome version: 66.0.3359.139  Channel: stable
OS Version: 10.0
Flash Version: 

I am not a beginner and this bug didnt happen up to the version of 3 months ago of chrome.
 
Labels: Needs-Triage-M66

Comment 2 by bokan@chromium.org, May 7 2018

Cc: bokan@chromium.org
Components: -Blink Blink>SecurityFeature

Comment 3 by gilpe...@gmail.com, May 7 2018

"Labels: Needs-Triage-M66"

Do you need anything from me?
Cc: sindhu.chelamcherla@chromium.org
Labels: Triaged-ET Needs-Feedback
Unable to reproduce this issue on reported version 66.0.3359.139 using Windows 10 with steps mentioned below.

1. Launched chrome with chrome.exe" --disable-web-security --disable-popup-blocking --allow-running-insecure-content --user-data-dir , tried signing into chrome but sign in overlay keeps on loading -- unable to sign in
2. Closed and opened browser normally and signed in
3. Again launched chrome with above flag, opened web store and in devtools console typed window.open("https://www.amazon.com") and new tab with amazon.com opened successfully. Attaching screencast for reference.

@Reporter: Please check the screencast and let us know if we miss anything. Any further information on reproducing the issue would help in further triaging.

Thanks!


840124.mp4
10.8 MB View Download

Comment 5 by gilpe...@gmail.com, May 10 2018

@sindhu.chelamcherla@chromium.org I sincerally dont understand how you said you "cant reproduce this bug"! I watched your screencast and right at the beginning the BUG HAPPENS! You launched chrome and tried to sign in, and the sign in screen never loads! That's is the bug. I cant sign in on my chrome and you proved that you couldnt too. Put your video at 0:25 and you will see you cant login. I am not even talking about the other bug that I reported related to disable-web-security not working, let's just first clear out this bug related to the sign in, ok? I was ready to record my screen but you did it so nicely and you proved the bug happened.

Sorry if I am saying something wrong but in my understanding your video shows exactly what I reported, right?


Project Member

Comment 6 by sheriffbot@chromium.org, May 10 2018

Labels: -Needs-Feedback
Thank you for providing more feedback. Adding the requester to the cc list.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Labels: -Type-Bug -Pri-2 RegressedIn-62 Target-67 M-68 Target-66 hasbisect-per-revision FoundIn-66 FoundIn-67 FoundIn-68 Target-68 OS-Linux OS-Mac Pri-1 Type-Bug-Regression
Owner: pdr@chromium.org
Status: Assigned (was: Unconfirmed)
Able to reproduce the issue on Windows 10, mac 10.13.3 and Ubuntu 17.10 using chrome reported version #66.0.3359.139 and latest canary #68.0.3426.0.

Bisect Information:
=====================
Good build: 62.0.3194.0
Bad Build : 62.0.3196.0

Change Log URL: 
https://chromium.googlesource.com/chromium/src/+log/455d1ae8ef19dc07d06bee90b4552b7d78a8df04..eef5607b471f955590278d5e44762c5206272caa

From the above change log suspecting below change
Change-Id: If0ade80cfd233384f4b74923148b2d79eb4b41d6
Reviewed-on: https://chromium-review.googlesource.com/609317

pdr@ - Could you please check whether this is caused with respect to your change, if not please help us in assigning it to the right owner.

Thanks...!!

Comment 8 by pdr@chromium.org, May 11 2018

Owner: krajshree@chromium.org
Can you try bisecting again? I think this is very unlikely to be my change. The core issue may even be server-side.

Comment 9 by gilpe...@gmail.com, May 11 2018

My friends, is there a "universal" or "standard" test to check wheter "--disable-web-security" is working?

Usually I do this: I open a website that has jQuery loaded and try to open a window with another URL and try to access it. Something like this:

1) acess https://www.sitepor500.com.br (which has jQuery enabled with the latest most uniersal version which is the 1.x.x not the 2.x.x and nor the 3.x.x);
2) then I press F12 (to open dev tools)
3) go to the CONSOLE tab
4) then I execute this code below

janela = window.open("https://www.google.com.br");

5) then I wait the window to be opened and come back to the opener tab (the one with the jquery code available) and try to do this:

$(janela.window.document)

If the browser returns an error it means --disable-web-security is not doing it's job.

Is there any other easier way to do this?
Replaying to OP, this seems to work for me:
1. Go to any fiddle, e.g: https://jsfiddle.net/westonruter/6mSuK/
2. Try to access the frame that runs our code:

  document.getElementsByTagName('iframe')[0].contentWindow.document

3. Get error:

VM944:1 Uncaught DOMException: Blocked a frame with origin "https://jsfiddle.net" from accessing a cross-origin frame.
    at <anonymous>:1:57
(anonymous) @ VM944:1

@asfalt...@gmail.com I didnt understand what you said at the beginning. You say the bug happens for you or the bug is not happening? 
Owner: ----
Has there been any activity on this bug? 

It's causing an issue for us in a legacy in-house application that unfortunately requires us to access cross-origin frames.
The workaround is to download an old version of Chrome as a portable app : https://sourceforge.net/projects/portableapps/files/Google%20Chrome%20Portable/ (version 66.0.3359.181 still works). It's the one I use when I'm developing...

Sign in to add a comment