Issue metadata

Status: Fixed
Owner:
Closed: Jun 4
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux, Android, Windows, Chrome, Mac, Fuchsia
Pri: 2
Type: Bug-Security

Blocking:
issue 848123




Security: Simulated Alt + Click event can download a cross origin file

Project Member Reported by mea...@chromium.org, Jun 1

Issue description

Split from bug 848123. The POC is simulate.html in that bug.

This seems to defeat the protections added in bug 608669.

jochen: Can you PTAL?
 
Project Member

Comment 1 by sheriffbot@chromium.org, Jun 1

Labels: Pri-2

Project Member

Comment 2 by bugdroid1@chromium.org, Jun 4

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/4379a7fcff8190aa7ba72307b398161c32102c52

commit 4379a7fcff8190aa7ba72307b398161c32102c52
Author: Jochen Eisinger <jochen@chromium.org>
Date: Mon Jun 04 10:51:32 2018

Only allow downloading in response to real keyboard modifiers

BUG=848531

Change-Id: I97554c8d312243b55647f1376945aee32dbd95bf
Reviewed-on: https://chromium-review.googlesource.com/1082216
Reviewed-by: Mike West <mkwst@chromium.org>
Commit-Queue: Jochen Eisinger <jochen@chromium.org>
Cr-Commit-Position: refs/heads/master@{#564051}
[add] https://crrev.com/4379a7fcff8190aa7ba72307b398161c32102c52/third_party/WebKit/LayoutTests/fast/events/download-on-alt-click-expected.txt
[add] https://crrev.com/4379a7fcff8190aa7ba72307b398161c32102c52/third_party/WebKit/LayoutTests/fast/events/download-on-alt-click.html
[add] https://crrev.com/4379a7fcff8190aa7ba72307b398161c32102c52/third_party/WebKit/LayoutTests/fast/events/download-on-synthesized-alt-click-expected.txt
[add] https://crrev.com/4379a7fcff8190aa7ba72307b398161c32102c52/third_party/WebKit/LayoutTests/fast/events/download-on-synthesized-alt-click.html
[add] https://crrev.com/4379a7fcff8190aa7ba72307b398161c32102c52/third_party/WebKit/LayoutTests/fast/events/resources/notify-done.html
[modify] https://crrev.com/4379a7fcff8190aa7ba72307b398161c32102c52/third_party/blink/renderer/core/loader/frame_loader.cc
[modify] https://crrev.com/4379a7fcff8190aa7ba72307b398161c32102c52/third_party/blink/renderer/core/page/create_window.cc

Status: Fixed (was: Assigned)

Project Member

Comment 4 by sheriffbot@chromium.org, Jun 4

Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify
Cc: luan.her...@hotmail.com
Labels: CVE-2018-16088 CVE_description-missing

Project Member

Comment 7 by sheriffbot@chromium.org, Sep 10

Labels: -Restrict-View-SecurityNotify allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
