New issue
Advanced search Search tips
Note: Color blocks (like or ) mean that a user may not be available. Tooltip shows the reason.
Starred by 3 users

Issue metadata

Status: Fixed
Closed: Jun 2018
EstimatedDays: ----
NextAction: ----
OS: Linux , Android , Windows , Chrome , Mac , Fuchsia
Pri: 2
Type: Bug-Security

issue 848123

Participants' hotlists:

Sign in to add a comment

Issue 848531: Security: Simulated Alt + Click event can download a cross origin file

Reported by, Jun 1 2018 Project Member

Issue description

Split from  bug 848123 . The POC is simulate.html in that bug.

This seems to defeat the protections added in  bug 608669 .

jochen: Can you PTAL?

Comment 1 by, Jun 1 2018

Project Member
Labels: Pri-2

Comment 2 by, Jun 4 2018

Project Member
The following revision refers to this bug:

commit 4379a7fcff8190aa7ba72307b398161c32102c52
Author: Jochen Eisinger <>
Date: Mon Jun 04 10:51:32 2018

Only allow downloading in response to real keyboard modifiers

BUG= 848531 

Change-Id: I97554c8d312243b55647f1376945aee32dbd95bf
Reviewed-by: Mike West <>
Commit-Queue: Jochen Eisinger <>
Cr-Commit-Position: refs/heads/master@{#564051}

Comment 3 by, Jun 4 2018

Status: Fixed (was: Assigned)

Comment 4 by, Jun 4 2018

Project Member
Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify

Comment 5 by, Jul 30 2018


Comment 6 by, Sep 5

Labels: CVE-2018-16088 CVE_description-missing

Comment 7 by, Sep 10

Project Member
Labels: -Restrict-View-SecurityNotify allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit - Your friendly Sheriffbot

Comment 8 by, Jan 4

Labels: -CVE_description-missing CVE_description-submitted

Sign in to add a comment