
Issue 849696

Starred by 2 users

Issue metadata

Status: WontFix
Owner:
Closed: Nov 21
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Mac
Pri: 2
Type: Bug




Permissions request box requester is ambiguous/elided

Reported by ja...@apkudo.com, Jun 5 2018

Issue description

UserAgent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.170 Safari/537.36

Steps to reproduce the problem:
1. Visit site that requests permissions that has a long name
2. 
3. 

What is the expected behavior?
The complete identifying information should be provided. We need enough information to trace back the originator of the request. For microphone permission, we should get the requester and destination information. 

What went wrong?
The text was elided, which prevents identification of the requester.

Did this work before? No 

Chrome version: 66.0.3359.170  Channel: n/a
OS Version: OS X 10.13.4
Flash Version: 

While the feature does not yet exist, I think having a button of "report suspicious activity" to blacklist sites would be in order. If you visit the url in the screenshot, there is NO REASON why microphone should be requested.  ( https://www.extendoffice.com/documents/excel/692-excel-exponential-calculation.html#a2 )
 
Screen Shot 2018-06-05 at 11.24.45 AM.png
47.2 KB
Labels: Needs-Triage-M66
Cc: phanindra.mandapaka@chromium.org
Labels: Needs-Feedback Triaged-ET
Unable to reproduce the issue on the reported Chrome version 66.0.3359.170 using Mac 10.13.3. Attaching a screencast for reference.

Steps 
--------
1. Launched Chrome.
2. Navigated to the URL given in comment #0 "( https://www.extendoffice.com/documents/excel/692-excel-exponential-calculation.html#a2 )"
We have not seen any popup alerts on the given URL.

@Reporter: Could you please review the attached screencast and confirm whether anything is being missed here? Can you also verify this issue with a fresh profile that does not have any extensions or apps, or reset all the flags? Let us know whether the issue still persists.

Thanks! 
849696.mp4
2.2 MB

Comment 3 by ja...@apkudo.com, Jun 7 2018

So one thing that I neglected to mention was that it didn't come up immediately. I am trying to replicate it by leaving it open... I will report back.

I fear that it was something to do with an ad being served or some content loaded later. I don't think the site itself is malicious. But without complete identifying information, we can't identify the resource, much less the owner of it, for attribution. The fact that it maps to someone on Amazon S3 is not enough. 

So this is really two issues:
1. My primary issue is that the identifying information is incomplete (it's clearly elided). It should be reproducible on any request with a hostname long enough.

2. The UI does not offer sufficient additional information. Hostname is only one of several parameters. The request URL and SSL certificate should be available for inspection. I don't know who is collecting the information, and I don't have enough information to hand over to anyone to identify the requester/recipient of the information for identification. Services like AWS Lambda mean many people are operating on the same host, or the host may be proxied, in which case only the SSL cert will tell me.

For #2, it might be a product decision, but I think it's very important, just the SSL Cert mismatch warning.


I will continue to monitor the page and see what else I can find.
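
Point 1 of the comment above, as an added example (not Chromium's code and not part of the original thread): cutting a long hostname at the end hides the labels that identify its owner, while eliding from the front keeps them visible. The function names and the sample hostname are constructed for illustration, and the registrable domain is assumed to be the last two labels; a real implementation would consult the Public Suffix List.

```javascript
// Added illustration; not Chromium code. Assumes the registrable domain is
// the last two labels (a real implementation consults the Public Suffix List).
const ELLIPSIS = "\u2026";

// Naive tail truncation: drops the end of the host, which is the part that
// identifies who owns it.
function elideTail(host, maxLen) {
  if (host.length <= maxLen) return host;
  return host.slice(0, maxLen - 1) + ELLIPSIS;
}

// Head elision: keep as many trailing labels as fit, never fewer than the
// assumed registrable domain, and mark the omission at the front.
function elideHead(host, maxLen, keepLabels = 2) {
  if (host.length <= maxLen) return host;
  const labels = host.split(".");
  let kept = labels.slice(-keepLabels); // always shown, even if over maxLen
  for (let i = labels.length - keepLabels - 1; i >= 0; i--) {
    const candidate = [labels[i], ...kept];
    // +2 accounts for the leading ellipsis and the dot after it
    if (candidate.join(".").length + 2 > maxLen) break;
    kept = candidate;
  }
  // Nothing was dropped (host has no labels beyond the protected ones):
  // show it whole rather than imply an omission.
  if (kept.length === labels.length) return host;
  return ELLIPSIS + "." + kept.join(".");
}

// Constructed sample hostname (not taken from the issue).
const SAMPLE_HOST = "media-assets-7f3a9c2e.cdn-edge.eu-west.storage.example.com";

console.log(elideTail(SAMPLE_HOST, 30));
console.log(elideHead(SAMPLE_HOST, 30));
```
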

Project Member

Comment 4 by sheriffbot@chromium.org, Jun 7 2018

Labels: -Needs-Feedback
Thank you for providing more feedback. Adding the requester to the cc list.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Labels: Needs-Feedback
As per comment #3, adding the Needs-Feedback label.

Thanks...!!
Owner: bettes@chromium.org
Status: Assigned (was: Unconfirmed)
Assigning to bettes@ for UI evaluation.
Labels: Hotlist-DesktopUIChecked
Status: WontFix (was: Assigned)
Update:

***UI Mass Triage***

We were unable to reproduce this bug on Mac (10.13.1, 10.13.6, 10.14.2) as no pop-up is seen by default. If this bug still reproduces for you, please reopen or file a new issue.

Thanks!
