New issue
Advanced search Search tips
Note: Color blocks (like or ) mean that a user may not be available. Tooltip shows the reason.

Issue 876100 link

Starred by 1 user
Status: WontFix
Owner:
drubery@chromium.org
Closed: Aug 31
Cc:
kenrb@chromium.org
jialiul@chromium.org
nasko@chromium.org
vakh@chromium.org
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux , Windows , Chrome , Mac
Pri: 3
Type: Bug



Sign in to add a comment

Password reuse detection always uses main frame URL, not the frame of reuse

Project Member Reported by drubery@chromium.org, Aug 20 
As a follow up to crbug/869062, the ChromePasswordManagerClient currently checks all password reuse against the domain of the main frame. This creates false positives when a password is used in a cross-origin subframe. We would like to track which frame the password was reused on, and report that alongside the main frame URL.

Comment 1 by drubery@chromium.org, Aug 20

Cc: jialiul@chromium.org nasko@chromium.org
+nasko@, in your comment #12 from crbug/869062, you mention that multiple frames may share a single RenderWidgetHost. When that occurs, is there any way to distinguish which frame had the input event? Or will this bug require changes to the way events are dispatched?

Comment 2 by nasko@chromium.org, Aug 20

Cc: kenrb@chromium.org
kenrb@ is the expert on input events with multiple processes. I think we know which frame it is inside the renderer process, but not sure if this information is available in the browser.

Comment 3 by kenrb@chromium.org, Aug 21 

As Nasko mentioned, there is a one-to-many relationship between RenderWidgetHosts and RenderFrameHosts. In general we route input events through RenderWidgetHosts, and frame-level dispatching is done in the renderer process.

In the case of keyboard events the browser process could hypothetically infer which frame will receive the event, because it does know which frame is currently focused -- e.g. RenderFrameHostImpl::IsFocused(). I don't know if this information is exposed though the content API (it doesn't look like it). Also it could sometimes be wrong because of race conditions, where for instance a keyboard event is being processed in the browser process and the focused frame is simultaneously changing in the renderer process. If you want to know with certainty which frame received a keyboard event then you would have to plumb that information in an acknowledgement from the renderer.

Comment 4 by vakh@chromium.org, Aug 24

Labels: SafeBrowsing-Triaged

Comment 5 by drubery@chromium.org, Aug 31

Status: WontFix (was: Assigned)
After a little more consideration, I don't think this is possible to do with any kind of reliability. My first concern was that focus can be moved around with JS, allowing different frames to each get part of the password and then stitch it back together. This seems to limit us to indicating which SiteInstance used the password.

But this can be extended to cross-origin frames, using postMessage, if the main frame is malicious. Since we have no way of determining which frames have knowledge of the key presses, there's no reasonable definition of "which frame" had the password reuse. I think we'll have to settle for aggregating over the whole WebContents, and reporting the main frame URL.

Comment 6 by jialiul@chromium.org, Aug 31 

Thanks for investigating this Dan!

Sign in to add a comment