Issue metadata
Sign in to add a comment
|
Cannot execute javascript from bookmarks/omnibox on incognito NTP, extension NTPs
Reported by
mr.ber...@gmail.com,
Oct 8
|
||||||||||||||||||||||
Issue description
UserAgent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36
Steps to reproduce the problem:
1. Open New Tab
2. Enter javascript:window.alert('Hi') in Omnibox
3. Press Enter
What is the expected behavior?
"Hi"
What went wrong?
Nothing happens.
Did this work before? Yes I don't remember - around Chrome 50 I would think?
Chrome version: 69.0.3497.100 Channel: stable
OS Version: 10.0
Flash Version:
Entering JavaScript code in the Omnibox may be a rare thing to do, but I do have some dynamic bookmarks (javascript:location.href="http://www.google.com/search?q=Important dates in " + (new Date()).toLocaleString("en-us", { month: "long" })) and POST-form-submitting custom searches (https://superuser.com/a/305504/253137) configured that only work if the current tab is not a new tab page.
,
Oct 9
Unable to reproduce the issue on chrome reported version# 69.0.3497.100 using Windows-10 with steps mentioned below:
1) Launched chrome reported version and in New Tab Page Omnibox Entered "javascript:Window.alert('Hi')
2) Able to see prompt message as "Hi"
@Reporter: Please find the attached screencast for your reference and provide your feedback on it which help in further triaging the issue.
Thanks!
,
Oct 9
@viswa.karala thanks, you are correct. Indeed, with a blank new tab page javascript is executed. But here are my corrected repro steps:
Variant A
1. Open new *incognito* tab
2. Enter javascript:window.alert('Hi') in Omnibox
3. Press Enter
Variant B
0. Install https://chrome.google.com/webstore/detail/earth-view-from-google-ea/bhloflhklmhfpedakmangadcdofhnnoh
1. Open New Tab
2. Enter javascript:window.alert('Hi') in Omnibox
3. Press Enter
In these two cases, the javascript code is not executed.
,
Oct 9
Thank you for providing more feedback. Adding the requester to the cc list. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Oct 17
,
Oct 19
,
Nov 13
Redirecting primarily to the new tab page team. CCing components of incognito and extension teams in case they have ideas off the top the head as to the cause. Thanks for the report!
,
Nov 13
The origin of the regular mode NTP is the origin of the default search engine (e.g. "https://www.google.com"). The origin of the Incognito NTP is "chrome://ntp", and of extensions pages it's "chrome-extensions://<extension-id>". So it seems the issue is that bookmarklets don't work on some of our custom schemes, only on regular https:// pages. You can see that it's still possible to execute JavaScript on the Incognito NTP via DevTools, so it's not an issue of the JavaScript content setting being blocked. Could be some security hardening against bookmarklets?
,
Nov 13
,
Nov 16
@8 Yep, exactly - this is WAI as we made these changes for security reasons. We disallow javascript: URLs on chrome and chrome-extension pages, due to the increased privileges those pages have and the low general usage of it as an intentional feature. |
|||||||||||||||||||||||
►
Sign in to add a comment |
|||||||||||||||||||||||
Comment 1 by susan.boorgula@chromium.org
, Oct 8