
Issue 893089

Starred by 2 users

Issue metadata

Status: WontFix
Owner: ----
Closed: Nov 16
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Windows
Pri: 3
Type: Bug-Regression




Cannot execute javascript from bookmarks/omnibox on incognito NTP, extension NTPs

Reported by mr.ber...@gmail.com, Oct 8

Issue description

UserAgent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36

Steps to reproduce the problem:
1. Open New Tab
2. Enter javascript:window.alert('Hi') in Omnibox
3. Press Enter

What is the expected behavior?
"Hi"

What went wrong?
Nothing happens.

Did this work before? Yes I don't remember - around Chrome 50 I would think?

Chrome version: 69.0.3497.100  Channel: stable
OS Version: 10.0
Flash Version: 

Entering JavaScript code in the Omnibox may be a rare thing to do, but I do have some dynamic bookmarks (javascript:location.href="http://www.google.com/search?q=Important dates in " + (new Date()).toLocaleString("en-us", { month: "long" })) and POST-form-submitting custom searches (https://superuser.com/a/305504/253137) configured that only work if the current tab is not a new tab page.
 
Labels: Needs-Triage-M69
Cc: viswa.karala@chromium.org
Labels: Triaged-ET Needs-Feedback
Unable to reproduce the issue on chrome reported version# 69.0.3497.100 using Windows-10 with steps mentioned below:
1) Launched chrome reported version and in New Tab Page Omnibox entered "javascript:Window.alert('Hi')"
2) Able to see prompt message as "Hi"

@Reporter: Please find the attached screencast for your reference and provide your feedback on it, which will help in further triaging the issue.

Thanks!
Attachment: 893089.mp4 (605 KB)
@viswa.karala thanks, you are correct. Indeed, with a blank new tab page javascript is executed. But here are my corrected repro steps:

Variant A
1. Open new *incognito* tab
2. Enter javascript:window.alert('Hi') in Omnibox
3. Press Enter

Variant B
0. Install https://chrome.google.com/webstore/detail/earth-view-from-google-ea/bhloflhklmhfpedakmangadcdofhnnoh
1. Open New Tab
2. Enter javascript:window.alert('Hi') in Omnibox
3. Press Enter

In these two cases, the javascript code is not executed.
Project Member

Comment 4 by sheriffbot@chromium.org, Oct 9

Labels: -Needs-Feedback
Thank you for providing more feedback. Adding the requester to the cc list.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Summary: Cannot execute javascript from bookmarks/omnibox on incognito NTP, extension NTPs (was: Canno execute javascript on new tab page)
Cc: rhalavati@chromium.org
Components: -UI Platform>Extensions UI>Browser>NewTabPage UI>Browser>Incognito
Labels: -Pri-2 Pri-3
Status: Untriaged (was: Unconfirmed)
Redirecting primarily to the new tab page team.

CCing components of incognito and extension teams in case they have ideas off the top of the head as to the cause.

Thanks for the report!
Components: Blink>SecurityFeature
The origin of the regular mode NTP is the origin of the default search engine (e.g. "https://www.google.com"). The origin of the Incognito NTP is "chrome://ntp", and of extensions pages it's "chrome-extensions://<extension-id>".

So it seems the issue is that bookmarklets don't work on some of our custom schemes, only on regular https:// pages.

You can see that it's still possible to execute JavaScript on the Incognito NTP via DevTools, so it's not an issue of the JavaScript content setting being blocked.

Could be some security hardening against bookmarklets?
Labels: zine-triaged
Cc: dbertoni@chromium.org rdevlin....@chromium.org
Status: WontFix (was: Untriaged)
@8 Yep, exactly - this is WAI as we made these changes for security reasons.  We disallow javascript: URLs on chrome and chrome-extension pages, due to the increased privileges those pages have and the low general usage of it as an intentional feature.
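
The behaviour described in the comments above, as an added example that is not part of the original thread and is not Chromium source code: a simplified model that decides, from the scheme of the page in the tab, whether a javascript: URL typed in the omnibox runs. The function names, the constant, the `index.html` path and the sample cases are constructed for illustration.

```javascript
// Added illustration: a simplified model of the policy described in this issue.
// It is not Chromium source code; all function and constant names are hypothetical.

// Schemes the thread names as privileged (chrome:// pages and extension pages).
const PRIVILEGED_SCHEMES = new Set(["chrome:", "chrome-extension:"]);

// Return the normalized scheme ("https:", "javascript:", ...) or null if unparsable.
// The WHATWG URL parser lowercases the scheme, trims leading/trailing spaces and
// control characters, and drops embedded tabs/newlines, so a prefix test on the
// raw string is not equivalent to this check.
function schemeOf(input) {
  try {
    return new URL(input).protocol;
  } catch (e) {
    return null;
  }
}

// Decide what happens when `typedUrl` is entered in the omnibox (or a bookmark
// is activated) while the tab currently shows `currentPageUrl`.
function omniboxDecision(currentPageUrl, typedUrl) {
  const target = schemeOf(typedUrl);
  if (target !== "javascript:") return "navigate";
  const page = schemeOf(currentPageUrl);
  // Fail closed: if the current page cannot be classified, do not run script in it.
  if (page === null || PRIVILEGED_SCHEMES.has(page)) return "blocked";
  return "run-in-page";
}

// Constructed sample cases mirroring the repro variants in the thread.
const cases = [
  ["https://www.google.com/", "javascript:window.alert('Hi')"],
  ["chrome://ntp", "javascript:window.alert('Hi')"],
  ["chrome-extension://bhloflhklmhfpedakmangadcdofhnnoh/index.html",
   "javascript:window.alert('Hi')"],
  ["chrome://ntp", "  JavaScript:window.alert('Hi')"],
  ["chrome://ntp", "https://superuser.com/a/305504/253137"],
];
for (const [page, typed] of cases) {
  console.log(`${page} <- ${typed.trim()} => ${omniboxDecision(page, typed)}`);
}
```

Ordinary navigations away from a privileged page are unaffected in this model; only the javascript: scheme is refused there, which matches the reporter's observation that the bookmarklets work once the tab shows a regular page.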
