Issue 917432

Starred by 2 users

Issue metadata

Status: Assigned
Owner:
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: 3
Type: Bug

Blocking:
issue 786673

Renderer controls the bounding box of AutoFill prompt

Project Member Reported by lukasza@chromium.org, Dec 21

Issue description

AFAIU, the renderer controls the bounding box of the AutoFill prompt: the |bounding_box| parameter of ContentAutofillDriver::QueryFormFieldAutofill is not validated against the bounding box of the requesting frame. This can potentially be abused to trick the user into thinking that the AutoFill prompt came from another frame, and so trick the user into disclosing sensitive data (credit card info, for example) to an attacker.

Owner: vasi...@chromium.org
vasilii@, could you please confirm the issue and/or help triage the bug further?  (I see that you've worked on Site Isolation enforcements for Password Manager in r569331 - Site Isolation enforcements for generic AutoFill feature seem somewhat related).
Cc: vasi...@chromium.org
Owner: ftirelo@chromium.org
Moving to the autofill team. The scenario is less likely to work for passwords because the credentials are per origin.
I guess we want to implement some clamping solution in the browser? The password code should probably use it as well.
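One way to implement the browser-side clamping suggested above, as an added example and not Chromium's own code: a standalone C++ sketch that intersects the renderer-supplied box with the bounds of the frame that sent it and rejects boxes that are malformed or fall outside that frame. The RectF struct and ClampToFrame function are assumed names standing in for gfx::RectF and whatever the real fix would be called.

```cpp
#include <algorithm>
#include <cmath>
#include <cstdio>

// Minimal stand-in for gfx::RectF (an assumption for this example, not Chromium's type).
struct RectF {
  float x, y, width, height;
};

static bool IsFiniteRect(const RectF& r) {
  return std::isfinite(r.x) && std::isfinite(r.y) &&
         std::isfinite(r.width) && std::isfinite(r.height);
}

// Browser-side check for a renderer-supplied |bounding_box|: intersect it with
// the bounds of the frame that sent it (both rects in the same coordinate
// space). Returns false, leaving |out| untouched, when the box is malformed
// (NaN/inf, negative size) or lies entirely outside its frame, so the prompt is
// never drawn over content that belongs to a different frame. A compromised
// renderer can then only move the prompt within its own frame.
bool ClampToFrame(const RectF& untrusted, const RectF& frame, RectF* out) {
  if (!IsFiniteRect(untrusted) || untrusted.width < 0 || untrusted.height < 0)
    return false;
  const float left = std::max(untrusted.x, frame.x);
  const float top = std::max(untrusted.y, frame.y);
  const float right = std::min(untrusted.x + untrusted.width, frame.x + frame.width);
  const float bottom = std::min(untrusted.y + untrusted.height, frame.y + frame.height);
  if (!(right > left) || !(bottom > top))  // empty intersection: reject
    return false;
  *out = RectF{left, top, right - left, bottom - top};
  return true;
}

int main() {
  // Constructed scenario: a subframe occupying the lower half of an 800x600 page
  // reports a field at y=50, i.e. over content the subframe does not own.
  const RectF frame{0, 300, 800, 300};
  const RectF claimed{10, 50, 100, 20};
  RectF clamped;
  if (ClampToFrame(claimed, frame, &clamped))
    std::printf("show prompt at %.0f,%.0f\n", clamped.x, clamped.y);
  else
    std::printf("rejected: box outside requesting frame\n");
  return 0;
}
```

The same check can be reused by the password code path, since it only depends on the frame's bounds and not on which prompt is being positioned.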
Status: Assigned (was: Untriaged)
This issue has an owner, a component and a priority, but is still listed as untriaged or unconfirmed. By definition, this bug is triaged. Changing status to "assigned". Please reach out to me if you disagree with how I've done this.