Renderer controls the bounding box of AutoFill prompt |
|||
Issue descriptionAFAIU, renderer controls the bounding box of AutoFill prompt - |bounding_box| parameter of ContentAutofillDriver::QueryFormFieldAutofill is not validated against the bounding box of the requesting frame. This can be potentially abused to trick the user into thinking that the AutoFill prompt came from another frame and trick the user into disclosing sensitive data (credit card info for example) to an attacker.
,
Jan 4
Moving to the autofill team. The scenario is less likely to work for passwords because the credentials are per origin. I guess we want to implement some clamping solution in the browser? The password code should probably use it as well.
,
Jan 11
This issue has an owner, a component and a priority, but is still listed as untriaged or unconfirmed. By definition, this bug is triaged. Changing status to "assigned". Please reach out to me if you disagree with how I've done this. |
|||
►
Sign in to add a comment |
|||
Comment 1 by lukasza@chromium.org
, Dec 21