
Issue 918565


Issue metadata

Status: Assigned
Owner: (out until 24 Jan)
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: 3
Type: Bug
Blocking: issue 786673




Compromised renderer can spoof Omnibox URL

Project Member Reported by lukasza@chromium.org, Jan 2

Issue description

A compromised renderer can spoof the committed URL (e.g. spoof the Omnibox URL, the URL shown in permission dialogs, etc.) by sending FrameHostMsg_DidCommitProvisionalLoad_Params with 1) an opaque origin and 2) an arbitrary URL.


This should be addressed by nasko@'s work on precursor origins, but
1) probably requires some extra checks in the code (i.e. url-VS-origin comparison in addition to the origin-VS-process-lock comparison) and
2) probably requires some extra tests (i.e. injecting spoofed URL in addition to tests that inject a spoofed origin like the already existing SitePerProcessBrowserTest.CommittedOriginIncompatibleWithOriginLock)

Because of the above, I think it should be useful to track this in a separate bug.


Credit for pointing out this Site Isolation enforcement gap: jun.kokatsu@microsoft.com
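The two browser-side checks the report asks for (origin-vs-process-lock, plus url-vs-origin) modelled as a small, constructed Python validator. This is an added illustration, not Chromium code: the Origin class, site_of() and validate_commit() are hypothetical names, and the "site" computation and the set of URL schemes that legitimately commit with an opaque origin are deliberately simplified assumptions.

```python
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit

# Schemes whose documents legitimately commit with an opaque (or inherited) origin,
# so the url-vs-origin comparison is skipped for them. Simplified assumption.
OPAQUE_URL_SCHEMES = {"data", "about"}


@dataclass(frozen=True)
class Origin:
    # A tuple origin has scheme+host. An opaque origin has neither, but may carry
    # a precursor: the tuple origin it was derived from (e.g. a sandboxed frame).
    scheme: Optional[str] = None
    host: Optional[str] = None
    precursor: Optional["Origin"] = None

    @property
    def opaque(self) -> bool:
        return self.scheme is None


def site_of(scheme: Optional[str], host: Optional[str]) -> Optional[str]:
    # Hypothetical "site": scheme plus the last two host labels (no PSL lookup).
    if not scheme or not host:
        return None
    return scheme + "://" + ".".join(host.split(".")[-2:])


def validate_commit(process_lock: str, url: str, origin: Origin) -> bool:
    """Return True only if the renderer's claimed (url, origin) pair is consistent
    with each other and with the site the process is locked to."""
    parts = urlsplit(url)
    url_site = site_of(parts.scheme, parts.hostname)
    if origin.opaque:
        pre = origin.precursor
        pre_site = site_of(pre.scheme, pre.host) if pre else None
        # Check 1 (origin vs process lock): a precursor must match the lock.
        if pre is not None and pre_site != process_lock:
            return False
        # Check 2 (url vs origin): data:/about: URLs may be opaque on their own;
        # any other URL must belong to the precursor's site, otherwise the
        # "opaque origin + arbitrary URL" combination from the report is a spoof.
        if parts.scheme in OPAQUE_URL_SCHEMES:
            return True
        return pre is not None and url_site == pre_site
    origin_site = site_of(origin.scheme, origin.host)
    if origin_site != process_lock:          # Check 1 for tuple origins
        return False
    if parts.scheme in OPAQUE_URL_SCHEMES:   # about:blank inherits its origin
        return True
    return url_site == origin_site           # Check 2 for tuple origins
```

The first two assertions in the accompanying checks are the spoof shape the report describes (opaque origin, unrelated URL), with and without a precursor; the rest are legitimate commits that must still pass.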