Issue 923439 link

Starred by 1 user

Issue metadata

Status:	WontFix
Owner:	----
Closed:	Jan 18
Components:	UI>Browser>Omnibox
EstimatedDays:	----
NextAction:	----
OS:	Mac
Pri:	3
Type:	Feature

Security: XSS in URL window - chrome version 71.0.3578.98

Reported by johanna....@owasp.org, Jan 18 (4 days ago)

Issue description

VULNERABILITY DETAILS
XSS in URL bar

VERSION
Chrome Version: [71.0.3578.98] + Version 71.0.3578.98 (Official Build) (64-bit)
Operating System: MacOS Mojave 10.14.2

REPRODUCTION CASE
Open Chrome Browser
Insert the following javascript "javascript:alert(1)" in the URL bar.
Once you enter the word "javascript" is deleted, but you can write it directly again and the browser wont delete it
(see screenshot_1_xss)

press ENTER

RESULT
The alert pops out (see screenshot_2)


CREDIT INFORMATION
Externally reported security bugs may appear in Chrome release notes. If
this bug is included, how would you like to be credited?
Reporter credit: johanna curiel

	screenshot_1_xss.png 85.3 KB View Download

	screenshot_2.png 183 KB View Download

Comment 1 by jdeblasio@chromium.org, Jan 18 (4 days ago)

Components: UI>Browser>Omnibox
Labels: -Type-Bug-Security -Restrict-View-SecurityTeam OS-Mac Pri-3 Type-Feature
Status: WontFix (was: Unconfirmed)

I agree this is somewhat unexpected behavior, but please see our FAQ on the subject: 
https://dev.chromium.org/Home/chromium-security/security-faq#TOC-Does-entering-JavaScript:-URLs-in-the-URL-bar-or-running-script-in-the-developer-tools-mean-there-s-an-XSS-vulnerability-

►

Issue 923439 link

Issue metadata

Security: XSS in URL window - chrome version 71.0.3578.98

Issue description

Comment 1 by jdeblasio@chromium.org, Jan 18 (4 days ago)

Comment 1 Deleted

Sign in to add a comment