Issue 79862: Bypass extensions permission app launch web_url should not allow javascript: chrome:
Reported by kuz...@gmail.com, Apr 19, 2011
javascript:alert(document.domain) //chrome://newtab
chrome://appcache-internals/ xss
Attachments:
app access chrome history.crx (529 bytes)
app access javascript.crx (543 bytes)
Apr 19, 2011
#1 kuz...@gmail.com
Go to chrome://newtab click "test"
Apr 19, 2011
#2 infe...@chromium.org
Thanks Kuzzcc.

Preconditions:
1. Need to install extension. No popups since manifest has nothing except web_url.
2. Open new tab and click on the app icon. Executes in context of chrome URLs.
Status: Available
Labels: -Pri-0 -Area-Undefined Pri-1 Area-Internals Feature-Extensions OS-All Mstone-11 SecSeverity-Medium
Apr 19, 2011
#3 infe...@chromium.org
(No comment was entered for this change.)
Status: Assigned
Owner: infe...@chromium.org
Apr 19, 2011
#4 jschuh@chromium.org
Given that this requires a malicious extension it's probably a low-severity issue.
Cc: erikkay%chromium.org@gtempaccount.com a...@chromium.org
Labels: -SecSeverity-Medium SecSeverity-Low
Apr 20, 2011
#5 infe...@chromium.org
Fixed in http://src.chromium.org/viewvc/chrome?view=rev&revision=82297
Status: WillMerge
Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify
Apr 20, 2011
#7 infe...@chromium.org
(No comment was entered for this change.)
Cc: mihaip%chromium.org@gtempaccount.com
May 22, 2011
#8 erik...@chromium.org
Did this one ever get merged? We got another report of it in bug 83010.
Cc: jschuh@chromium.org cev...@chromium.org
May 22, 2011
#9 scarybea...@gmail.com
Did not get merged, and just missed the M12 branch point. Erik, if you think it's safe at this late M12 stage, feel free to merge it (or give us permission to do so). It does seem to have had some bake time.
May 22, 2011
#10 erik...@chromium.org
I believe this is safe to merge.  Please go ahead.
May 23, 2011
#11 cdn@chromium.org
(No comment was entered for this change.)
Labels: ApprovedForMerge
May 23, 2011
#12 cdn@chromium.org
merged to m12 as r86313
May 23, 2011
#13 cdn@chromium.org
(No comment was entered for this change.)
Status: FixUnreleased
May 23, 2011
#14 bugdro...@chromium.org
The following revision refers to this bug:
    http://src.chromium.org/viewvc/chrome?view=rev&revision=86313

------------------------------------------------------------------------
r86313 | cdn@chromium.org | Mon May 23 11:47:01 PDT 2011

Changed paths:
 A http://src.chromium.org/viewvc/chrome/branches/742/src/chrome/test/data/extensions/manifest_tests/launch_url_invalid_type_2.json?r1=86313&r2=86312&pathrev=86313 (from /trunk/src/chrome/test/data/extensions/manifest_tests/launch_url_invalid_type_2.json revision 82297)
 A http://src.chromium.org/viewvc/chrome/branches/742/src/chrome/test/data/extensions/manifest_tests/launch_url_invalid_type_1.json?r1=86313&r2=86312&pathrev=86313 (from /trunk/src/chrome/test/data/extensions/manifest_tests/launch_url_invalid_type_1.json revision 82297)
 D http://src.chromium.org/viewvc/chrome/branches/742/src/chrome/test/data/extensions/manifest_tests/launch_url_invalid_type.json?r1=86313&r2=86312&pathrev=86313
 M http://src.chromium.org/viewvc/chrome/branches/742/src/chrome/common/extensions/extension_manifests_unittest.cc?r1=86313&r2=86312&pathrev=86313
 M http://src.chromium.org/viewvc/chrome/branches/742/src/chrome/common/extensions/extension.cc?r1=86313&r2=86312&pathrev=86313
 A http://src.chromium.org/viewvc/chrome/branches/742/src/chrome/test/data/extensions/manifest_tests/launch_url_invalid_type_3.json?r1=86313&r2=86312&pathrev=86313 (from /trunk/src/chrome/test/data/extensions/manifest_tests/launch_url_invalid_type_3.json revision 82297)

Merge 82297 - Make sure that extensions can launch web urls with web safe schemes only.
Reviewed in http://codereview.chromium.org/6879047.

BUG=79862
TEST=ExtensionManifestTest.AppLaunchURL
Review URL: http://codereview.chromium.org/6879077
Review URL: http://codereview.chromium.org/6990039
------------------------------------------------------------------------
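
The check named in the commit message above, sketched as a manifest audit. This is an added example, not code from the Chromium change. It assumes that "web safe" means http and https only and that the launch URL sits at `app.launch.web_url`; `check_launch_web_url` is a hypothetical name.

```python
import json
from urllib.parse import urlsplit

# Assumption: "web safe" is taken to mean http and https; the page does not list the schemes.
WEB_SAFE_SCHEMES = {"http", "https"}


def check_launch_web_url(manifest_text):
    """Return (ok, reason) for the app.launch.web_url entry of a manifest (hypothetical helper)."""
    try:
        manifest = json.loads(manifest_text)
    except ValueError as exc:
        return False, f"manifest is not valid JSON: {exc}"
    app = manifest.get("app") if isinstance(manifest, dict) else None
    launch = app.get("launch") if isinstance(app, dict) else None
    url = launch.get("web_url") if isinstance(launch, dict) else None
    if url is None:
        return True, "no web_url declared"
    if not isinstance(url, str):
        return False, "web_url is not a string"
    # Reject rather than strip: URL parsers drop tabs and newlines, so a
    # value such as "java<TAB>script:" would otherwise normalise into a scheme.
    if any(ch.isspace() or ord(ch) < 0x20 or ord(ch) == 0x7F for ch in url):
        return False, "web_url contains whitespace or control characters"
    try:
        parts = urlsplit(url)
    except ValueError as exc:
        return False, f"web_url does not parse: {exc}"
    scheme = parts.scheme.lower()
    if scheme not in WEB_SAFE_SCHEMES:
        return False, f"scheme {scheme!r} is not web safe"
    if not parts.hostname:
        return False, "web_url has no host"
    return True, "ok"


# Constructed sample values; the first two are the ones quoted in the report.
SAMPLES = [
    "javascript:alert(document.domain) //chrome://newtab",
    "chrome://appcache-internals/",
    "https://example.com/app",
]

if __name__ == "__main__":
    for value in SAMPLES:
        text = json.dumps({"name": "test", "app": {"launch": {"web_url": value}}})
        print(value, "->", check_launch_web_url(text))
```
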
Oct 4, 2011
#15 jschuh@chromium.org
Batch update.
Labels: SecImpacts-Stable
Apr 18, 2012
#16 jschuh@chromium.org
Lifting view restrictions.
Labels: -Restrict-View-SecurityNotify
Apr 18, 2012
#17 jschuh@chromium.org
(No comment was entered for this change.)
Status: Fixed
Oct 13, 2012
#18 bugdro...@chromium.org
This issue has been closed for some time. No one will pay attention to new comments.
If you are seeing this bug or have new data, please click New Issue to start a new bug.
Labels: Restrict-AddIssueComment-Commit
Mar 9, 2013
#19 bugdro...@chromium.org
(No comment was entered for this change.)
Labels: -Type-Security -Area-Internals -Feature-Extensions -Mstone-11 -SecSeverity-Low -SecImpacts-Stable Cr-Platform-Extensions Security-Impact-Stable Security-Severity-Low Cr-Internals M-11 Type-Bug-Security
Mar 13, 2013
#20 bugdro...@chromium.org
(No comment was entered for this change.)
Labels: -Restrict-AddIssueComment-Commit Restrict-AddIssueComment-EditIssue
Mar 21, 2013
#21 bugdro...@chromium.org
(No comment was entered for this change.)
Labels: -Security-Severity-Low Security_Severity-Low
Mar 21, 2013
#22 bugdro...@chromium.org
(No comment was entered for this change.)
Labels: -Security-Impact-Stable Security_Impact-Stable