Skip to content
This repository has been archived by the owner on Dec 11, 2019. It is now read-only.

[HackerOne] issue #175927 #4973

Closed
diracdeltas opened this issue Oct 20, 2016 · 5 comments
Closed

[HackerOne] issue #175927 #4973

diracdeltas opened this issue Oct 20, 2016 · 5 comments
Assignees
@diracdeltas
Labels
QA/checked-Win32 QA/checked-Win64 QA/test-plan-specified release-notes/include security
Milestone
0.13.0

Comments

@diracdeltas
Copy link
Member

https://hackerone.com/reports/175927
@diracdeltas diracdeltas added this to the 0.12.7dev milestone Oct 20, 2016
@diracdeltas diracdeltas self-assigned this Oct 20, 2016
@diracdeltas
Copy link
Member Author

diracdeltas commented Oct 26, 2016
edited
Loading

http://web.mit.edu/zyan/Public/googlespoof.html test

@diracdeltas
Copy link
Member Author

waiting again to test this after the chromium v54 upgrade

diracdeltas added a commit to brave/muon that referenced this issue Oct 28, 2016
@diracdeltas
add isRendererInitiated property on did-navigate event
7296c1d 
This is needed to mitigate brave/browser-laptop#4973,
we should only set the frame title on navigation if it was not renderer-initiated
(ex: by clicking the back/forward buttons)

Auditors: @bbondy
@diracdeltas diracdeltas mentioned this issue Oct 28, 2016
Merged
diracdeltas added a commit that referenced this issue Oct 28, 2016
@diracdeltas
only set frame title when navigation is not renderer initiated
889c627 
partial fix for #4973. this prevents the page-that-is-being-spoofed from displaying the title from the spoofing page.

auditors: @bbondy
@diracdeltas diracdeltas mentioned this issue Oct 28, 2016
Merged
4 tasks
@diracdeltas
Copy link
Member Author

#5211 mitigated this somewhat, so bumping the milestone

@diracdeltas diracdeltas modified the milestones: 0.12.9dev, 0.12.8dev, 1.0.0 Oct 29, 2016
@diracdeltas
Copy link
Member Author

appears to be fixed in the chromium54 branch

@diracdeltas diracdeltas modified the milestones: 0.13.0, 1.0.0 Dec 7, 2016
This was referenced Dec 20, 2016
Closed
Closed
Closed
Closed
Closed
@diracdeltas
Copy link
Member Author

QA steps:

  1. go to http://web.mit.edu/zyan/Public/googlespoof.html
  2. click the Google link
  3. when the new window stops loading https://www.google.com, the page should be blank

Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees

@diracdeltas diracdeltas

Labels
QA/checked-Win32 QA/checked-Win64 QA/test-plan-specified release-notes/include security
Projects
None yet
Milestone
0.13.0
Development

No branches or pull requests
3 participants
@diracdeltas @luixxiul @srirambv