This repository has been archived by the owner on Dec 11, 2019. It is now read-only.

[hackerone] #374969 - permission prompt with window.open #14681

Closed
tildelowengrimm opened this issue Jul 6, 2018 · 4 comments

Comments

@tildelowengrimm

tildelowengrimm commented Jul 6, 2018

Test Case

Case # 1:

Original issue

https://hackerone.com/reports/374969

@diracdeltas
Member

need to check if this is fixed by #14887

@diracdeltas
Member

diracdeltas commented Aug 2, 2018

Removing sec-high because the prompt doesn't say anything about Google.com asking for permission; I think the only confusing part is that the prompt is visually placed in the area of a tab which contains Google.com whereas the permission being requested is not specific to Google.com.

The simple solution is just to move the notification from the tab area to the global notification area so it cannot be associated with any specific origin.

diracdeltas added a commit that referenced this issue Aug 2, 2018
Since these permissions are not scoped to any tab, it doesn't make sense
to show them in the tab area.

Fix #14681

1. Go to https://jsfiddle.net/yudr4cxe/ and click the link.
2. It should show a notification above the tab bar.

diracdeltas changed the title from "[hackerone] #374969" to "[hackerone] #374969 - permission prompt with window.open" on Aug 2, 2018

@srirambv
Collaborator

srirambv commented Aug 14, 2018

Verified on Ubuntu 18 x64 using

  • 0.23.80 53a429f
  • Muon 8.0.8
  • libchromiumcontent 68.0.3440.84

Verified with macOS (also verified by @kjozwiak)

  • 0.23.80 53a429f
  • Muon 8.0.8
  • libchromiumcontent 68.0.3440.84

Verified on Windows x64 with

  • 0.23.80 53a429f
  • Muon 8.0.8
  • libchromiumcontent 68.0.3440.84

@Metnew

Metnew commented Aug 23, 2018

@tomlowenthal @diracdeltas Could you check/resolve this report on H1?
