Chrome M86 insecure form flag


Rafael Gawenda

Oct 2, 2020, 12:17:23 PM
to securi...@chromium.org
Hi there.

What can we developers do with a form/input field for a chat window handled in JavaScript?
Does the new warning mean that JavaScript is insecure?

Rafael Gawenda

Carlos IL

Oct 2, 2020, 1:29:43 PM
to Rafael Gawenda, securi...@chromium.org
Hi Rafael,

Are you seeing the new warning for a particular case using JS?

In general, JS submissions to insecure endpoints (such as using XMLHttpRequest) have been blocked as active mixed content for a while now, so I'm not sure the new warning is expected to change anything for JavaScript. If you are seeing the warning, could you share a sample of the code that is triggering it?

Thanks,
-Carlos

Mike West

Oct 5, 2020, 6:35:14 AM
to Carlos IL, Dominic Battré, Rafael Gawenda, security-dev, EricLaw-MSFT
I suspect Rafael is referring to something like `<form action="javascript:void();">`, which I think we label as non-secure for at least some purposes (see +Eric's https://twitter.com/ericlaw/status/1312625250589446145).

+Dominic Battré for the autofill aspect, in case that differs from the mixed content path.

-mike

Dominic Battre

Oct 5, 2020, 8:25:36 AM
to Rafael Gawenda, Mike West, Carlos IL, security-dev, EricLaw-MSFT
Uh, this is sad. :-(

It would be great to have a reproduction case. I cannot access Samsung's employee discount program. Rafael, is your site accessible to the public?

Best regards,
Dominic


Rafael Gawenda

Oct 5, 2020, 8:25:36 AM
to Mike West, Carlos IL, Dominic Battré, security-dev, EricLaw-MSFT
We use neither javascript:; nor javascript:void(); we call real userland functions instead. Some of them fetch content over https from the page's domain, or simply filter out loaded content.

Rafael Gawenda



Rafael Gawenda

Oct 5, 2020, 8:25:37 AM
to Dominic Battre, Mike West, Carlos IL, security-dev, EricLaw-MSFT
It is. It's a swingers social network, so please ignore explicit content. Clicking any thumb should open a register form; the 3rd field (1st input) will show the insecure flag.

Rafael Gawenda

Carlos IL

Oct 5, 2020, 10:59:19 AM
to Eric Lawrence, Rafael Gawenda, Dominic Battre, Mike West, security-dev
Thanks for digging into this, this seems like a bug indeed. Feel free to file one (and assign it to me). 

Thanks,
Carlos


Eric Lawrence

Oct 9, 2020, 1:06:34 PM
to Rafael Gawenda, Dominic Battre, Mike West, Carlos IL, security-dev

Shall I file a bug?

JavaScript should be exempted here: https://source.chromium.org/chromium/chromium/src/+/master:components/autofill/core/browser/autofill_browser_util.cc;l=12;drc=6b00afd4ac52963ce04d6f29a0ebe0ca6ddfc9dd

The Samsung reduction is https://webdbg.com/test/forms/targetsjavascript.html

The adult site does use a JavaScript target too:

Rafael— Until the Chrome bug is fixed, the workaround for that site is to remove the ACTION attribute and add an onsubmit handler instead.

-E
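
The workaround described in the message above, together with a small helper for finding the forms on a page that it applies to, as an added example that is not code from the thread or from Chromium. The function names, the sample URLs and the classification rules are assumptions made for illustration; the classification is a simplified model, not Chromium's actual check.

```javascript
// Added example, not code from the thread or from Chromium. The classification
// below is a simplified model of the behaviour discussed, not Chromium's check.

// Constructed sample: action values as they might appear on an https: page.
const SAMPLE_PAGE = 'https://example.test/register';
const SAMPLE_ACTIONS = ['javascript:sendChat()', '/api/register', 'http://example.test/post', ''];

// Classify a form's action attribute as seen from the page that hosts it.
function classifyFormAction(actionAttr, pageUrl) {
  // A missing or empty action submits to the document's own URL.
  if (actionAttr == null || actionAttr.trim() === '') return 'same-document';
  let target;
  try {
    target = new URL(actionAttr.trim(), pageUrl);
  } catch {
    return 'unparseable';
  }
  if (target.protocol === 'javascript:') return 'javascript';
  if (target.protocol === 'https:') return 'secure';
  // http: target on an https: page is the mixed form the warning is meant for.
  if (target.protocol === 'http:' && new URL(pageUrl).protocol === 'https:') return 'insecure';
  return 'other';
}

// Actions that drew the flag per this thread: real mixed forms, plus
// javascript: targets (the bug reported here).
function flaggedPerThread(pageUrl, actions) {
  return actions.filter((a) =>
    ['insecure', 'javascript'].includes(classifyFormAction(a, pageUrl)));
}

// Workaround from the thread: remove the action attribute and handle submit in
// script. `form` is an HTMLFormElement; `handler` is the site's own function.
function applyWorkaround(form, handler) {
  form.removeAttribute('action');
  form.addEventListener('submit', (event) => {
    event.preventDefault(); // stop the default navigation; the script takes over
    handler(form);
  });
}
```

In a browser, `applyWorkaround(document.querySelector('form'), sendChat)` would be called once the form exists, with `sendChat` standing in for the site's own submit function.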

 


Carlos IL

Oct 13, 2020, 3:08:51 PM
to Eric Lawrence, Rafael Gawenda, Dominic Battre, Mike West, security-dev
As an update on this, this bug has now been fixed, and the fix will be on M87. We also delayed the warnings launch on stable to 87, so the bug will not make it to stable.

Thanks all,
-Carlos