will-stone
commented
1 year ago Hi, these all seem like non-bugs to me. If you disagree, please open each bug report separately and provide a screencast if you can, this will help me understand the issues in detail.
Also, what's with "Credit Information" 🤷♂️
Is there an existing issue for this?
Current Behaviour
Summary:
The Browserosaurus Application does not sanitize external URLs before passing them to the underlying system. Also, Browserosaurus does not prevent in-app navigation.
Expected Behaviour
The Browserosaurus Application sanitize URLs and prevent navigation in-app, including opening of new windows.
Steps To Reproduce
Open the Browserosaurus Application from the command-line. Add a command-line switch
--remote-debugging-port=8315while running the application.Open a web browser on the same device and visit
localhost:8315. The application can be interacted with via the DevTools protocol.[Open an executable file] Within the console, execute
window.open(‘file:///Applications/Emacs.app’)– a new window opens in-app with its location set to file:///Applications/Emacs.app. Additionally, links set to open with paths to executable files will then open when sent usingshell.openExternalto the system.[Malformed URLs] The app does not sanitize malformed URLs, say
https://google%50.com, before passing it as is to the browser.[Navigation Handlers] The app also does not set event listeners for
.will-navigateorsetWindowOpenHandlerthat would prevent the app window itself being navigated to a third-party site. Ifwindow.location.hrefis updated tohttps://google.com/, the app window itself navigates to the new location.Browserosaurus version
20.5.0
macOS version
12.7
CPU Architecture
Intel
Anything else?
Credit Information
Mir Masood Ali, PhD student, University of Illinois at Chicago Mohammad Ghasemisharif, PhD Candidate, University of Illinois at Chicago Chris Kanich, Associate Professor, University of Illinois at Chicago Jason Polakis, Associate Professor, University of Illinois at Chicago