# Chrome Security FAQ

[TOC]

## Process

<a name="TOC-Which-bugs-are-valid-for-rewards-under-the-Chrome-Vulnerability-Rewards-program-"></a>
### Which bugs are valid for rewards under the Chrome Vulnerability Rewards program?

Please see [the VRP FAQ page](vrp-faq.md).

<a name="TOC-Why-are-security-bugs-hidden-in-the-Chromium-issue-tracker-"></a>
### Why are security bugs hidden in the Chromium issue tracker?

We must balance a commitment to openness with a commitment to avoiding
unnecessary risk for users of widely-used open source libraries. All critical,
high, and medium severity bugs are visible only to the security team and to the
engineers directly involved in fixing them. Low-severity security bugs may be
visible to all project contributors after an initial triage phase.

<a name="TOC-Can-you-please-un-hide-old-security-bugs-"></a>
### Can you please un-hide old security bugs?

Our goal is to open security bugs to the public once the bug is fixed and the
fix has been shipped to a majority of users. However, many vulnerabilities
affect products besides Chromium, and we don’t want to put users of those
products unnecessarily at risk by opening the bug before fixes for the other
affected products have shipped.

Therefore, we make all security bugs public within approximately 14 weeks of the
fix landing in the Chromium repository. The exception to this is in the event of
the bug reporter or some other responsible party explicitly requesting anonymity
or protection against disclosing other particularly sensitive data included in
the vulnerability report (e.g. username and password pairs).

<a name="TOC-Can-I-get-advance-notice-about-security-bugs-"></a>
### Can I get advance notice about security bugs?

Vendors of products based on Chromium, distributors of operating systems that
bundle Chromium, and individuals and organizations that significantly contribute
to fixing security bugs can be added to a list for earlier access to these bugs.
You can email us at security@chromium.org to request to join the list if you
meet the above criteria. In particular, vendors of anti-malware, IDS/IPS,
vulnerability risk assessment, and similar products or services do not meet this
bar.

Please note that the safest version of Chrome/Chromium is always the latest
stable version — there is no good reason to wait to upgrade, so enterprise
deployments should always track the latest stable release. When you do this,
there is no need to further assess the risk of Chromium vulnerabilities: we
strive to fix vulnerabilities quickly and release often.

<a name="TOC-How-can-I-know-which-fixes-to-include-in-my-downstream-project-"></a>
### How can I know which fixes to include in my downstream project?

Chrome is built with mitigations and hardening which aim to prevent or reduce
the impact of security issues. We classify bugs as security issues if they are
known to affect a version and configuration of Chrome that we ship to the
public. Some classes of bug might present as security issues if Chrome was
compiled with different flags, or linked against a different C++ standard
library, but do not with the toolchain and configuration that we use to build
Chrome. We discuss some of these cases elsewhere in this FAQ.

If we become aware of them, these issues may be triaged as
`Type=Vulnerability, Security_Impact-None` or as `Type=Bug` because they do not
affect the production version of Chrome. They may or may not be immediately
visible to the public in the bug tracker, and may or may not be identified as
security issues. If fixes are landed, they may or may not be merged from HEAD to
a release branch. Chrome will only label, fix and merge security issues in
Chrome, but attackers can still analyze public issues or commits in the
Chromium project to identify bugs that might be exploitable in other contexts.

Chromium embedders and other downstream projects may build with different
compilers, compile options, target operating systems, standard library, or
additional software components. It is possible that some issues Chrome
classifies as functional issues will manifest as security issues in a product
embedding Chromium - it is the responsibility of any such project to understand
what code they are shipping, and how it is compiled. We recommend using Chrome's
[configuration](https://source.chromium.org/chromium/chromium/src/+/main:build/config/)
whenever possible.

<a name="TOC-Can-I-see-these-security-bugs-so-that-I-can-back-port-the-fixes-to-my-downstream-project-"></a>
### Can I see these security bugs so that I can back-port the fixes to my downstream project?

Many developers of other projects use V8, Chromium, and sub-components of
Chromium in their own projects. This is great! We are glad that Chromium and V8
suit your needs.

We want to open up fixed security bugs (as described in the previous answer),
and will generally give downstream developers access sooner. **However, please
be aware that backporting security patches from recent versions to old versions
cannot always work.** (There are several reasons for this: The patch won't apply
to old versions; the solution was to add or remove a feature or change an API;
the issue may seem minor until it's too late; and so on.) We believe the latest
stable versions of Chromium and V8 are the most stable and secure. We also
believe that tracking the latest stable upstream is usually less work for
greater benefit in the long run than backporting. We strongly recommend that you
track the latest stable branches, and we support only the latest stable branch.

<a name="TOC-Severity-Guidelines"></a>
### How does the Chrome team determine severity of security bugs?

See the [severity guidelines](severity-guidelines.md) for more information.
Only security issues are considered under the security vulnerability rewards
program. Other types of bugs, which we call "functional bugs", are not.

## Threat Model

<a name="TOC-Timing-Attacks"></a>
### Are timing attacks considered security vulnerabilities?

Some timing attacks are considered security vulnerabilities, and some are
considered privacy vulnerabilities. Timing attacks vary significantly in terms
of impact, reliability, and exploitability.

Some timing attacks weaken mitigations like ASLR (e.g.
[Issue 665930](https://crbug.com/665930)). Others attempt to circumvent the same
origin policy, for instance, by using SVG filters to read pixels
cross-origin (e.g. [Issue 686253](https://crbug.com/686253) and
[Issue 615851](https://crbug.com/615851)).

Many timing attacks rely upon the availability of high-resolution timing
information (e.g. [Issue 508166](https://crbug.com/508166)); such timing data
often has legitimate uses in non-attack scenarios, making it unappealing to
remove.

Timing attacks against the browser's HTTP Cache (like
[Issue 74987](https://crbug.com/74987)) can potentially leak information about
which sites the user has previously loaded. The browser could attempt to protect
against such attacks (e.g. by bypassing the cache) at the cost of performance
and thus user experience. To mitigate such timing attacks, end users can
delete browsing history and/or browse sensitive sites using Chrome's Incognito
or Guest browsing modes.

Other timing attacks can be mitigated via clever design changes. For instance,
[Issue 544765](https://crbug.com/544765) describes an attack whereby an attacker
can probe for the presence of HSTS rules (set by prior site visits) by timing
the load of resources with URLs "fixed-up" by HSTS. Prior to Chrome 64, HSTS
rules [were shared](https://crbug.com/774643) between regular browsing and
Incognito mode, making the attack more interesting. The attack was mitigated by
changing Content-Security-Policy such that secure URLs will match rules
demanding non-secure HTTP URLs, a fix that has also proven useful in helping to
unblock migrations to HTTPS. Similarly, [Issue 707071](https://crbug.com/707071)
describes a timing attack in which an attacker could determine what Android
applications are installed; the attack was mitigated by introducing randomness
in the execution time of the affected API.

<a name="TOC-What-if-a-Chrome-component-breaks-an-OS-security-boundary-"></a>
### What if a Chrome component breaks an OS security boundary?

If Chrome or any of its components (e.g. updater) can be abused to
perform a local privilege escalation, then it may be treated as a
valid security vulnerability.

Running any Chrome component with higher privileges than intended is
not a security bug, and we do not recommend running Chrome as an
Administrator on Windows, or as root on POSIX.

<a name="TOC-Why-isn-t-passive-browser-fingerprinting-including-passive-cookies-in-Chrome-s-threat-model-"></a>
<a name="TOC-What-is-Chrome-s-threat-model-for-fingerprinting-"></a>
### What is Chrome's threat model for fingerprinting?

> **Update, August 2019:** Please note that this answer has changed. We have
> updated our threat model to include fingerprinting.

Although [we do not consider fingerprinting issues to be *security
vulnerabilities*](#TOC-Are-privacy-issues-considered-security-bugs-), we do now
consider them to be privacy bugs that we will try to resolve. We distinguish two
forms of fingerprinting.

* **Passive fingerprinting** refers to fingerprinting techniques that do not
require a JavaScript API call to achieve. This includes (but is not limited to)
mechanisms like [ETag
cookies](https://en.wikipedia.org/wiki/HTTP_ETag#Tracking_using_ETags) and [HSTS
cookies](https://security.stackexchange.com/questions/79518/what-are-hsts-super-cookies).
* **Active fingerprinting** refers to fingerprinting techniques that do require
a JavaScript API call to achieve. Examples include most of the techniques in
[EFF's Panopticlick proof of concept](https://panopticlick.eff.org).

For passive fingerprinting, our ultimate goal is (to the extent possible) to
reduce the information content available to below the threshold for usefulness.

For active fingerprinting, our ultimate goal is to establish a [privacy
budget](https://github.com/bslassey/privacy-budget) and to keep web origins
below the budget (such as by rejecting some API calls when the origin exceeds
its budget). To avoid breaking rich web applications that people want to use,
Chrome may increase an origin's budget when it detects that a person is using
the origin heavily. As with passive fingerprinting, our goal is to set the
default budget below the threshold of usefulness for fingerprinting.

These are both long-term goals. As of this writing (August 2019) we do not
expect that Chrome will immediately achieve them.

For background on fingerprinting and the difficulty of stopping it, see [Arvind
Narayanan's site](https://33bits.wordpress.com/about/) and [Peter Eckersley's
discussion of the information theory behind
Panopticlick](https://www.eff.org/deeplinks/2010/01/primer-information-theory-and-privacy).
There is also [a pretty good analysis of in-browser fingerprinting
vectors](https://dev.chromium.org/Home/chromium-security/client-identification-mechanisms).

<a name="TOC-I-found-a-phishing-or-malware-site-not-blocked-by-Safe-Browsing.-Is-this-a-security-vulnerability-"></a>
### I found a phishing or malware site not blocked by Safe Browsing. Is this a security vulnerability?

Malicious sites not yet blocked by Safe Browsing can be reported via
[https://www.google.com/safebrowsing/report_phish/](https://www.google.com/safebrowsing/report_phish/).
Safe Browsing is primarily a blocklist of known-unsafe sites; the feature warns
the user if they attempt to navigate to a site known to deliver phishing or
malware content. You can learn more about this feature in these references:

* [https://developers.google.com/safe-browsing/](https://developers.google.com/safe-browsing/)
* [https://www.google.com/transparencyreport/safebrowsing/](https://www.google.com/transparencyreport/safebrowsing/)

In general, it is not considered a security bug if a given malicious site is not
blocked by the Safe Browsing feature, unless the site is on the blocklist but is
allowed to load anyway. For instance, if a site found a way to navigate through
the blocking red warning page without user interaction, that would be a security
bug. A malicious site may exploit a security vulnerability (for instance,
spoofing the URL in the **Location Bar**). This would be tracked as a security
vulnerability in the relevant feature, not Safe Browsing itself.

<a name="TOC-I-can-download-a-file-with-an-unsafe-extension-and-it-is-not-classified-as-dangerous-"></a>
### I can download a file with an unsafe extension and it is not classified as dangerous - is this a security bug?

Chrome tries to warn users before they open files that might modify their
system. What counts as a dangerous file will vary depending on the operating
system Chrome is running on, the default set of file handlers, Chrome settings,
Enterprise policy and verdicts on both the site and the file from [Safe
Browsing](https://code.google.com/apis/safebrowsing/). Because of this it will
often be okay for a user to download and run a file. However, if you can clearly
demonstrate how to bypass one of these protections then we’d like to hear about
it. You can see if a Safe Browsing check happened by opening
chrome://safe-browsing before starting the download.

<a name="TOC-what-about-dangerous-file-types-not-listed-in-the-file-type-policy-"></a>
### What about dangerous file types not listed in the file type policy?

The [file type
policy](https://source.chromium.org/chromium/chromium/src/+/main:components/safe_browsing/content/resources/download_file_types.asciipb?q=download_file_types.asciipb%20-f:%2Fgen%2F&ss=chromium)
controls some details of which security checks to enable for a given file
extension. Most importantly, it controls whether we contact Safe Browsing about
a download, and whether we show a warning for all downloads of that file type.
Starting in M74, the default for unknown file types has been to contact Safe
Browsing. This prevents large-scale abuse from a previously unknown file type.
Starting in M105, showing a warning for all downloads of an extension became
reserved for exceptionally dangerous file types that can compromise a user
without any user interaction with the file (e.g. DLL hijacking). If you discover
a new file type that meets that condition, we’d like to hear about it.

<a name="TOC-i-found-a-local-file-or-directory-that-may-be-security-sensitive-and-is-not-blocked-by-file-system-access-api-"></a>
### I found a local file or directory that may be security-sensitive and is not blocked by File System Access API - is this a security bug?

The File System Access API maintains a [blocklist](https://source.chromium.org/chromium/chromium/src/+/main:chrome/browser/file_system_access/chrome_file_system_access_permission_context.cc;l=266-346)
of directories and files that may be sensitive, such as system files. If a user
chooses a file or directory matching the list on a site using the File System
Access API, the access is blocked.

The blocklist is a defense-in-depth measure: it lists well-known,
security-sensitive locations to help mitigate accidental grants by users.
Therefore, a gap in blocklist coverage is not deemed a security bug, especially
as access requires the user's explicit selection of a file or directory from the
file picker.

<a name="TOC-I-can-download-a-file-with-an-unsafe-extension-but-a-different-extension-or-file-type-is-shown-to-the-user-"></a>
### I can download a file with an unsafe extension but a different extension or file type is shown to the user - is this a security bug?

See [file types](#TOC-The-wrong-description-for-a-file-type-is-added-by-Chrome-).

<a name="TOC-Extensions-for-downloaded-files-are-not-shown-in-a-file-dialog-"></a>
### Extensions for downloaded files are not shown in a file dialog - is this a security bug?

See [file types](#TOC-The-wrong-description-for-a-file-type-is-added-by-Chrome-).

<a name="TOC-The-wrong-description-for-a-file-type-is-added-by-Chrome-"></a>
### The wrong description for a file type is added by Chrome - is this a security bug?

Chrome tries to let users know what they will be saving and downloading before
they do so. Often operating systems will obscure a file’s type or extension and
there is little we can do about that. Chrome shows information to help users
make these decisions, both in Chrome-owned UI and in information that Chrome
passes to OS-owned UI. If this information can be manipulated from a web site to
mislead a user, then we’d like to hear about it.
[Example](https://crbug.com/1137247).

<a name="TOC-I-can-download-a-file-and-OS-indicators-for-its-provenance-are-not-applied-"></a>
### I can download a file and OS indicators for its provenance are not applied - is this a security bug?

Chrome attempts to label files downloaded from the internet with metadata using
operating system APIs where these are available – for instance applying the Mark
of the Web on Windows. This is often not possible (for instance on non-NTFS file
systems on Windows, or for files inside downloaded archives) or disabled by
policy. If a web site can cause Chrome to download a file without Chrome then
adding this metadata as usual, we’d like to hear about it.

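The following PowerShell check is an added example, not code from the Chromium FAQ or the Chromium code base. On Windows the Mark of the Web is the NTFS `Zone.Identifier` alternate data stream, so the check reads that stream to verify whether a download was labelled; it assumes the file lives on an NTFS volume, and for the cases the answer lists (non-NTFS volumes, members of a downloaded archive, policy) the stream is simply absent.

```powershell
# Added example, not Chromium code. Reads the Mark of the Web (MOTW) that
# Windows browsers such as Chrome attach to downloads: an NTFS alternate data
# stream named "Zone.Identifier" in INI format. ZoneId=3 is the Internet zone;
# HostUrl/ReferrerUrl record where the file came from when the writer adds them.
function Get-MarkOfTheWeb {
    param(
        [Parameter(Mandatory)]
        [string]$Path
    )

    $result = [ordered]@{
        Path        = $Path
        HasMotw     = $false
        ZoneId      = $null
        HostUrl     = $null
        ReferrerUrl = $null
    }

    try {
        # -Stream addresses the alternate data stream; it only exists on NTFS.
        $lines = Get-Content -LiteralPath $Path -Stream Zone.Identifier -ErrorAction Stop
    } catch {
        # No stream: non-NTFS volume, file extracted from an archive, MOTW
        # disabled by policy, or the download path never applied it.
        return [pscustomobject]$result
    }

    $result.HasMotw = $true
    foreach ($line in $lines) {
        # Keep only the keys we understand; the [ZoneTransfer] header is skipped.
        if ($line -match '^(ZoneId|HostUrl|ReferrerUrl)=(.*)$') {
            $result[$Matches[1]] = $Matches[2].Trim()
        }
    }
    return [pscustomobject]$result
}

# Report downloads that lack MOTW or are not marked as Internet-origin (ZoneId 3).
# A file listed here is either one of the expected exceptions (archive member,
# policy, non-NTFS volume) or worth a closer look at how it was downloaded.
Get-ChildItem -LiteralPath "$env:USERPROFILE\Downloads" -File |
    ForEach-Object { Get-MarkOfTheWeb -Path $_.FullName } |
    Where-Object { -not $_.HasMotw -or $_.ZoneId -ne '3' } |
    Format-Table Path, HasMotw, ZoneId, HostUrl -AutoSize
```
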
<a name="TOC-I-can-cause-a-hard-or-soft-link-to-be-written-to-a-directory-bypassing-normal-OS-blocks-"></a>
### I can cause a hard or soft link to be written to a directory bypassing normal OS blocks - is this a security bug?

Chrome should not allow filesystem links to be created by initiating a download.
[Example](https://crbug.com/1140417). [Example](https://crbug.com/1137247#c12).

<a name="TOC-I-can-hijack-a-user-gesture-and-trick-a-user-into-accepting-a-permission-or-downloading-a-file-"></a>
### I can hijack a user gesture and trick a user into accepting a permission or downloading a file - is this a security bug?

Chrome tries to design its prompts to select safe defaults. If a prompt can
accidentally be accepted without the user having an opportunity to make a
decision about the prompt then we’d like to know. Examples might include poor
defaults so that a user holding down an enter key might accept a dialog they
would want to dismiss. [Example](https://crbug.com/854455#c11).

Note that a user navigating to a download will cause a file to be
[downloaded](https://crbug.com/1114592).

<a name="TOC-security-properties-not-inherited-using-contextual-menu-"></a>
### Sandbox/CSP/etc... security properties are not inherited when navigating using the middle-click/contextual-menu - is this a security bug?

The security properties of the document providing the URL are not used or
inherited when the user deliberately opens a link in a popup using one of:

- Ctrl + left-click (Open link in new tab)
- Shift + left-click (Open link in new window)
- Middle-click (Open link in new tab)
- Right-click > "Open link in ..."

These methods of following a link have more or less the same implications as the
user copying the link's URL and pasting it into a newly-opened window. We treat
them as user-initiated top-level navigations, and as such will not apply or
inherit policy restrictions into the new context.

Examples of security-related properties:

- Content-Security-Policy
- Cross-Origin-Embedder-Policy
- Cross-Origin-Opener-Policy
- Origin
- Referrer
- Sandbox
- etc...

These browser actions and shortcuts are specific to Chrome. They differ from
the behavior specified by the web platform, such as calling `window.open()` or
opening a link with the `target=_blank` attribute.

<a name="TOC-What-is-the-threat-model-for-Chrome-for-Testing"></a>
### What is the threat model for Chrome for Testing?

[Chrome for Testing](https://developer.chrome.com/blog/chrome-for-testing) is a
distribution of current and older versions of Chrome. It does not auto-update.
Therefore, it may lack recent fixes for security bugs. Security bugs can more
easily be exploited once their fixes are [published in the main Chromium source
code repository](updates.md) and so it is unsafe to use Chrome for Testing to
access any untrusted website. You should use Chrome for Testing only for
browser automation and testing purposes, consuming only trustworthy content.
`chrome-headless-shell` also lacks auto-updates and so, for the same reason,
should only be used to consume trusted content.

<a name="TOC-What-makes-a-ui-spoof-interesting-to-report"></a>
### What makes a UI spoof interesting to report?

As a general rule, a UI spoof is only a security bug if _either_:

* There is evidence that it is actually being exploited to trick users in the
  field, or
* You can make a convincing case that it would mislead a user into making a
  _security decision_ incorrectly, or otherwise taking an action with actual
  security consequences for that user

That means that for example these are interesting security bugs:

* A spoof that convinces the user they are currently on origin A when in fact
  they are on origin B
* A spoof that convinces the user that a permission request is from origin A
  when in fact it is from origin B
* A spoof that convinces the user they are installing extension A when in fact
  they are installing extension B

and so on, but for example these are **not** interesting security bugs:

* A spoof that convinces the user to copy text they didn't expect to their
  clipboard
* A spoof that convinces the user to download a file they didn't expect (simply
  downloading a file is not a security decision - running it is though!)
* A spoof that convinces the user to navigate to a link they didn't expect
* A spoof that convinces the user to click a browser UI element they weren't
  intending to _unless you can show security consequences for them doing so_.

We often tend to look at what a "reasonable and prudent" user would do in a
situation, meaning a user who is taking basic security precautions like paying
attention to security cues given in the product UI and who is, while not a
security expert or even particularly security-minded, trying to take basic
precautions to stay safe online. That doesn't mean bugs that require user error
are always out of scope, but it does mean that spoofs which would not deceive
a user being reasonable and prudent are out of scope.

<a name="TOC-As-a-user_I-can-bypass-an-enterprise-policy-is-this-a-security-bug_"></a>
### As a user, I can bypass an enterprise policy - is this a security bug?

In general, no. Enterprise policies applying to running, enterprise-enrolled
Chrome instances are not by default a security boundary. It may be a functional
bug in the implementation of the enterprise policy, or it may be intended
behavior, but either way actions by the local user are generally considered to
be "local attacks" and outside our threat model.

ChromeOS is an exception to this. On ChromeOS, Chrome integrates more deeply
with the host operating system and is able to provide stronger guarantees about
policies. Therefore, an enterprise policy bypass by a local user of a ChromeOS
device may still be a security bug.

## Areas outside Chrome's Threat Model

<a name="TOC-Are-privacy-issues-considered-security-bugs-"></a>
### Are privacy issues considered security bugs?

No. The Chrome Privacy team treats privacy issues, such as leaking information
from Incognito, fingerprinting, and bugs related to deleting browsing data as
functional bugs.

Privacy issues are not considered under the security vulnerability rewards
program; the [severity guidelines](severity-guidelines.md) outline the types of
bugs that are considered security vulnerabilities in more detail.

<a name="TOC-What-are-the-security-and-privacy-guarantees-of-Incognito-mode-"></a>
### What are the security and privacy guarantees of Incognito mode?

Bugs in Incognito mode are tracked as privacy bugs, not security bugs.

The [Help Center](https://support.google.com/chrome/?p=cpn_incognito) explains
what privacy protections Incognito mode attempts to enforce. In particular,
please note that Incognito is not a “do not track” mode, and it does not hide
aspects of your identity from web sites. Chrome does offer a way to send a Do
Not Track request to servers; see chrome://settings/?search=do+not+track.

When in Incognito mode, Chrome does not store any new history, cookies, or other
state in non-volatile storage. However, Incognito windows will be able to access
some previously-stored state, such as browsing history.

<a name="TOC-Are-XSS-filter-bypasses-considered-security-bugs-"></a>
### Are XSS filter bypasses considered security bugs?

No. Chromium once contained a reflected XSS filter called the [XSSAuditor](https://www.chromium.org/developers/design-documents/xss-auditor)
that was a best-effort second line of defense against reflected XSS flaws found
in web sites. The XSS Auditor was [removed in Chrome 78](https://groups.google.com/a/chromium.org/forum/#!msg/blink-dev/TuYw-EZhO9g/blGViehIAwAJ).
Consequently, Chromium no longer takes any special action in response to an
X-XSS-Protection header.

<a name="TOC-Are-denial-of-service-issues-considered-security-bugs-"></a>
### Are denial of service issues considered security bugs?

No. Denial of Service (DoS) issues are treated as **abuse** or **stability**
issues rather than security vulnerabilities.

* If you find a reproducible crash (e.g. a way to hit a `CHECK`),
  we encourage you to [report it](https://issues.chromium.org/new).
* If you find a site that is abusing the user experience (e.g. preventing you
  from leaving a site), we encourage you to [report
  it](https://issues.chromium.org/new).

DoS issues are not considered under the security vulnerability rewards program;
the [severity guidelines](severity-guidelines.md) outline the types of bugs that
are considered security vulnerabilities in more detail.

<a name="TOC-Why-aren-t-physically-local-attacks-in-Chrome-s-threat-model-"></a>
### Why aren't physically-local attacks in Chrome's threat model?

People sometimes report that they can compromise Chrome by installing a
malicious DLL in a place where Chrome will load it, by hooking APIs (e.g. [Issue
130284](https://crbug.com/130284)), or by otherwise altering the configuration
of the device.

We consider these attacks outside Chrome's threat model, because there is no way
for Chrome (or any application) to defend against a malicious user who has
managed to log into your device as you, or who can run software with the
privileges of your operating system user account. Such an attacker can modify
executables and DLLs, change environment variables like `PATH`, change
configuration files, read any data your user account owns, email it to
themselves, and so on. Such an attacker has total control over your device,
and nothing Chrome can do would provide a serious guarantee of defense. This
problem is not special to Chrome — all applications must trust the
physically-local user.

There are a few things you can do to mitigate risks from people who have
physical control over **your** computer, in certain circumstances.

* To stop people from reading your data in cases of device theft or loss, use
  full disk encryption (FDE). FDE is a standard feature of most operating
  systems, including Windows Vista and later, Mac OS X Lion and later, and
  some distributions of Linux. (Some older versions of Mac OS X had partial
  disk encryption: they could encrypt the user’s home folder, which contains
  the bulk of a user’s sensitive data.) Some FDE systems allow you to use
  multiple sources of key material, such as the combination of both a
  password and a key file on a USB token. When available, you should use
  multiple sources of key material to achieve the strongest defense. Chrome
  OS encrypts users’ home directories.
* If you share your computer with other people, take advantage of your
  operating system’s ability to manage multiple login accounts, and use a
  distinct account for each person. For guests, Chrome OS has a built-in
  Guest account for this purpose.
* Take advantage of your operating system’s screen lock feature.
* You can reduce the amount of information (including credentials like
  cookies and passwords) that Chrome will store locally by using Chrome's
  Content Settings (chrome://settings/content) and turning off the form
  auto-fill and password storage features
  ([chrome://settings/search#password](chrome://settings/search#password)).

There is almost nothing you can do to mitigate risks when using a **public**
computer.

* Assume everything you do on a public computer will become, well, public.
  You have no control over the operating system or other software on the
  machine, and there is no reason to trust the integrity of it.
* If you must use such a computer, use Incognito mode and close all Incognito
  windows when you are done browsing to limit the amount of data you leave
  behind. Note that Incognito mode **provides no protection** if the system has
  already been compromised as described above.

511<a name="TOC-Why-aren-t-compromised-infected-machines-in-Chrome-s-threat-model-"></a>
Alex Goughe7bcbea2022-05-03 21:45:34512### Why aren't compromised/infected machines in Chrome's threat model?
Chris Palmer554c66e2017-07-29 01:02:56513
Tom Sepez279d9f42020-11-30 21:58:58514Although the attacker may now be remote, the consequences are essentially the
515same as with physically-local attacks. The attacker's code, when it runs as
516your user account on your machine, can do anything you can do. (See also
517[Microsoft's Ten Immutable Laws Of
Eric Lawrence5e1a9c712018-09-12 20:55:19518Security](https://web.archive.org/web/20160311224620/https://technet.microsoft.com/en-us/library/hh278941.aspx).)
Chris Palmer554c66e2017-07-29 01:02:56519
Tom Sepez279d9f42020-11-30 21:58:58520Other cases covered by this section include leaving a debugger port open to
521the world, remote shells, and so forth.
522
<a name="TOC-If-a-website-can-open-an-android-app-via-an-intent"></a>
### If a website can open an Android app via an intent is this a security bug?

No. Websites can link to external handlers or applications, but there are
restrictions around requiring a user gesture and the type of intent that can
be launched. Full details are available in the
[external_intents](../../components/external_intents/README.md) documentation.

<a name="TOC-Does-entering-JavaScript:-URLs-in-the-URL-bar-or-running-script-in-the-developer-tools-mean-there-s-an-XSS-vulnerability-"></a>
### Does entering JavaScript: URLs in the URL bar or running script in the developer tools mean there's an XSS vulnerability?

[No](https://crbug.com/81697). Chrome does not attempt to prevent the user from
knowingly running script against loaded documents, either by entering script in
the Developer Tools console or by typing a JavaScript: URI into the URL bar.
Chrome and other browsers do undertake some efforts to prevent *paste* of script
URLs in the URL bar (to limit
[social-engineering](https://blogs.msdn.microsoft.com/ieinternals/2011/05/19/socially-engineered-xss-attacks/))
but users are otherwise free to invoke script against pages using either the URL
bar or the DevTools console.

<a name="TOC-Does-executing-JavaScript-from-a-bookmark-mean-there-s-an-XSS-vulnerability-"></a>
### Does executing JavaScript from a bookmark or the Home button mean there's an XSS vulnerability?

No. Chromium allows users to create bookmarks to JavaScript URLs that will run
on the currently-loaded page when the user clicks the bookmark; these are called
[bookmarklets](https://en.wikipedia.org/wiki/Bookmarklet).

Similarly, the Home button may be configured to invoke a JavaScript URL when clicked.

<a name="TOC-Does-executing-JavaScript-in-a-PDF-file-mean-there-s-an-XSS-vulnerability-"></a>
### Does executing JavaScript in a PDF file mean there's an XSS vulnerability?

No. PDF files have the ability to run JavaScript, usually to facilitate field
validation during form fill-out. Note that the set of bindings provided to
the PDF is more limited than the DOM provided to HTML documents, and PDFs
do not get any ambient authority based upon the domain from which they are
served (e.g. there is no `document.cookie`).

<a name="TOC-Are-PDF-files-static-content-in-Chromium-"></a>
### Are PDF files static content in Chromium?

No. PDF files have some powerful capabilities including invoking printing or
posting form data. To mitigate abuse of these capabilities, such as beaconing
upon document open, we require interaction with the document (a "user gesture")
before allowing their use.

<a name="TOC-Are-non_committed-URLs-entered-by-the-user-considered-URL-spoofs-"></a>
### Are non-committed URLs entered by the user considered URL spoofs?

No. When a user enters a URL into the address bar (whether by typing,
copy/pasting, drag and drop, or otherwise), Chrome intentionally displays
it instead of the last committed URL of the currently active page, until
both the navigation begins and the new page commits. During this time, the
currently active page can change its appearance to mimic the new URL while
its own URL is not shown. However, the active page does not have control
over which URL the user entered into the address bar, limiting the
effectiveness of a spoof attempt. The new
[lock-replacement icon](https://blog.chromium.org/2023/05/an-update-on-lock-icon.html)
is also not present in this state, and once the new navigation has started,
the loading indicators are present as well.

The confusion between the non-committed URL and the active page's
appearance is a consequence of the address bar needing to serve two roles:
showing both where you are and where you are going. In general, we don't think
this technique can deceive a [reasonable and prudent
user](#TOC-What-makes-a-ui-spoof-interesting-to-report).

See also https://crbug.com/378932942 for context.

<a name="TOC-What-about-URL-spoofs-using-Internationalized-Domain-Names-IDN-"></a>
### What about URL spoofs using Internationalized Domain Names (IDN)?

We try to balance the needs of our international userbase while protecting users
against confusable homograph attacks. Despite this, there is a list of known
IDN display issues we are still working on.

* Please see [this document](https://docs.google.com/document/d/1_xJz3J9kkAPwk3pma6K3X12SyPTyyaJDSCxTfF8Y5sU)
for a list of known issues and how we handle them.
* [This document](https://chromium.googlesource.com/chromium/src/+/main/docs/idn.md)
describes Chrome's IDN policy in detail.

<a name="TOC-Chrome-silently-syncs-extensions-across-devices.-Is-this-a-security-vulnerability-"></a>
### Chrome silently syncs extensions across devices. Is this a security vulnerability?

This topic has been moved to the [Extensions Security FAQ](https://chromium.googlesource.com/chromium/src/+/main/extensions/docs/security_faq.md).

<a name="TOC-Why-arent-null-pointer-dereferences-considered-security-bugs-"></a>
### Why aren't null pointer dereferences considered security bugs?

Null pointer dereferences with consistent, small, fixed offsets are not considered
security bugs. A read or write to the NULL page results in a non-exploitable crash.
If the offset is larger than 32KB, or if there's uncertainty about whether the
offset is controllable, it is considered a security bug.

Every supported Chrome platform forbids mapping memory in at least the first
32KB of address space, so a small offset from NULL always lands in an unmapped
page:

- Windows: Windows 8 and later disable mapping the first 64KB of address space;
  see page 33 of [Exploit Mitigation Improvements in Windows
  8][windows-null-page-mapping] [[archived]][windows-null-page-mapping-archived].
- Mac and iOS: by default, the linker reserves the first 4GB of address space
  with the `__PAGEZERO` segment for 64-bit binaries.
- Linux: the default `mmap_min_addr` value for supported distributions is at
  least 64KB.
- Android: [CTS][android-mmap_min_addr] enforces that `mmap_min_addr` is set to
  exactly 32KB.
- ChromeOS: the [ChromeOS kernels][chromeos-mmap_min_addr] set the default
  `mmap_min_addr` value to at least 32KB.
- Fuchsia: the [userspace base address][fuchsia-min-base-address] begins at 2MB;
  this is configured per-platform but set to the same value on all platforms.

[windows-null-page-mapping]: https://media.blackhat.com/bh-us-12/Briefings/M_Miller/BH_US_12_Miller_Exploit_Mitigation_Slides.pdf
[windows-null-page-mapping-archived]: https://web.archive.org/web/20230608131033/https://media.blackhat.com/bh-us-12/Briefings/M_Miller/BH_US_12_Miller_Exploit_Mitigation_Slides.pdf
[android-mmap_min_addr]: https://android.googlesource.com/platform/cts/+/496152a250d10e629d31ac90b2e828ad77b8d70a/tests/tests/security/src/android/security/cts/KernelSettingsTest.java#43
[chromeos-mmap_min_addr]: https://source.chromium.org/search?q=%22CONFIG_DEFAULT_MMAP_MIN_ADDR%3D%22%20path:chromeos%2F&ss=chromiumos%2Fchromiumos%2Fcodesearch:src%2Fthird_party%2Fkernel%2F
[fuchsia-min-base-address]: https://cs.opensource.google/fuchsia/fuchsia/+/main:zircon/kernel/arch/arm64/include/arch/kernel_aspace.h;l=20;drc=eeceea01eee2615de74b1339bcf6e6c2c6f72769

<a name="TOC-Indexing-a-container-out-of-bounds-hits-a-libcpp-verbose-abort--is-this-a-security-bug-"></a>
### Indexing a container out of bounds hits a __libcpp_verbose_abort, is this a security bug?

`std::vector` and other containers are now protected by libc++ hardening on all
platforms ([crbug.com/1335422](https://crbug.com/1335422)). Indexing these
containers out of bounds is now a safe crash: if a proof-of-concept reliably
causes such a crash in production builds, we consider it a functional rather
than a security issue.

<a name="TOC-Are-stack-overflows-considered-security-bugs-"></a>
### Are stack overflows considered security bugs?

No. Guard pages mean that stack overflows are considered unexploitable, and
are regarded as [denial of service bugs](#TOC-Are-denial-of-service-issues-considered-security-bugs-).
The only exception is if an attacker can jump over the guard pages allocated by
the operating system and avoid accessing them, e.g.:

* A frame with a very large stack allocation.
* A C variable-length array with an attacker-controlled size.
* A call to `alloca()` with an attacker-controlled size.

<a name="TOC-Are-tint-ICE-considered-security-bugs-"></a>
### Are tint shader compiler Internal Compiler Errors considered security bugs?

No. When tint fails and throws an ICE (Internal Compiler Error), it will
terminate the process in an intentional manner and produce no shader output.
Thus no security bug follows from it.

<a name="TOC-Are-enterprise-admins-considered-privileged-"></a>
### Are enterprise admins considered privileged?

Chrome [can't guard against local
attacks](#TOC-Why-aren-t-physically-local-attacks-in-Chrome-s-threat-model-).
Enterprise administrators often have full control over the device. Does Chrome
assume that enterprise administrators are as privileged and powerful as other
local users? It depends:

* On a fully managed machine, for example a [domain-joined Windows
  machine](https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/deployment/join-a-computer-to-a-domain),
  a device managed via a Mobile Device Management product, or a device with
  Chrome managed via machine-level [Chrome Browser Cloud
  Management](https://support.google.com/chrome/?p=cloud_management),
  the administrator effectively has privileges to view and mutate any state on
  the device. Chrome [policy implementations](../enterprise/add_new_policy.md)
  should still guide enterprise admins to the most user-respectful defaults
  and policy description text should clearly describe the nature of the
  capabilities and the user impact of them being granted.
* On an unmanaged machine, Chrome profiles [can be managed via cloud
  policy](https://support.google.com/chrome/?p=manage_profiles)
  if users sign into Chrome using a managed account. These policies are called
  *user policies*. In this scenario, the Chrome enterprise administrator should
  have privileges only to *view and mutate state within the profile that they
  administer*. Any access outside that profile requires end-user consent.

Chrome administrators can force-install Chrome extensions without permissions
prompts, so the same restrictions must apply to the Chrome extension APIs.

Chrome has a long history of policy support with many hundreds of policies. We
recognize that there may exist policies or policy combinations that can provide
capabilities outside of the guidance provided here. In cases of clear violation
of user expectations, we will attempt to remedy these policies and we will apply
the guidance laid out in this document to any newly added policies.

See the [Web Platform Security
guidelines](https://chromium.googlesource.com/chromium/src/+/main/docs/security/web-platform-security-guidelines.md#enterprise-policies)
for more information on how enterprise policies should interact with Web
Platform APIs.

<a name="TOC-Can-I-use-EMET-to-help-protect-Chrome-against-attack-on-Microsoft-Windows-"></a>
### Can I use EMET to help protect Chrome against attack on Microsoft Windows?

There are [known compatibility
problems](https://sites.google.com/a/chromium.org/dev/Home/chromium-security/chromium-and-emet)
between Microsoft's EMET anti-exploit toolkit and some versions of Chrome. These
can prevent Chrome from running in some configurations. Moreover, the Chrome
security team does not recommend the use of EMET with Chrome because its most
important security benefits are redundant with or superseded by built-in attack
mitigations within the browser. For users, the very marginal security benefit is
not usually a good trade-off for the compatibility issues and performance
degradation the toolkit can cause.

<a name="TOC-dangling-pointers"></a>
### Dangling pointers

Chromium can be instrumented to detect [dangling
pointers](https://chromium.googlesource.com/chromium/src/+/main/docs/dangling_ptr.md):

Notable build flags are:
- `enable_dangling_raw_ptr_checks=true`
- `use_raw_ptr_asan_unowned_impl=true`

Notable runtime flags are:
- `--enable-features=PartitionAllocDanglingPtr`

It is important to note that detecting a dangling pointer alone does not
necessarily indicate a security vulnerability. A dangling pointer becomes a
security vulnerability only when it is dereferenced and used after it becomes
dangling.

In general, dangling pointer issues should be assigned to feature teams as
ordinary bugs and be fixed by them. They are considered security bugs only if
there is a demonstrable way to show memory corruption, e.g. a proof of concept
that crashes an ASAN build **without the flags above**.

<a name="TOC-hard-coded-lists"></a>
### My domain is on the [Public Suffix List / HSTS preload list / etc.] upstream but this is not yet reflected in Chrome! Is this a security bug?

Chrome does not make any guarantees about how soon additions to or removals from
external lists like the [HSTS preload list](https://hstspreload.org) or the
[Public Suffix List (PSL)](https://publicsuffix.org/) will be incorporated into Chrome.
If you believe Chrome's copies of these lists are notably out-of-date, we are
happy to field bug reports but we do not consider this to be a vulnerability.

## AI Features

Chrome deeply integrates AI both in user-facing features like [Gemini Live
in Chrome](https://gemini.google/overview/gemini-in-chrome), “Help me write”
and DevTools assistants, and in internal models that help block unwanted
notifications or improve page loading.

Chrome does not treat misleading, misaligned or unsafe model output as a
vulnerability. Please report such safety violations using in-product feedback
mechanisms.

<a name="TOC-AI-prompt-innappropriate-output"></a>
### Entering a prompt into an AI feature’s input surface causes inappropriate output?

Chrome AI features include guardrails to ensure that their output is safe and
reasonable, but these guardrails do not form a security boundary. Any prompt that
causes them to be violated is not a security issue in Chrome. Use
in-product mechanisms to thumbs up / thumbs down results, or click on
‘send feedback’ to report other inappropriate content.

<a name="TOC-AI-prompt-leaks-system-prompt"></a>
### Entering a prompt into an AI feature’s input surface leaks the system prompt, or provides access to backend services?

For AI features implemented using a Google backend it is possible that some
prompted output could be a valid abuse report, but it will not be considered a
bug in Chrome. These should be reported via the [Google Abuse
VRP](https://bughunters.google.com/about/rules/google-friends/5238081279623168/abuse-vulnerability-reward-program-rules)
or [Google VRP](https://bughunters.google.com/) depending on the severity of the
issue.

<a name="TOC-AI-prompt-can-be-copy-pasted"></a>
### Entering a prompt into an AI feature’s input surface causes information to leak, or actions to happen?

Chrome AI features trust what people using Chrome supply in input fields, audio
inputs, or other Chrome input surfaces. Tricking a user into entering a
malicious prompt (e.g. by copy/pasting from a site) is not considered to be a
security boundary, as many people copy and paste text and URLs as they use
features in Chrome.

<a name="TOC-AI-public-urls-are-not-leaks"></a>
### URL paths, parameters or fragments can influence the output of Chrome AI features?

AI features may use URLs when generating their output, so it is expected that
page content will influence the output. Chrome AI features include mitigations
and filters to prevent harmful actions that result from operating on page
content. Controlling the AI output is, by itself, not a security issue, unless
some further harm to a user can be demonstrated.

<a name="TOC-AI-page-content-influences-model-output"></a>
### Page content can influence the output of Chrome AI features?

AI features may use page content (including images and subframes) when
generating their output so it is expected that page content will influence the
output. Chrome AI features include mitigations and filters to prevent harmful
actions that result from operating on page content. Controlling the AI output
is, by itself, not a security issue, unless some further harm to a user can be
demonstrated.

<a name="TOC-AI-invisible-page-content"></a>
### Invisible page content can influence the output of Chrome AI features?

AI features may use page content including invisible content when generating
their output so it is expected that page content will influence the output.
Chrome AI features may detect, scrub, or deprioritize invisible content, but
failing to do so is not considered a security vulnerability as it is impossible
to do so in all cases.

<a name="TOC-AI-leaky-urls-can-be-reported"></a>
### I have an example of page content that results in Chrome AI features creating links that leak information if followed?

Chrome AI features take actions to limit what navigations are possible, and
require user action before following links that could leak information, to
prevent scalable or targeted attacks. Web pages can already supply links or
cause redirections and navigations; causing a user to follow these via an AI
feature does not add a new attack surface.

<a name="TOC-AI-page-content-harmful-actions"></a>
### I have an example of page content that results in Chrome AI features performing harmful actions?

Indirect prompt injections that result in unintended actions or leak information
may be considered security issues and should be reported through the Chrome
security tracker. Please create a recording from a fresh session that
demonstrates the issue, and upload all files used as part of the demonstration.
If a Gemini session is associated with your report, it will help us if you are
able to share the session from your activity page, and the version of the model
you are using.

<a name="TOC-AI-xss-in-glic-window"></a>
### I have an example of page content that results in XSS in the context of a Chrome AI feature?

Output surfaces should sanitize inputs and transformed outputs. Please create a
recording from a fresh session that demonstrates the issue, and upload all files
used as part of the demonstration. If a Gemini session is associated with your
report, it will help us if you are able to share the session from your activity
page, and the version of the model you are using. Note that directly injecting
code into a trusted surface via devtools does not demonstrate a vulnerability.

## AI Generated Vulnerability reports

<a name="TOC-should-i-ask-an-ai-to-generate-a-vulnerability-report-for-chrome"></a>
### Should I ask an AI to Generate a Vulnerability Report for Chrome?

Simply asking an AI to identify a bug in Chrome is unlikely to yield a
valid report. Before submitting a report generated by AI please ensure you have
done enough human work to validate that any issue is (a) in our threat model,
and (b) reachable in Chrome by constructing a POC, generating an ASAN trace,
recording the bug reproducing, or performing your own debugging.

AI is prone to hallucinations when asked to find security bugs and can generate
reports that repeat previously fixed issues, or describe general classes of bugs
without discovering a specific actionable issue. As the reports can be lengthy,
they take a lot of time for our security experts to process and understand
before closing. Submitting reports without doing some work yourself to validate
that an issue is actually present in Chrome harms our users by wasting the time
and resources of the Chrome security team.

Submitting multiple low-quality AI generated reports will be treated as spamming
and has led to accounts being banned from our reporting systems.

AI can be used to accelerate developer workflows and may be useful when
understanding code or translating from one language to another. AI tools can be
helpful when searching for security vulnerabilities in Chrome, but remember that
additional work must be done to ensure that vulnerability reports are brief,
actionable, and reproducible. These must meet the prerequisites of a [baseline
security bug report](https://g.co/chrome/vrp#report-quality) before we can pass
them to teams to be fixed.

## Certificates & Connection Indicators

<a name="TOC-Where-are-the-security-indicators-located-in-the-browser-window-"></a>
### Where are the security indicators located in the browser window?

The topmost portion of the browser window, consisting of the **Omnibox** (or
**Location Bar**), navigation icons, menu icon, and other indicator icons, is
sometimes called the browser **chrome** (not to be confused with the Chrome
Browser itself). Actual security indicators can only appear in this section of
the window. There can be no trustworthy security indicators elsewhere.

Furthermore, Chrome can only guarantee that it is correctly representing URLs
and their origins at the end of all navigation. Quirks of URL parsing, HTTP
redirection, and so on are not security concerns unless Chrome is
misrepresenting a URL or origin after navigation has completed.

Browsers present a dilemma to the user since the output is a combination of
information coming from both trustworthy sources (the browser itself) and
untrustworthy sources (the web page), and the untrustworthy sources are allowed
virtually unlimited control over graphical presentation. The only restriction on
the page's presentation is that it is confined to the large rectangular area
directly underneath the chrome, called the **viewport**. Things like hover text
and URL preview(s), shown in the viewport, are entirely under the control of the
web page itself. They have no guaranteed meaning, and function only as the page
desires. This can be even more confusing when pages load content that looks like
chrome. For example, many pages load images of locks, which look similar to the
meaningful HTTPS lock in the Omnibox, but in fact do not convey any meaningful
information about the transport security of that page.

When the browser needs to show trustworthy information, such as the bubble
resulting from a click on the lock icon, it does so by making the bubble overlap
chrome. This visual detail can't be imitated by the page itself since the page
is confined to the viewport.

<a name="TOC-Why-does-Chrome-show-a-lock-even-if-my-HTTPS-connection-is-being-proxied-"></a>
### Why does Chrome show a lock, even if my HTTPS connection is being proxied?

Some types of software intercept HTTPS connections. Examples include anti-virus
software, corporate network monitoring tools, and school censorship software. In
order for the interception to work, you need to install a private trust anchor
(root certificate) onto your computer. This may have happened when you installed
your anti-virus software, or when your company's network administrator set up
your computer. If that has occurred, your HTTPS connections can be viewed or
modified by the software.

Since you have allowed the trust anchor to be installed onto your computer,
Chrome assumes that you have consented to HTTPS interception. Anyone who can add
a trust anchor to your computer can make other changes to your computer, too,
including changing Chrome. (See also [Why aren't physically-local attacks in
Chrome's threat model?](#TOC-Why-aren-t-physically-local-attacks-in-Chrome-s-threat-model-).)

<a name="TOC-Why-can-t-I-select-Proceed-Anyway-on-some-HTTPS-error-screens-"></a>
### Why can’t I select Proceed Anyway on some HTTPS error screens?

A key guarantee of HTTPS is that Chrome can be relatively certain that it is
connecting to the true web server and not an impostor. Some sites request an
even higher degree of protection for their users (i.e. you): they assert to
Chrome (via Strict Transport Security —
[HSTS](https://tools.ietf.org/html/rfc6797) — or by other means) that any
server authentication error should be fatal, and that Chrome must close the
connection. If you encounter such a fatal error, it is likely that your network
is under attack, or that there is a network misconfiguration that is
indistinguishable from an attack.

The best thing you can do in this situation is to raise the issue to your
network provider (or corporate IT department).

Chrome shows non-recoverable HTTPS errors only in cases where the true server
has previously asked for this treatment, and when it can be relatively certain
that the current server is not the true server.

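The mechanism behind that decision, as an added example that is not Chromium code: a minimal HSTS store following RFC 6797. `parseHsts` accepts a `Strict-Transport-Security` header value (a required `max-age`, an optional `includeSubDomains`, duplicate directives rejected as the RFC requires), the store records each host with an expiry, and `certErrorOverridable` answers the question in the heading: once a host (or a parent domain that sent `includeSubDomains`) is known, a certificate error cannot be clicked through until the entry expires or the site sends `max-age=0`. A real client also consults the preload list and only honours the header when it arrived over an error-free HTTPS connection; both are assumed away here.

```javascript
// Added example, not Chromium code: a minimal HSTS store per RFC 6797,
// enough to show why certificate errors on HSTS hosts are fatal.

// Parse a Strict-Transport-Security header value.
// Returns { maxAge, includeSubDomains } or null for a malformed header,
// which RFC 6797 section 8.1 says a client must ignore.
function parseHsts(headerValue) {
  let maxAge = null;
  let includeSubDomains = false;
  const seen = new Set();
  for (const rawDirective of headerValue.split(';')) {
    const directive = rawDirective.trim();
    if (directive === '') continue;
    const eq = directive.indexOf('=');
    const name = (eq === -1 ? directive : directive.slice(0, eq)).trim().toLowerCase();
    const value = eq === -1 ? null : directive.slice(eq + 1).trim().replace(/^"(.*)"$/, '$1');
    if (seen.has(name)) return null;            // duplicate directive: invalid
    seen.add(name);
    if (name === 'max-age') {
      if (value === null || !/^\d+$/.test(value)) return null;
      maxAge = Number(value);
    } else if (name === 'includesubdomains') {
      includeSubDomains = true;
    }                                           // unknown directives are ignored
  }
  if (maxAge === null) return null;             // max-age is mandatory
  return { maxAge, includeSubDomains };
}

class HstsStore {
  constructor() {
    this.entries = new Map();                   // host -> { expiry (ms), includeSubDomains }
  }

  // Record a header seen for `host` at time `now` (ms). Returns false if ignored.
  process(host, headerValue, now) {
    const parsed = parseHsts(headerValue);
    if (parsed === null) return false;
    host = host.toLowerCase();
    if (parsed.maxAge === 0) {                  // max-age=0 forgets the host
      this.entries.delete(host);
      return true;
    }
    this.entries.set(host, {
      expiry: now + parsed.maxAge * 1000,
      includeSubDomains: parsed.includeSubDomains,
    });
    return true;
  }

  // Is `host` (or a parent domain with includeSubDomains) a known HSTS host at `now`?
  isKnownHost(host, now) {
    const labels = host.toLowerCase().split('.');
    for (let i = 0; i < labels.length; i++) {
      const entry = this.entries.get(labels.slice(i).join('.'));
      if (entry === undefined || entry.expiry <= now) continue;
      if (i === 0 || entry.includeSubDomains) return true;
    }
    return false;
  }

  // The policy from the text: no "Proceed anyway" on a known HSTS host.
  certErrorOverridable(host, now) {
    return !this.isKnownHost(host, now);
  }
}
```

The lookup walks from the full hostname up to the top-level label, which is why `includeSubDomains` on `example.com` makes an error on `login.example.com` fatal as well, while an entry without it only covers the exact host that sent the header.
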
951<a name="TOC-How-does-key-pinning-interact-with-local-proxies-and-filters-"></a>
Alex Goughe7bcbea2022-05-03 21:45:34952### How does key pinning interact with local proxies and filters?
Chris Palmer554c66e2017-07-29 01:02:56953
954To enable certificate chain validation, Chrome has access to two stores of trust
Ryan Dicksonbbcdf3d2022-11-16 19:43:51955anchors (i.e., certificates that are empowered as issuers). One trust anchor
Alex Goughc9ab81fd2023-05-15 19:03:14956store is for authenticating public internet servers, and depending on the
Ryan Dicksonbbcdf3d2022-11-16 19:43:51957version of Chrome being used and the platform it is running on, the
958[Chrome Root Store](https://chromium.googlesource.com/chromium/src/+/main/net/data/ssl/chrome_root_store/faq.md#what-is-the-chrome-root-store)
959might be in use. The private store contains certificates installed by the user
960or the administrator of the client machine. Private intranet servers should
961authenticate themselves with certificates issued by a private trust anchor.
Chris Palmer554c66e2017-07-29 01:02:56962
963Chrome’s key pinning feature is a strong form of web site authentication that
964requires a web server’s certificate chain not only to be valid and to chain to a
965known-good trust anchor, but also that at least one of the public keys in the
966certificate chain is known to be valid for the particular site the user is
967visiting. This is a good defense against the risk that any trust anchor can
968authenticate any web site, even if not intended by the site owner: if an
969otherwise-valid chain does not include a known pinned key (“pin”), Chrome will
970reject it because it was not issued in accordance with the site operator’s
971expectations.
972
973Chrome does not perform pin validation when the certificate chain chains up to a
974private trust anchor. A key result of this policy is that private trust anchors
975can be used to proxy (or
Ryan Dicksonbbcdf3d2022-11-16 19:43:51976[MITM](https://en.wikipedia.org/wiki/Man-in-the-middle_attack)) connections,
977even to pinned sites. “Data loss prevention” appliances, firewalls, content
978filters, and malware can use this feature to defeat the protections of key
979pinning.
Chris Palmer554c66e2017-07-29 01:02:56980
981We deem this acceptable because the proxy or MITM can only be effective if the
982client machine has already been configured to trust the proxy’s issuing
983certificate — that is, the client is already under the control of the person who
984controls the proxy (e.g. the enterprise’s IT administrator). If the client does
985not trust the private trust anchor, the proxy’s attempt to mediate the
986connection will fail as it should.
987
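The following Python example is added here as an illustration of the policy just described; it is not Chromium's pinning code. Pins are written the way Chromium's preloaded pin list (and the old HPKP header) writes them, as `sha256/` followed by the base64 SHA-256 digest of the DER-encoded SubjectPublicKeyInfo, and validation is skipped entirely when the chain ends at a private trust anchor. The certificate names and SPKI byte strings are constructed placeholders, not real keys.

```python
import base64
import hashlib
from dataclasses import dataclass


def spki_pin(spki_der: bytes) -> str:
    """Pin for a DER-encoded SubjectPublicKeyInfo: "sha256/" + base64(SHA-256(SPKI))."""
    return "sha256/" + base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


@dataclass(frozen=True)
class Cert:
    """Minimal stand-in for a certificate: all pinning needs is its public key."""
    name: str
    spki_der: bytes  # constructed placeholder bytes, not a real SPKI


def evaluate_pins(chain: list[Cert], pinned: set[str], anchor_is_public: bool) -> tuple[bool, str]:
    """Decide whether an already path-validated chain satisfies the host's pins.

    Policy as the FAQ describes it:
      * a chain ending at a private (user/admin-installed) trust anchor is exempt
        from pin validation, which is what lets a locally trusted proxy mediate;
      * a chain ending at a public trust anchor must contain at least one key
        whose pin is in the host's pin set, otherwise it is rejected.
    The chain is ordered leaf first and may or may not include the anchor.
    """
    if not anchor_is_public:
        return True, "private trust anchor: pin validation skipped"
    if not pinned:
        return True, "host has no pins"
    if {spki_pin(c.spki_der) for c in chain} & pinned:
        return True, "a pinned key is present in the chain"
    return False, "no pinned key in chain"


# Constructed example PKI. Real SPKI blobs are DER structures of a few hundred
# bytes; short labels stand in for them here.
LEAF = Cert("example.com (issued by public CA A)", b"constructed-spki:leaf")
INTERMEDIATE_A = Cert("public intermediate A", b"constructed-spki:intermediate-A")
INTERMEDIATE_B = Cert("public intermediate B", b"constructed-spki:intermediate-B")
PROXY_LEAF = Cert("example.com (issued by local proxy)", b"constructed-spki:proxy-leaf")
PROXY_ROOT = Cert("enterprise proxy root", b"constructed-spki:proxy-root")

# The site operator pinned intermediate A's key.
EXAMPLE_COM_PINS = {spki_pin(INTERMEDIATE_A.spki_der)}


def demo() -> dict[str, bool]:
    """Outcome of the three situations discussed in the FAQ text."""
    cases = {
        "public chain through pinned CA": ([LEAF, INTERMEDIATE_A], True),
        "public chain through other CA": ([LEAF, INTERMEDIATE_B], True),
        "chain to private anchor (local proxy)": ([PROXY_LEAF, PROXY_ROOT], False),
    }
    return {label: evaluate_pins(chain, EXAMPLE_COM_PINS, public)[0]
            for label, (chain, public) in cases.items()}


if __name__ == "__main__":
    for label, accepted in demo().items():
        print(f"{label}: {'accepted' if accepted else 'rejected'}")
```

Note that the second case is the one pinning exists for: a perfectly valid chain from a different public CA is rejected because the site operator never authorised that CA. The third case is the proxy scenario from the text: the chain carries no pinned key at all, yet it is accepted, because the client was deliberately configured to trust the proxy's root.
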
<a name="TOC-When-is-key-pinning-enabled-"></a>
### When is key pinning enabled?

Key pinning is enabled for Chrome-branded non-iOS builds when the local
clock is within ten weeks of the embedded build timestamp. Key pinning is a
useful security measure but it tightly couples client and server configurations
and completely breaks when those configurations are out of sync. In order to
manage that risk we need to ensure that we can promptly update pinning clients
in an emergency and ensure that non-emergency changes can be deployed in a
reasonable timeframe.

Each of the conditions listed above helps ensure those properties:
Chrome-branded builds are those that Google provides and they all have an
auto-update mechanism that can be used in an emergency. Even in cases where
auto-update is generally effective, there are still non-trivial populations
of stragglers for various reasons. The ten-week timeout prevents those
stragglers from causing problems for regular, non-emergency changes and
allows stuck users to still, for example, conduct searches and access Chrome's
homepage to hopefully get unstuck.

In order to determine whether key pinning is active, try loading
[https://pinning-test.badssl.com/](https://pinning-test.badssl.com/). If key
pinning is active the load will _fail_ with a pinning error.

<a name="TOC-How-does-certificate-transparency-interact-with-local-proxies-and-filters-"></a>
### How does Certificate Transparency interact with local proxies and filters?

Just as [pinning only applies to publicly-trusted trust
anchors](#TOC-How-does-key-pinning-interact-with-local-proxies-and-filters-),
Chrome only evaluates Certificate Transparency (CT) for publicly-trusted trust
anchors. Thus private trust anchors, such as for enterprise middle-boxes and AV
proxies, do not need to be publicly logged in a CT log.

<a name="TOC-Why-are-some-web-platform-features-only-available-in-HTTPS-page-loads-"></a>
### Why are some web platform features only available in HTTPS page-loads?

The full answer is here: we [Prefer Secure Origins For Powerful New
Features](https://www.chromium.org/Home/chromium-security/prefer-secure-origins-for-powerful-new-features).
In short, many web platform features give web origins access to sensitive new
sources of information, or significant power over a user's experience with their
computer/phone/watch/etc. We would therefore like to have some basis to believe
the origin meets a minimum bar for security, that the sensitive information is
transported over the Internet in an authenticated and confidential way, and that
users can make meaningful choices to trust or not trust a web origin.

Note that the reason we require secure origins for WebCrypto is slightly
different: An application that uses WebCrypto is almost certainly using it to
provide some kind of security guarantee (e.g. encrypted instant messages or
email). However, unless the JavaScript was itself transported to the client
securely, it cannot actually provide any guarantee. (After all, a MITM attacker
could have modified the code, if it was not transported securely.)

See the [Web Platform Security
guidelines](https://chromium.googlesource.com/chromium/src/+/main/docs/security/web-platform-security-guidelines.md#encryption)
for more information on security guidelines applicable to web platform APIs.

<a name="TOC-Which-origins-are-secure-"></a>
### Which origins are "secure"?

Secure origins are those that match at least one of the following (scheme, host,
port) patterns:

* (https, *, *)
* (wss, *, *)
* (*, localhost, *)
* (*, 127/8, *)
* (*, ::1/128, *)
* (file, *, —)
* (chrome-extension, *, —)

That is, secure origins are those that load resources either from the local
machine (necessarily trusted) or over the network from a
cryptographically-authenticated server. See [Prefer Secure Origins For Powerful
New
Features](https://sites.google.com/a/chromium.org/dev/Home/chromium-security/prefer-secure-origins-for-powerful-new-features)
for more details.

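As an added illustration (not Chromium's own implementation, which has further cases not listed in this FAQ), the following Python classifier applies exactly the (scheme, host, port) patterns above to a list of origins. The sample origins are constructed; they include the cases that most often surprise people, such as plain `http` to a LAN address, a loopback address reached over a non-web scheme, and an `http` host whose name merely contains the word "secure".

```python
import ipaddress
from urllib.parse import urlsplit

# Loopback ranges from the FAQ's pattern list: (*, 127/8, *) and (*, ::1/128, *).
LOOPBACK_NETWORKS = (ipaddress.ip_network("127.0.0.0/8"), ipaddress.ip_network("::1/128"))


def is_secure_origin(origin: str) -> bool:
    """Return True if the origin matches one of the FAQ's (scheme, host, port) patterns."""
    parts = urlsplit(origin)
    scheme = parts.scheme.lower()
    # (https, *, *) and (wss, *, *): any host, any port, because the transport
    # itself is authenticated and confidential.
    if scheme in ("https", "wss"):
        return True
    # (file, *, -) and (chrome-extension, *, -): local content, no network port.
    if scheme in ("file", "chrome-extension"):
        return True
    # (*, localhost, *): any scheme, any port.
    host = parts.hostname or ""
    if host == "localhost":
        return True
    # Loopback IP literals. urlsplit strips the [] around IPv6 literals, so
    # "[::1]" arrives here as "::1". A version mismatch (IPv6 address tested
    # against the IPv4 network) simply yields False.
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False  # not an IP literal, and not one of the named hosts above
    return any(addr in net for net in LOOPBACK_NETWORKS)


def classify(origins: list[str]) -> dict[str, bool]:
    return {origin: is_secure_origin(origin) for origin in origins}


# Constructed sample origins.
SAMPLE_ORIGINS = [
    "https://example.com",
    "wss://chat.example.com:8443",
    "http://localhost:3000",
    "http://127.0.0.1",
    "http://127.10.20.30:8080",
    "ws://[::1]:9000",
    "file:///home/user/page.html",
    "chrome-extension://abcdefghijklmnopabcdefghijklmnop",
    "ftp://127.0.0.1",
    "http://example.com",
    "http://192.168.1.10",
    "http://secure.example.com",
]

if __name__ == "__main__":
    for origin, secure in classify(SAMPLE_ORIGINS).items():
        print(f"{'secure  ' if secure else 'insecure'}  {origin}")
```

The last three sample origins are the instructive ones: a private LAN address is not loopback, so `http://192.168.1.10` is insecure even though it never leaves the building, and nothing about a hostname makes an `http` origin secure.
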
<a name="TOC-What-s-the-story-with-certificate-revocation-"></a>
### What's the story with certificate revocation?

Chrome's primary mechanism for checking certificate revocation status is
[CRLSets](https://dev.chromium.org/Home/chromium-security/crlsets).
Additionally, by default, [stapled Online Certificate Status Protocol (OCSP)
responses](https://en.wikipedia.org/wiki/OCSP_stapling) are honored.

As of 2024, Chrome enforces most security-relevant certificate revocations that
are visible via Certificate Revocation Lists (CRLs) published to the
[CCADB](https://www.ccadb.org/) via CRLSets. There is some inherent delay in
getting revocation information to Chrome clients, but most revocations should
reach most users within a few days of appearing on a CA's CRL.

Chrome clients do not, by default, perform "online" certificate revocation
status checks using CRLs directly or via OCSP URLs included in certificates.
This is because online checks offer limited security value unless a client, like
Chrome, refuses to connect to a website if it cannot get a valid response.

Unfortunately, there are many widely-prevalent reasons why a client
might be unable to get a valid certificate revocation status response,
including:
* timeouts (e.g., an OCSP responder is online but does not respond within an
  acceptable time limit),
* availability issues (e.g., the OCSP responder is offline),
* invalid responses (e.g., a "stale" or malformed status response), and
* local network attacks misrouting traffic or blocking responses.

Additional concerns with OCSP checks relate to privacy. OCSP
requests reveal details of individuals' browsing history to the operator of the
OCSP responder (i.e., a third party). These details can be exposed accidentally
(e.g., via data breach of logs) or intentionally (e.g., via subpoena). Chrome
used to perform revocation checks for Extended Validation certificates, but that
behavior was disabled in 2022 for [privacy reasons](https://groups.google.com/a/mozilla.org/g/dev-security-policy/c/S6A14e_X-T0/m/T4WxWgajAAAJ).

The following enterprise policies can be used to change the default revocation
checking behavior in Chrome, though these may be removed in the future:
* [enable soft-fail OCSP](https://chromeenterprise.google/policies/#EnableOnlineRevocationChecks)
* [hard-fail for local trust anchors](https://chromeenterprise.google/policies/#RequireOnlineRevocationChecksForLocalAnchors).

## Passwords & Local Data

<a name="TOC-What-about-unmasking-of-passwords-with-the-developer-tools-"></a>
### What about unmasking of passwords with the developer tools?

One of the most frequent reports we receive is password disclosure using the
Inspect Element feature (see [Issue 126398](https://crbug.com/126398) for an
example). People reason that "If I can see the password, it must be a bug."
However, this is just one of the [physically-local attacks described in the
previous
section](#TOC-Why-aren-t-physically-local-attacks-in-Chrome-s-threat-model-),
and all of those points apply here as well.

The reason the password is masked is only to prevent disclosure via
"shoulder-surfing" (i.e. the passive viewing of your screen by nearby persons),
not because it is a secret unknown to the browser. The browser knows the
password at many layers, including JavaScript, developer tools, process memory,
and so on. When you are physically local to the computer, and only when you are
physically local to the computer, there are, and always will be, tools for
extracting the password from any of these places.

<a name="TOC-Is-Chrome-s-support-for-userinfo-in-HTTP-URLs-e.g.-http:-user:password-example.com-considered-a-vulnerability-"></a>
### Is Chrome's support for userinfo in HTTP URLs (e.g. http://user:password@example.com) considered a vulnerability?

[Not at this time](https://crbug.com/626951). Chrome supports HTTP and HTTPS
URIs with username and password information embedded within them for
compatibility with sites that require this feature. Notably, Chrome will
suppress display of the username and password information after navigation in
the URL box to limit the effectiveness of spoofing attacks that may try to
mislead the user. For instance, navigating to
`http://trustedsite.com@evil.example.com` will show an address of
`http://evil.example.com` after the page loads.

Note: We often receive reports calling this an "open redirect". However, it has
nothing to do with redirection; rather the format of URLs is complex and the
userinfo may be misread as a host.

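The following Python example is added here to make the "userinfo misread as a host" point concrete; it is not Chromium code. It parses URLs the same way the URL grammar does (the host is whatever follows the last `@` in the authority), reproduces the address Chrome shows after navigation by dropping the userinfo, and, from a defender's side, flags URLs in a log whose userinfo looks like a hostname. The sample URLs are constructed.

```python
from urllib.parse import urlsplit


def describe_destination(url: str) -> dict:
    """Split a URL into its components. Everything after the last '@' in the
    authority is the host; everything before it is userinfo, never the host."""
    p = urlsplit(url)
    return {
        "scheme": p.scheme,
        "username": p.username,
        "password": p.password,
        "host": p.hostname,
        "port": p.port,
    }


def display_url(url: str) -> str:
    """The address as it appears after navigation: userinfo removed, host kept."""
    p = urlsplit(url)
    host = p.hostname or ""
    if ":" in host:  # IPv6 literal: urlsplit strips the brackets, put them back
        host = f"[{host}]"
    netloc = host if p.port is None else f"{host}:{p.port}"
    return p._replace(netloc=netloc).geturl()


def find_host_like_userinfo(urls: list[str]) -> list[tuple[str, str, str]]:
    """Flag URLs whose username contains a dot, i.e. looks like a hostname.

    Returns (url, username, real_host) for each match. This is a review aid for
    proxy or mail logs, not a complete phishing detector: legitimate
    basic-auth usernames rarely look like hostnames, so matches deserve a look.
    """
    hits = []
    for url in urls:
        p = urlsplit(url)
        if p.username and "." in p.username and p.hostname:
            hits.append((url, p.username, p.hostname))
    return hits


# Constructed sample URLs.
SAMPLE_URLS = [
    "http://trustedsite.com@evil.example.com",             # the FAQ's example
    "https://user:secret@intranet.example.net:8443/app",   # ordinary basic-auth style
    "https://bank.example.com/login",                      # no userinfo at all
]

if __name__ == "__main__":
    for url in SAMPLE_URLS:
        print(url, "->", display_url(url), describe_destination(url))
    print("host-like userinfo:", find_host_like_userinfo(SAMPLE_URLS))
```
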
<a name="TOC-Why-does-the-Password-Manager-ignore-autocomplete-off-for-password-fields-"></a>
### Why does the Password Manager ignore `autocomplete='off'` for password fields?

Ignoring `autocomplete='off'` for password fields allows the password manager to
give more power to users to manage their credentials on websites. It is the
security team's view that this is very important for user security because it
allows users to have unique and more complex passwords for websites. As it was
originally implemented, `autocomplete='off'` for password fields took control
away from the user and gave control to the web site developer, which was also a
violation of the [priority of
constituencies](https://www.schemehostport.com/2011/10/priority-of-constituencies.html).
For a longer discussion on this, see the [mailing list
announcement](https://groups.google.com/a/chromium.org/forum/#!topic/chromium-dev/zhhj7hCip5c).

<a name="TOC-Signout-of-Chrome"></a>
### Signing out of Chrome does not delete previously-synced data?

If you have signed into Chrome and subsequently sign out of Chrome, previously
saved passwords and other data are not deleted from your device unless you
select that option when signing out of Chrome.

If you change your Google password, synced data will no longer be updated in
Chrome instances until you provide the new password to Chrome on each device
configured to sync. However, previously synced data [remains available](https://crbug.com/792967)
on each previously-syncing device unless manually removed.

<a name="TOC-Why-doesn-t-the-Password-Manager-save-my-Google-password-if-I-am-using-Chrome-Sync-"></a>
### Why doesn't the Password Manager save my Google password if I am using Chrome Sync?

In its default mode, Chrome Sync uses your Google password to protect all the
other passwords in the Chrome Password Manager.

In general, it is a bad idea to store the credential that protects an asset in
the same place as the asset itself. An attacker who could temporarily compromise
the Chrome Password Manager could, by stealing your Google password, obtain
continuing access to all your passwords. Imagine you store your valuables in a
safe, and you accidentally forget to close the safe. If a thief comes along,
they might steal all of your valuables. That’s bad, but imagine if you had also
left the combination to the safe inside as well. Now the bad guy has access to
all of your valuables and all of your future valuables, too. The password
manager is similar, except you probably would not even know if a bad guy
accessed it.

To prevent this type of attack, Chrome Password Manager does not save the Google
password for the account you sync with Chrome. If you have multiple Google
accounts, the Chrome Password Manager will save the passwords for accounts other
than the one you are syncing with.

<a name="TOC-Does-the-Password-Manager-store-my-passwords-encrypted-on-disk-"></a>
### Does the Password Manager store my passwords encrypted on disk?

Chrome generally tries to use the operating system's user storage mechanism
wherever possible and stores passwords encrypted on disk, but the details are
platform specific:

* On Windows, Chrome uses [App-Bound encryption](https://source.chromium.org/chromium/chromium/src/+/main:components/os_crypt/async/)
  to store them on disk encrypted with a key only accessible to the Chrome
  process as well as admin processes.
* On macOS and iOS, Chrome previously stored credentials directly in the user's
  Keychain, but for technical reasons, it has switched to storing the
  credentials in "Login Data" in the Chrome user's profile directory, but
  encrypted on disk with a key that is then stored in the user's Keychain.
  See [Issue 466638](https://crbug.com/466638) and [Issue 520437](https://crbug.com/520437) for further explanation.
* On Linux, Chrome previously stored credentials directly in the user's
  Gnome Secret Service or KWallet, but for technical reasons, it has switched to
  storing the credentials in "Login Data" in the Chrome user's profile directory,
  but encrypted on disk with a key that is then stored in the user's Gnome
  Secret Service or KWallet. If there is no available Secret Service or KWallet,
  the data is not encrypted when stored.
* On Android, Chrome no longer stores passwords in the profile; instead it uses
  Google Play Services to access passwords stored on the device.
* On ChromeOS passwords are only obfuscated since all profile data is encrypted
  by the OS.

<a name="TOC-If-theres-a-way-to-see-stored-passwords-without-entering-a-password--is-this-a-security-bug-"></a>
### If there's a way to see stored passwords without entering a password, is this a security bug?

No. If an attacker has control of your login on your device, they can get to
your passwords by inspecting Chrome disk files or memory. (See
[why aren't physically-local attacks in Chrome's threat
model](#TOC-Why-aren-t-physically-local-attacks-in-Chrome-s-threat-model-)).

On some platforms we ask for a password before revealing stored passwords,
but this is not considered a robust defense. Historically, it exists to stop
users inadvertently revealing their passwords on screen, for example if
they’re screen sharing. We don’t do this on all platforms because we consider
such risks greater on some than on others.

<a name="TOC-On-some-websites-I-can-use-a-passkey-without-passing-a-lock-screen-or-biometric-challenge-is-this-a-security-bug"></a>
### On some websites, I can use passkeys without passing a lock screen or biometric challenge. Is this a security bug?

Probably not. When a website requests a passkey signature, it can choose
whether the authenticator should perform user verification (e.g. with a local
user lock screen challenge). Unless the website sets the user verification
parameter in the request to 'required', the passkey authenticator can choose to
skip the lock screen challenge. Authenticators commonly skip an optional
challenge if biometrics are unavailable (e.g. on a laptop with a closed lid).

If you can demonstrate bypassing the user verification challenge where the
request's user verification parameter is set to 'required', please
[report it](https://issues.chromium.org/issues/new?noWizard=true&component=1363614&template=1922342).

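The practical consequence for a site operator is that "required" only helps if the server also checks the result. The following Python example, added here as an illustration rather than taken from any Chromium or WebAuthn library, shows the relying-party-side check: it parses the fixed prefix of WebAuthn authenticator data (the 32-byte rpIdHash, the flags byte, and the 4-byte signature counter), and refuses an assertion whose UV flag is clear only when the site asked for `userVerification: "required"`. It assumes the server remembers which `userVerification` value it sent in the request options; signature verification is a separate step and is not shown. The authenticator data in the test vectors is constructed, not captured from a real authenticator.

```python
import hashlib
import struct

# Flag bits in the WebAuthn authenticator data flags byte (offset 32).
FLAG_UP = 0x01  # user present: the user touched or otherwise interacted
FLAG_UV = 0x04  # user verified: lock screen, biometric or PIN was passed


def parse_authenticator_data(auth_data: bytes) -> dict:
    """Fixed-size prefix of authenticator data: rpIdHash(32) | flags(1) | signCount(4)."""
    if len(auth_data) < 37:
        raise ValueError("authenticator data too short")
    flags = auth_data[32]
    return {
        "rp_id_hash": auth_data[:32],
        "user_present": bool(flags & FLAG_UP),
        "user_verified": bool(flags & FLAG_UV),
        "sign_count": struct.unpack(">I", auth_data[33:37])[0],
    }


def check_assertion(auth_data: bytes, rp_id: str, requested_uv: str) -> tuple[bool, str]:
    """Relying-party-side check of the flags in a passkey assertion.

    requested_uv is the userVerification value the site put in its request
    options: "required", "preferred" or "discouraged". Only "required" obliges
    the authenticator to verify the user, so only then may the server insist on
    the UV flag; with "preferred" an assertion without UV is still valid, which
    is the behaviour the FAQ entry above explains.
    """
    parsed = parse_authenticator_data(auth_data)
    if parsed["rp_id_hash"] != hashlib.sha256(rp_id.encode()).digest():
        return False, "rpIdHash does not match this relying party"
    if not parsed["user_present"]:
        return False, "user presence flag not set"
    if requested_uv == "required" and not parsed["user_verified"]:
        return False, "user verification was required but the UV flag is not set"
    return True, f"ok (user_verified={parsed['user_verified']})"


def make_auth_data(rp_id: str, flags: int, sign_count: int = 1) -> bytes:
    """Constructed test vector in the real layout; not output of a real authenticator."""
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + struct.pack(">I", sign_count)


if __name__ == "__main__":
    for requested in ("required", "preferred"):
        for flags in (FLAG_UP, FLAG_UP | FLAG_UV):
            ok, why = check_assertion(make_auth_data("example.com", flags), "example.com", requested)
            print(f"requested={requested:9} flags=0x{flags:02x} -> {ok} ({why})")
```

A site that wants a lock-screen challenge on every sign-in therefore needs both halves: `userVerification: "required"` in the request options, and a server that rejects assertions without the UV flag. Either one alone leaves the decision to the authenticator.
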
## Other

<a name="TOC-What-is-the-security-story-for-Service-Workers-"></a>
### What is the security story for Service Workers?

See our dedicated [Service Worker Security
FAQ](https://chromium.googlesource.com/chromium/src/+/main/docs/security/service-worker-security-faq.md).

<a name="TOC-What-is-the-security-story-for-Extensions-"></a>
### What is the security story for Extensions?

See our dedicated [Extensions Security FAQ](https://chromium.googlesource.com/chromium/src/+/main/extensions/docs/security_faq.md).

<a name="TOC-What-is-the-security-model-for-Chrome-Custom-Tabs-"></a>
### What's the security model for Chrome Custom Tabs?

See our [Chrome Custom Tabs security FAQ](custom-tabs-faq.md).

<a name="TOC-What-is-the-security-story-for-Fullscreen-"></a>
### What is the security story for Fullscreen?

See our dedicated [Fullscreen Security FAQ](https://chromium.googlesource.com/chromium/src/+/main/docs/security/fullscreen.md).

<a name="TOC-How-is-security-different-in-Chrome-for-iOS--"></a>
### How is security different in Chrome for iOS?

Chrome for iOS does not use Chrome's standard rendering engine. Due to Apple's
iOS platform restrictions, it instead uses Apple's WebKit engine and a more
restricted process isolation model. This means its security properties are
different from Chrome on all other platforms.

The differences in security are far too extensive to list exhaustively, but some
notable points are:

* Chromium's [site
  isolation](https://www.chromium.org/Home/chromium-security/site-isolation/)
  isn't used; WebKit has its own alternative implementation with different costs
  and benefits.
* WebKit has [historically been slower at shipping security
  fixes](https://googleprojectzero.blogspot.com/2022/02/a-walk-through-project-zero-metrics.html).
* Chrome's network stack, [root
  store](https://www.chromium.org/Home/chromium-security/root-ca-policy/) and
  associated technology are not used, so
  the platform will make different decisions about what web servers to trust.
* Sandboxing APIs are not available for native code.

Given that the fundamentals of the browser are so different, and given these
limitations, Chrome for iOS has historically not consistently implemented some
of Chrome's [standard security guidelines](rules.md). This includes the
important [Rule of Two](rule-of-2.md). Future Chrome for iOS features should
meet all guidelines except in cases where the lack of platform APIs makes it
unrealistic. (The use of WebAssembly-based sandboxing is currently considered
unrealistic though this could change in future.)

If the Rule of Two cannot be followed, features for Chrome for iOS should
nevertheless follow it as closely as possible, and adopt additional mitigations
where they cannot:

* First consider adding a validation layer between unsafe code and web contents,
  or adopting memory-safe parsers at the boundary between the renderer and the
  browser process. Consider changing the design of the feature so the riskiest
  parsing can happen in JavaScript injected in the renderer process.
* Any unsafe unsandboxed code that is exposed to web contents or other
  untrustworthy data sources must be extensively tested and fuzzed.

The Chrome team is enthusiastic about the future possibility of making a version
of Chrome for iOS that meets our usual security standards if richer platform
facilities become widely available: this will require revisiting existing
features to see if adjustment is required.

<a name="TOC-Are-all-Chrome-updates-important--"></a>
### Are all Chrome updates important?

Yes - see [our updates FAQ](updates.md).

<a name="TOC-What-older-Chrome-versions-are-supported--"></a>
### What older Chrome versions are supported?

We always recommend being on the most recent Chrome stable version - see
[our updates FAQ](updates.md).

<a name="TOC-Im-making-a-Chromium-based-browser-how-should-I-secure-it-"></a>
### I'm making a Chromium-based browser. How should I secure it?

If you want to make a browser based on Chromium, you should stay up to date
with Chromium's security fixes. There are adversaries who weaponize fixed
Chromium bugs ("n-day vulnerabilities") to target browsers which haven’t yet
absorbed those fixes.

Decide whether your approach is to stay constantly up to date with Chromium
releases, or to backport security fixes onto some older version, upgrading
Chromium versions less frequently.

Backporting security fixes sounds easier than forward-porting features, but in
our experience, this is false. Chromium releases 400+ security bug fixes per
year ([example
query](https://bugs.chromium.org/p/chromium/issues/list?q=type%3DBug-Security%20has%3Arelease%20closed%3Etoday-730%20closed%3Ctoday-365%20allpublic&can=1)).
Some downstream browsers take risks by backporting only Medium+ severity fixes,
but that's still over 300 ([example
query](https://bugs.chromium.org/p/chromium/issues/list?q=type%3DBug-Security%20has%3Arelease%20closed%3Etoday-730%20closed%3Ctoday-365%20allpublic%20Security_Severity%3DMedium%2CHigh%2CCritical&can=1)).
Most are trivial cherry-picks, but others require rework and versatile
engineers who can make good decisions about any part of a large codebase.

Our recommendation is to stay up-to-date with Chrome's released versions. You
should aim to release a version of your browser within just a few days of each
Chrome [stable
release](https://chromereleases.googleblog.com/search/label/Stable%20updates).
If your browser is sufficiently widely-used, you can [apply for advance notice
of fixed vulnerabilities](https://www.chromium.org/Home/chromium-security/) to
make this a little easier.

Finally, if you choose the backporting approach, please explain the security
properties to your users. Some fraction of security improvements cannot be
backported. This can happen for several reasons, for example: because they
depend upon architectural changes (e.g. breaking API changes); because the
security improvement is a significant new feature; or because the security
improvement is the removal of a broken feature.

<a name="TOC-How-can-I-appeal-a-Safe-Browsing-warning-"></a>
### How can I appeal a Safe Browsing warning?

To request a review of warnings relating to your own website, use the
[Security Issues report](https://support.google.com/webmasters/answer/9044101)
page in your Google Search Console. If the warning applies to another site, you
may be able to use
[https://safebrowsing.google.com/safebrowsing/report_error/](https://safebrowsing.google.com/safebrowsing/report_error/),
though you are likely better off contacting the site owner.

If your concern relates to malware warnings, you may find the warning in your
Security Issues report and request a review from there. There is no separate
appeal form or process at this time. Please follow these
[guidelines](https://developers.google.com/search/docs/monitor-debug/security/malware#guidelines)
to avoid having your binary show warnings from Safe Browsing.