Fixed in Google Chrome 106.0.5249.79.
End user warning message when opening a PDF in Google Chrome prior to 106.0.5249.73 displayed a warning that was potentially confusing to users. (Chromium security severity: Medium)
Fixed in Google Chrome 106.0.5249.79.
For user input to be validated, it must be in a form> element.
But the input> element doesn't actually do any validation, so developers using it for this purpose must use JavaScript.
That means that the code that validates user input must be in a script> element. But script> elements are executed before any other JavaScript elements, so it's possible for malicious code to be placed in script> elements and for these elements to be executed before any other code.
If an attacker can place malicious code in script> elements, he can potentially make these elements execute malicious code before any other code. That could lead to a variety of unwanted outcomes, including allowing him to take control of the user's browser. (Chromium security severity: Medium)
Fixed in Google Chrome 106.0.5249.73.
When a form> is submitted, all its controls are validated. But this validation only happens when the form is submitted, not when the user is interacting with the form while it's loading. This can lead to a user receiving unexpected
HTML5: DOM Parsing Best Practices
HTML5 is a new standard for markup language that provides all the latest features, including:
-Efficient API for HTML.
-Improved accessibility.
-Greater web standards compliance.
-New opportunities for responsive design.
However, there are some important things to know about parsing HTML5 with the DOM API of JavaScript before you get started.
When parsing HTML5 with the DOM API, there are certain things to keep in mind. Most importantly, it's important to understand what the elements of your document mean and how they're parsed. For example, a
Implied trust:
This is an implicit trust relationship between the computer and software vendor.
The remote computer (the software vendor) does not need to be trusted, but users implicitly trust it as long as it outputs what it promises.
Data that has been submitted because of this trust relationship is considered confidential by some data protection regulations. (Chromium security severity: Medium)
Fixed in Google Chrome 106.0.5249.73
Chromium - HTML5 Security Overview
The security model for HTML5 is based on the concept of "Same Origin Policy" with a few key differences.
There are two ways in which an HTML5 application can interact with a web page:
1) If it's loaded from the same origin as the target page, then everything works just like it always has - no special rules apply.
2) If one or both of them come from different origins, there's a new Security Policy that applies. This security policy is designed to let apps and sites share content and functionality in ways that would have been difficult or impossible before, while maintaining the trust and privacy of all users. (Chromium security severity: Medium)
Fixed in Google Chrome 106.0.5249.73.
Timeline
Published on: 11/01/2022 20:15:00 UTC
Last modified on: 12/08/2022 21:54:00 UTC