Edge

Status

Under Development

Related pages

The following page requires authorization.

  • VULN-071893: Vulnerabilities Related to Web Browser Permissions

https://msrc.microsoft.com/report/vulnerability/VULN-071893

Timelines

We have summarized some messages in terms of copyright.

2022/08/14

We submitted our report.

2022/08/16

The status changed from “New” to “Review / Repro”

2022/08/20

The status changed from “Review / Repro” to “Develop”

2022/09/02

We received a comment and question from Microsoft about our report.

We reviewed the report and determined that the issue is not a vulnerability, but rather a privacy concern. We didn’t confirm if they are still repro in the latest version. It is likely that the implementation reported in the paper is inherited from the upstream implementation, i.e., the Chrome browser. One claim made about Clear Browser History not clearing the permission state from a running InPrivate instance was interesting but doesn’t seem like a serviceable bug as that state is cleared when the last instance is closed, which we expect it is.

 

2022/09/05

We responded to Microsoft’s comments and questions (We attached the user study results.).

We will be able to share the report/paper with you prior to publication.

We recognized that the Edge implementations are inherited from the upstream Chromium. We are encouraging Google to address the reported issues as well.
The Brave, which is also inherited from Chromium, has completed its own fixes in the implementation. The fixed codes are inherited from Chrome; you can see an example of the fix in the following GitHub issue: https://github.com/brave/brave-browser/issues/24720

Do you have any plans to take the same approach of Brave or contact Google / Apple regarding the implementations we have reported?

For your reference, we provide the highlights of our user study, which aims to study users’ expectations regarding browser implementation. Details are presented in the attached paper (revised version). These results may imply the need for the fixes.

– Permission behaviors in the browsing modes (Related to T2 and T3)
Of the users who were familiar with the private browsing mode, 70-80% expected that the permission state is not persistent in the private browsing mode and that the permission state will not be inherited between browsing modes.- Data deletion mechanism (Related T4)
More than 70 % of the users expected that the data deletion mechanism would clear their permission state.- Behavior when permission requests are ignored (Related T5)
60% of users were unaware of the fact that some browsers will automatically set the permission status denied when a website automatically requests the permission several times and the requests are ignored.