Comments on: Google Chrome Options http://www.gnucitizen.org/blog/google-chrome-options/ Information Security Think Tank Tue, 06 Jan 2009 09:11:24 +0000 http://wordpress.org/?v=2.7 hourly 1 By: media buff http://www.gnucitizen.org/blog/google-chrome-options/comment-page-1/#comment-123806 media buff Sat, 20 Sep 2008 21:48:19 +0000 https://www.gnucitizen.org/?p=1318#comment-123806 it's funny, the more i use Chrome, the more unstable it seems to get... crashes a lot more, can't handle sites with flash, hangs every time i close a tab... all that to say, i'm switching back to Firefox it’s funny, the more i use Chrome, the more unstable it seems to get… crashes a lot more, can’t handle sites with flash, hangs every time i close a tab… all that to say, i’m switching back to Firefox

]]> By: meathive http://www.gnucitizen.org/blog/google-chrome-options/comment-page-1/#comment-123790 meathive Fri, 19 Sep 2008 14:36:42 +0000 https://www.gnucitizen.org/?p=1318#comment-123790 I'm inclined to believe that Google is simply testing the waters by releasing Chrome; I also think something truly deceptive is going on in releasing it that I can't quite grasp. https://kinqpinz.info/lib/2008/sep/#d5ab0fdf I’m inclined to believe that Google is simply testing the waters by releasing Chrome; I also think something truly deceptive is going on in releasing it that I can’t quite grasp.

https://kinqpinz.info/lib/2008/sep/#d5ab0fdf

]]> By: est http://www.gnucitizen.org/blog/google-chrome-options/comment-page-1/#comment-123789 est Fri, 19 Sep 2008 14:09:10 +0000 https://www.gnucitizen.org/?p=1318#comment-123789 what's the difference between %s %l and %* ? what’s the difference between %s %l and %* ?

]]> By: pdp http://www.gnucitizen.org/blog/google-chrome-options/comment-page-1/#comment-123786 pdp Fri, 19 Sep 2008 09:34:16 +0000 https://www.gnucitizen.org/?p=1318#comment-123786 10x, Chris. Keep up the good work! 10x, Chris. Keep up the good work!

]]> By: ronald http://www.gnucitizen.org/blog/google-chrome-options/comment-page-1/#comment-123783 ronald Fri, 19 Sep 2008 00:33:19 +0000 https://www.gnucitizen.org/?p=1318#comment-123783 I'm highly dissapointed by Chrome. Google had the manpower to create something new and epic, but they failed. I mean what are they doing? copying Webkit and tweaking it a bit? It's sad dudes, I'm really dissapointed that no-one in this Universe seems to create a secure browser. For real, it's that bad! It's depressing at most. I’m highly dissapointed by Chrome. Google had the manpower to create something new and epic, but they failed. I mean what are they doing? copying Webkit and tweaking it a bit?

It’s sad dudes, I’m really dissapointed that no-one in this Universe seems to create a secure browser. For real, it’s that bad!

It’s depressing at most.

]]> By: Chris Evans http://www.gnucitizen.org/blog/google-chrome-options/comment-page-1/#comment-123776 Chris Evans Thu, 18 Sep 2008 21:59:50 +0000 https://www.gnucitizen.org/?p=1318#comment-123776 Yes, it's a reasonable defense in depth measure so I'll make it happen. Yes, it’s a reasonable defense in depth measure so I’ll make it happen.

]]> By: Michael Brooks http://www.gnucitizen.org/blog/google-chrome-options/comment-page-1/#comment-123773 Michael Brooks Thu, 18 Sep 2008 19:40:14 +0000 https://www.gnucitizen.org/?p=1318#comment-123773 You totally found this file (http://src.chromium.org/svn/trunk/src/chrome/common/chrome_switches.cc) by doing a "find in files" for "file://"! I like your file:// hack for quicktime, how did you know it was a flaw? You totally found this file (http://src.chromium.org/svn/trunk/src/chrome/common/chrome_switches.cc) by doing a “find in files” for “file://”! I like your file:// hack for quicktime, how did you know it was a flaw?

]]> By: pdp http://www.gnucitizen.org/blog/google-chrome-options/comment-page-1/#comment-123770 pdp Thu, 18 Sep 2008 16:02:11 +0000 https://www.gnucitizen.org/?p=1318#comment-123770 Ryan, yes, this is what <a href="http://www.scary.beasts.org/security/" rel="nofollow">Chris Evans</a> suggested as well. Ryan, yes, this is what Chris Evans suggested as well.

]]> By: Julian Rodriguez http://www.gnucitizen.org/blog/google-chrome-options/comment-page-1/#comment-123769 Julian Rodriguez Thu, 18 Sep 2008 15:55:39 +0000 https://www.gnucitizen.org/?p=1318#comment-123769 hahaha nice, very nice post. hahaha nice, very nice post.

]]> By: Ryan Patterson http://www.gnucitizen.org/blog/google-chrome-options/comment-page-1/#comment-123768 Ryan Patterson Thu, 18 Sep 2008 15:18:50 +0000 https://www.gnucitizen.org/?p=1318#comment-123768 This is a good point. I think the best way to fix it is not to remove those options, though, but instead to change the shell open command to c:\path\to\chrome.exe -- "%s". Traditionally, -- as an argument means "end of options", specifying that only input files follow. However, an equally effective measure might be c:\path\to\chrome.exe "--url=%s". This removes the vulnerability from the shell's open URL command, but still leaves the flexibility provided by allowing command-line arguments. This is a good point. I think the best way to fix it is not to remove those options, though, but instead to change the shell open command to c:\path\to\chrome.exe — “%s”. Traditionally, — as an argument means “end of options”, specifying that only input files follow. However, an equally effective measure might be c:\path\to\chrome.exe “–url=%s”.

This removes the vulnerability from the shell’s open URL command, but still leaves the flexibility provided by allowing command-line arguments.

]]>