I think you might have misunderstood it, but file a bug report and someone will make sure we haven't missed anything. 
Replying to @taviso @PowerDNS_Bert and
No, I did not. I made a fully functional PoC doing exactly that, and this bug was filed almost 4 years ago and dismissed with "it's not a problem since you could do the same thing with malicious software via LD_PRELOAD"

Replying to @staatsgeheim @PowerDNS_Bert and
That assessment sounds correct to me. Sorry, I don't know what to tell you.
Replying to @taviso @PowerDNS_Bert and
Maarten Boone 🇪🇺 Retweeted Maarten Boone 🇪🇺
Also, not a problem? https://twitter.com/staatsgeheim/status/1181594111255683072?s=19
Replying to @staatsgeheim @PowerDNS_Bert and
Yes, not a problem, but thank you for reporting it, better safe than sorry! Hey, malicious software could just patch that feature back in if we remove it!
Replying to @taviso @PowerDNS_Bert and
Yeah, but malicious software can be detected by endpoint protection systems or AV. Maybe don't bother about certificate pinning either then since malicious software could just disable it anyway, and why use encryption for local password storage in Chrome?
Replying to @staatsgeheim @PowerDNS_Bert and
Certificate pinning isn't intended to protect against malware, it's intended to protect against misissued certificates. You're correct that encryption doesn't protect against malware on compromised endpoints, I don't know what to tell you.
Replying to @taviso @PowerDNS_Bert and
Well what you are telling me is that the local threat model isn't important
Replying to @staatsgeheim @PowerDNS_Bert and
You can read about the official position on this here, hope this helps
https://chromium.googlesource.com/chromium/src/+/master/docs/security/faq.md#Why-arent-physically_local-attacks-in-Chromes-threat-model
Replying to @taviso @PowerDNS_Bert and
Sandbox disabled: Banner notifying the user
HTTPS error: User visible error message
Forms trying to send unencrypted content: User visible error message
SSL/TLS material being logged compromising all your connections: No banner/warning or anything whatsoever to notify user
I would refer you to the link I just gave you, and the question immediately after it, "Why aren't compromised/infected machines in Chrome's threat model?".
Replying to @taviso @PowerDNS_Bert and
Even when it's not malicious you should show a warning that it's enabled, why else would you show a warning when the sandbox is disabled otherwise?