Description
Null out LocalDOMWindow::frame() on navigation.
In Blink, LocalDOMWindow::frame() is only set to null when the
LocalFrame is destroyed. Multiple LocalDOMWindow objects can hold a
reference to the same LocalFrame.
It turns out that this is dangerous and a persistent source of XSS bugs.
Code that creates scriptable objects for a frame needs to remember to
call DOMWindow::isCurrentlyDisplayedInFrame() to verify that the
creating context is still active in the frame. If this check is left
out, the created object can often trigger XSS.
Instead of depending on developers to remember to add this check where
needed, Blink now nulls out LocalDOMWindow::frame() as soon as it
navigates away from a LocalDOMWindow. Code in Blink already handles the
null case, since this is already something that can happen. Code that
improperly handles this case will tend to crash (suboptimal but safe),
and in general, failures won't result in XSS, since a detached frame
cannot be reattached.
BUG=525330
Committed: https://crrev.com/a55a83b15a84eb408cd5805c4fb4dcba17d6054a
Cr-Commit-Position: refs/heads/master@{#351496}
Patch Set 1
Patch Set 2: Moar assert
Patch Set 3: Add comments and fix stack overflow.
Patch Set 4: Fix tests and add a test
Patch Set 5: try to fix crash-on-querying-event-path.html