Chromium Code Reviews

Issue 1718403002: Fix security checks when navigating remote frames to javascript: URLs. (Closed)

Created:
4 years, 10 months ago by alexmos
Modified:
4 years, 10 months ago
Reviewers:
haraken, dcheng, Yuki
CC:
blink-reviews, blink-reviews-bindings_chromium.org, blink-reviews-html_chromium.org, chromium-reviews, dglazkov+blink, site-isolation-reviews_chromium.org
Base URL:
https://chromium.googlesource.com/chromium/src.git@master
Target Ref:
refs/pending/heads/master
Project:
chromium
Visibility:
Public.

Description

Fix security checks when navigating remote frames to javascript: URLs.

When navigating a frame by setting an iframe element's src attribute, HTMLFrameElementBase::isURLAllowed has a security check for javascript: URLs, which wasn't getting called for remote frames. It first referenced the contentDocument(), and only proceeded to do the security check on that document's frame if the document is not null. With a remote frame, there will be no Document, so this should directly access the contentFrame() and use it for the security check.

BUG=588096, 582201

Committed: https://crrev.com/13de353d05728e9560672dd751402597efe3e6b8
Cr-Commit-Position: refs/heads/master@{#377040}
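The failure mode the description explains, as an added example that is not Blink's code: a simplified model in which the javascript: URL check is gated on a Document that remote frames never have. The structs, `isURLAllowedBuggy`, `isURLAllowedFixed`, and the `scriptAllowedFromCurrentOrigin` flag (a stand-in for the ScriptController::canAccessFromCurrentOrigin result) are constructed for this example.

```cpp
#include <algorithm>
#include <cctype>
#include <string>

// Constructed stand-ins for this example; not Blink's Frame/Document classes.
struct Frame {
    // Stand-in for the result of the origin check
    // (ScriptController::canAccessFromCurrentOrigin in the real code).
    bool scriptAllowedFromCurrentOrigin;
};

struct Document {
    Frame* frame;
};

// A frame-owner element. A local frame has both a Document and a Frame;
// a remote (out-of-process) frame has a Frame but no Document.
struct FrameElement {
    Document* contentDocument;
    Frame* contentFrame;
};

// Case-insensitive check for the "javascript:" scheme.
static bool isJavascriptURL(const std::string& url) {
    static const std::string scheme = "javascript:";
    if (url.size() < scheme.size())
        return false;
    return std::equal(scheme.begin(), scheme.end(), url.begin(),
                      [](char want, char have) {
                          return want == std::tolower(static_cast<unsigned char>(have));
                      });
}

// Buggy shape: the security check only runs when contentDocument() is non-null,
// so a remote frame (Document == nullptr) skips it entirely.
bool isURLAllowedBuggy(const FrameElement& element, const std::string& url) {
    if (!isJavascriptURL(url))
        return true;
    if (Document* doc = element.contentDocument)
        return doc->frame->scriptAllowedFromCurrentOrigin;
    return true; // remote frame: check never reached
}

// Fixed shape: consult contentFrame() directly, which exists for local and
// remote frames alike, so the check applies to both.
bool isURLAllowedFixed(const FrameElement& element, const std::string& url) {
    if (!isJavascriptURL(url))
        return true;
    if (Frame* frame = element.contentFrame)
        return frame->scriptAllowedFromCurrentOrigin;
    return true; // no frame attached yet; same as before the fix
}

// Helpers that build the two element kinds for a frame whose origin check fails.
FrameElement makeRemoteFrameElement(Frame& frame) {
    return FrameElement{nullptr, &frame};
}

FrameElement makeLocalFrameElement(Document& doc) {
    return FrameElement{&doc, doc.frame};
}
```

With a remote frame whose origin check would fail, the buggy form allows the javascript: navigation and the fixed form rejects it; for a local frame both forms agree, which is why the gap only showed up under site isolation.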

Patch Set 1 #

Patch Set 2 : #

Patch Set 3 : Fix check #

Total comments: 2

Patch Set 4 : Pass v8::Isolate directly #

Stats (+3 lines, -5 lines)

M third_party/WebKit/Source/bindings/core/v8/ScriptController.h (1 chunk, +1 line, -1 line, 0 comments)
M third_party/WebKit/Source/bindings/core/v8/ScriptController.cpp (1 chunk, +1 line, -2 lines, 0 comments)
M third_party/WebKit/Source/core/html/HTMLFrameElementBase.cpp (1 chunk, +1 line, -2 lines, 0 comments)

Dependent Patchsets:

Messages

Total messages: 14 (6 generated)
alexmos
Daniel, can you please take a look to see if this fix makes sense? This ...
4 years, 10 months ago (2016-02-23 00:40:26 UTC) #2
dcheng
lgtm +yukishiino for OWNERS review
4 years, 10 months ago (2016-02-23 02:37:45 UTC) #4
haraken
https://codereview.chromium.org/1718403002/diff/40001/third_party/WebKit/Source/bindings/core/v8/ScriptController.cpp File third_party/WebKit/Source/bindings/core/v8/ScriptController.cpp (right): https://codereview.chromium.org/1718403002/diff/40001/third_party/WebKit/Source/bindings/core/v8/ScriptController.cpp#newcode86 third_party/WebKit/Source/bindings/core/v8/ScriptController.cpp:86: bool ScriptController::canAccessFromCurrentOrigin(ExecutionContext& context, Frame* frame) How about just passing ...
4 years, 10 months ago (2016-02-23 10:08:00 UTC) #6
alexmos
https://codereview.chromium.org/1718403002/diff/40001/third_party/WebKit/Source/bindings/core/v8/ScriptController.cpp File third_party/WebKit/Source/bindings/core/v8/ScriptController.cpp (right): https://codereview.chromium.org/1718403002/diff/40001/third_party/WebKit/Source/bindings/core/v8/ScriptController.cpp#newcode86 third_party/WebKit/Source/bindings/core/v8/ScriptController.cpp:86: bool ScriptController::canAccessFromCurrentOrigin(ExecutionContext& context, Frame* frame) On 2016/02/23 10:07:59, haraken ...
4 years, 10 months ago (2016-02-23 17:51:05 UTC) #7
haraken
LGTM
4 years, 10 months ago (2016-02-23 17:54:46 UTC) #8
commit-bot: I haz the power
CQ is trying da patch. Follow status at https://chromium-cq-status.appspot.com/patch-status/1718403002/60001 View timeline at https://chromium-cq-status.appspot.com/patch-timeline/1718403002/60001
4 years, 10 months ago (2016-02-23 18:27:59 UTC) #11
commit-bot: I haz the power
Committed patchset #4 (id:60001)
4 years, 10 months ago (2016-02-23 19:19:15 UTC) #12
commit-bot: I haz the power
4 years, 10 months ago (2016-02-23 19:22:04 UTC) #14
Message was sent while issue was closed.
Patchset 4 (id:??) landed as
https://crrev.com/13de353d05728e9560672dd751402597efe3e6b8
Cr-Commit-Position: refs/heads/master@{#377040}
