Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(90)

Issues Search
    My Issues | Starred     Open | Closed | All

Unified Diff: third_party/WebKit/Source/bindings/core/v8/BindingSecurity.cpp

Issue 1887553002: Make sure binding security checks don't pass if the frame is remote. (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@master
Patch Set: address comments / add more comments Created 4 years, 8 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View side-by-side diff with in-line comments
Download patch
« content/browser/frame_host/render_frame_host_manager_browsertest.cc ('K') | « content/browser/frame_host/render_frame_host_manager_browsertest.cc ('k') | third_party/WebKit/Source/core/frame/DOMWindow.cpp » ('j') | no next file with comments »
Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
Index: third_party/WebKit/Source/bindings/core/v8/BindingSecurity.cpp
diff --git a/third_party/WebKit/Source/bindings/core/v8/BindingSecurity.cpp b/third_party/WebKit/Source/bindings/core/v8/BindingSecurity.cpp
index 186f6a165a308c8b33d6afa9eb905d74b7421c16..12503415b5e34926422b0eb716289fc7defa5821 100644
--- a/third_party/WebKit/Source/bindings/core/v8/BindingSecurity.cpp
+++ b/third_party/WebKit/Source/bindings/core/v8/BindingSecurity.cpp
@@ -50,7 +50,11 @@ static bool canAccessFrame(v8::Isolate* isolate, const LocalDOMWindow* accessing
{
ASSERT_WITH_SECURITY_IMPLICATION(!(targetWindow && targetWindow->frame()) || targetWindow == targetWindow->frame()->domWindow());
- if (isOriginAccessibleFromDOMWindow(targetFrameOrigin, accessingWindow))
+ // It's important to check that targetWindow is a LocalDOMWindow: it's
+ // possible for a remote frame and local frame to have the same security
+ // origin, depending on the model being used to allocate Frames between
+ // processes. See https://crbug.com/601629
Charlie Reis 2016/04/13 16:45:56 nit: End with period, here and below (as you did i
dcheng 2016/04/13 17:13:01 Done.
+ if (targetWindow->isLocalDOMWindow() && isOriginAccessibleFromDOMWindow(targetFrameOrigin, accessingWindow))
return true;
if (targetWindow)
@@ -62,7 +66,11 @@ static bool canAccessFrame(v8::Isolate* isolate, const LocalDOMWindow* accessing
{
ASSERT_WITH_SECURITY_IMPLICATION(!(targetWindow && targetWindow->frame()) || targetWindow == targetWindow->frame()->domWindow());
- if (isOriginAccessibleFromDOMWindow(targetFrameOrigin, accessingWindow))
+ // It's important to check that targetWindow is a LocalDOMWindow: it's
+ // possible for a remote frame and local frame to have the same security
+ // origin, depending on the model being used to allocate Frames between
+ // processes. See https://crbug.com/601629
+ if (targetWindow->isLocalDOMWindow() && isOriginAccessibleFromDOMWindow(targetFrameOrigin, accessingWindow))
return true;
if (reportingOption == ReportSecurityError && targetWindow)
« content/browser/frame_host/render_frame_host_manager_browsertest.cc ('K') | « content/browser/frame_host/render_frame_host_manager_browsertest.cc ('k') | third_party/WebKit/Source/core/frame/DOMWindow.cpp » ('j') | no next file with comments »

Powered by Google App Engine
This is Rietveld 408576698