Index: third_party/WebKit/Source/bindings/core/v8/BindingSecurity.cpp |
diff --git a/third_party/WebKit/Source/bindings/core/v8/BindingSecurity.cpp b/third_party/WebKit/Source/bindings/core/v8/BindingSecurity.cpp |
index 186f6a165a308c8b33d6afa9eb905d74b7421c16..12503415b5e34926422b0eb716289fc7defa5821 100644 |
--- a/third_party/WebKit/Source/bindings/core/v8/BindingSecurity.cpp |
+++ b/third_party/WebKit/Source/bindings/core/v8/BindingSecurity.cpp |
@@ -50,7 +50,11 @@ static bool canAccessFrame(v8::Isolate* isolate, const LocalDOMWindow* accessing |
{ |
ASSERT_WITH_SECURITY_IMPLICATION(!(targetWindow && targetWindow->frame()) || targetWindow == targetWindow->frame()->domWindow()); |
- if (isOriginAccessibleFromDOMWindow(targetFrameOrigin, accessingWindow)) |
+ // It's important to check that targetWindow is a LocalDOMWindow: it's |
+ // possible for a remote frame and local frame to have the same security |
+ // origin, depending on the model being used to allocate Frames between |
+ // processes. See https://crbug.com/601629 |
Charlie Reis
2016/04/13 16:45:56
nit: End with period, here and below (as you did i
dcheng
2016/04/13 17:13:01
Done.
|
+ if (targetWindow->isLocalDOMWindow() && isOriginAccessibleFromDOMWindow(targetFrameOrigin, accessingWindow)) |
return true; |
if (targetWindow) |
@@ -62,7 +66,11 @@ static bool canAccessFrame(v8::Isolate* isolate, const LocalDOMWindow* accessing |
{ |
ASSERT_WITH_SECURITY_IMPLICATION(!(targetWindow && targetWindow->frame()) || targetWindow == targetWindow->frame()->domWindow()); |
- if (isOriginAccessibleFromDOMWindow(targetFrameOrigin, accessingWindow)) |
+ // It's important to check that targetWindow is a LocalDOMWindow: it's |
+ // possible for a remote frame and local frame to have the same security |
+ // origin, depending on the model being used to allocate Frames between |
+ // processes. See https://crbug.com/601629 |
+ if (targetWindow->isLocalDOMWindow() && isOriginAccessibleFromDOMWindow(targetFrameOrigin, accessingWindow)) |
return true; |
if (reportingOption == ReportSecurityError && targetWindow) |