Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(227)

Issues Search
    My Issues | Starred     Open | Closed | All

Unified Diff: third_party/WebKit/Source/bindings/core/v8/BindingSecurity.cpp

Issue 1887553002: Make sure binding security checks don't pass if the frame is remote. (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@master
Patch Set: . Created 4 years, 8 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View side-by-side diff with in-line comments
Download patch
« content/browser/frame_host/render_frame_host_manager_browsertest.cc ('K') | « content/browser/frame_host/render_frame_host_manager_browsertest.cc ('k') | third_party/WebKit/Source/core/frame/DOMWindow.cpp » ('j') | no next file with comments »
Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
Index: third_party/WebKit/Source/bindings/core/v8/BindingSecurity.cpp
diff --git a/third_party/WebKit/Source/bindings/core/v8/BindingSecurity.cpp b/third_party/WebKit/Source/bindings/core/v8/BindingSecurity.cpp
index 186f6a165a308c8b33d6afa9eb905d74b7421c16..191407e7da41c4b1a6d5d1be94ed4da7f85a08fb 100644
--- a/third_party/WebKit/Source/bindings/core/v8/BindingSecurity.cpp
+++ b/third_party/WebKit/Source/bindings/core/v8/BindingSecurity.cpp
@@ -50,7 +50,11 @@ static bool canAccessFrame(v8::Isolate* isolate, const LocalDOMWindow* accessing
{
ASSERT_WITH_SECURITY_IMPLICATION(!(targetWindow && targetWindow->frame()) || targetWindow == targetWindow->frame()->domWindow());
- if (isOriginAccessibleFromDOMWindow(targetFrameOrigin, accessingWindow))
+ // It's important to check that targetWindow is a LocalDOMWindow: it's
+ // possible for a remote frame and local frame to have the same security
+ // origin, depending on the model being used to allocate Frames between
+ // processes. See https://crbug.com/601629.
+ if (targetWindow && targetWindow->isLocalDOMWindow() && isOriginAccessibleFromDOMWindow(targetFrameOrigin, accessingWindow))
return true;
if (targetWindow)
@@ -62,7 +66,11 @@ static bool canAccessFrame(v8::Isolate* isolate, const LocalDOMWindow* accessing
{
ASSERT_WITH_SECURITY_IMPLICATION(!(targetWindow && targetWindow->frame()) || targetWindow == targetWindow->frame()->domWindow());
- if (isOriginAccessibleFromDOMWindow(targetFrameOrigin, accessingWindow))
+ // It's important to check that targetWindow is a LocalDOMWindow: it's
+ // possible for a remote frame and local frame to have the same security
+ // origin, depending on the model being used to allocate Frames between
+ // processes. See https://crbug.com/601629.
+ if (targetWindow->isLocalDOMWindow() && isOriginAccessibleFromDOMWindow(targetFrameOrigin, accessingWindow))
return true;
if (reportingOption == ReportSecurityError && targetWindow)
« content/browser/frame_host/render_frame_host_manager_browsertest.cc ('K') | « content/browser/frame_host/render_frame_host_manager_browsertest.cc ('k') | third_party/WebKit/Source/core/frame/DOMWindow.cpp » ('j') | no next file with comments »

Powered by Google App Engine
This is Rietveld 408576698