Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(112)

Issues Search
    My Issues | Starred     Open | Closed | All

Unified Diff: third_party/WebKit/Source/bindings/core/v8/BindingSecurity.cpp

Issue 1898303002: Make sure binding security checks don't pass if the frame is remote. (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@2661
Patch Set: Created 4 years, 8 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View side-by-side diff with in-line comments
Download patch
« no previous file with comments | « content/browser/frame_host/render_frame_host_manager_browsertest.cc ('k') | third_party/WebKit/Source/core/frame/DOMWindow.cpp » ('j') | no next file with comments »
Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
Index: third_party/WebKit/Source/bindings/core/v8/BindingSecurity.cpp
diff --git a/third_party/WebKit/Source/bindings/core/v8/BindingSecurity.cpp b/third_party/WebKit/Source/bindings/core/v8/BindingSecurity.cpp
index 66d06a05a9b42d0b85681c419c004962bee4e494..57016bb4fdfeb0f41caebc28421963b90897a43a 100644
--- a/third_party/WebKit/Source/bindings/core/v8/BindingSecurity.cpp
+++ b/third_party/WebKit/Source/bindings/core/v8/BindingSecurity.cpp
@@ -49,7 +49,11 @@ static bool canAccessFrame(v8::Isolate* isolate, const LocalDOMWindow* accessing
{
ASSERT_WITH_SECURITY_IMPLICATION(!(targetWindow && targetWindow->frame()) || targetWindow == targetWindow->frame()->domWindow());
- if (isOriginAccessibleFromDOMWindow(targetFrameOrigin, accessingWindow))
+ // It's important to check that targetWindow is a LocalDOMWindow: it's
+ // possible for a remote frame and local frame to have the same security
+ // origin, depending on the model being used to allocate Frames between
+ // processes. See https://crbug.com/601629.
+ if (targetWindow && targetWindow->isLocalDOMWindow() && isOriginAccessibleFromDOMWindow(targetFrameOrigin, accessingWindow))
return true;
if (targetWindow)
@@ -61,7 +65,11 @@ static bool canAccessFrame(v8::Isolate* isolate, const LocalDOMWindow* accessing
{
ASSERT_WITH_SECURITY_IMPLICATION(!(targetWindow && targetWindow->frame()) || targetWindow == targetWindow->frame()->domWindow());
- if (isOriginAccessibleFromDOMWindow(targetFrameOrigin, accessingWindow))
+ // It's important to check that targetWindow is a LocalDOMWindow: it's
+ // possible for a remote frame and local frame to have the same security
+ // origin, depending on the model being used to allocate Frames between
+ // processes. See https://crbug.com/601629.
+ if (targetWindow->isLocalDOMWindow() && isOriginAccessibleFromDOMWindow(targetFrameOrigin, accessingWindow))
return true;
if (reportingOption == ReportSecurityError && targetWindow)
« no previous file with comments | « content/browser/frame_host/render_frame_host_manager_browsertest.cc ('k') | third_party/WebKit/Source/core/frame/DOMWindow.cpp » ('j') | no next file with comments »

Powered by Google App Engine
This is Rietveld 408576698