XSSAuditor bypass with frameset tags.

Source/core/html/parser/XSSAuditor.cpp

Index: Source/core/html/parser/XSSAuditor.cpp
diff --git a/Source/core/html/parser/XSSAuditor.cpp b/Source/core/html/parser/XSSAuditor.cpp
index ccae51ca3072363c37573e4775617e1cdc501a26..b7f0149e586198fa1fb4e6b6e8db34244f1906c1 100644
--- a/Source/core/html/parser/XSSAuditor.cpp
+++ b/Source/core/html/parser/XSSAuditor.cpp
@@ -353,7 +353,7 @@ bool XSSAuditor::filterStartToken(const FilterTokenRequest& request)
         didBlockScript |= filterEmbedToken(request);
     else if (hasName(request.token, appletTag))
         didBlockScript |= filterAppletToken(request);
-    else if (hasName(request.token, iframeTag))
+    else if (hasName(request.token, iframeTag) || hasName(request.token, frameTag))
         didBlockScript |= filterIframeToken(request);

[abarth-chromium, 2013/09/13 21:19:51]

filterIframeToken -> Can we rename this function to filterFrameToken ?

[Tom Sepez, 2013/09/13 21:29:28]

Done.

     else if (hasName(request.token, metaTag))
         didBlockScript |= filterMetaToken(request);
@@ -463,7 +463,7 @@ bool XSSAuditor::filterAppletToken(const FilterTokenRequest& request)
 bool XSSAuditor::filterIframeToken(const FilterTokenRequest& request)
 {
     ASSERT(request.token.type() == HTMLToken::StartTag);
-    ASSERT(hasName(request.token, iframeTag));
+    ASSERT(hasName(request.token, iframeTag) || hasName(request.token, frameTag));
 
     bool didBlockScript = false;
     if (isContainedInRequest(decodedSnippetForName(request))) {