Chromium Code Reviews
|
|
Chromium Code Reviews
Issue
2537143004:
Stop a SVG <use> element from modifying its UA shadow tree when it is removed (Closed)
DescriptionStop a SVG <use> element from modifying its UA shadow tree when it is removed
Each element should not modify its UA shadow tree when being removed.
That is like a *double-free* because a super class's |removedFrom()| handles that.
BUG=630870, 637641
Committed: https://crrev.com/66a0e78c24b56758cd9733959f583e6e75fa2b66
Cr-Commit-Position: refs/heads/master@{#435205}
Patch Set 1 #
Messages
Total messages: 18 (11 generated)
The CQ bit was checked by hayato@chromium.org to run a CQ dry run
Description was changed from ========== Stop a SVG <use> element from modifying its UA Shadow tree in removedFrom(). BUG=637641 ========== to ========== Stop a SVG <use> element from modifying its UA Shadow tree in removedFrom() BUG=637641 ==========
Dry run: CQ is trying da patch. Follow status at https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.or...
Description was changed from ========== Stop a SVG <use> element from modifying its UA Shadow tree in removedFrom() BUG=637641 ========== to ========== Stop a SVG <use> element from modifying its UA shadow tree when it is removed Each element should not modify its UA shadow tree when being removed. That is like a *double-free* because a super class's removedFrom handles that. BUG=637641 ==========
Description was changed from ========== Stop a SVG <use> element from modifying its UA shadow tree when it is removed Each element should not modify its UA shadow tree when being removed. That is like a *double-free* because a super class's removedFrom handles that. BUG=637641 ========== to ========== Stop a SVG <use> element from modifying its UA shadow tree when it is removed Each element should not modify its UA shadow tree when being removed. That is like a *double-free* because a super class's |removedFrom()| handles that. BUG=637641 ==========
hayato@chromium.org changed reviewers: + fs@opera.com, tkent@chromium.org
PTAL
I don't have enough context. Is this a behaivor change? Or just removing redundant work?
No behavior change. This removes redundant work, which caused a XSS security bug. See https://bugs.chromium.org/p/chromium/issues/detail?id=630870 for details.
Description was changed from ========== Stop a SVG <use> element from modifying its UA shadow tree when it is removed Each element should not modify its UA shadow tree when being removed. That is like a *double-free* because a super class's |removedFrom()| handles that. BUG=637641 ========== to ========== Stop a SVG <use> element from modifying its UA shadow tree when it is removed Each element should not modify its UA shadow tree when being removed. That is like a *double-free* because a super class's |removedFrom()| handles that. BUG=630870,637641 ==========
lgtm
The CQ bit was unchecked by hayato@chromium.org
The CQ bit was checked by hayato@chromium.org
CQ is trying da patch. Follow status at https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.or...
CQ is committing da patch.
Bot data: {"patchset_id": 1, "attempt_start_ts": 1480495723711340, "parent_rev":
"fef3784ca53dc769e85b1d78a8af5be5e8ebfb6d", "commit_rev":
"77b2a4891db6524edb7f9f23bd1924de6270b272"}
Message was sent while issue was closed.
Committed patchset #1 (id:1)
Message was sent while issue was closed.
Description was changed from ========== Stop a SVG <use> element from modifying its UA shadow tree when it is removed Each element should not modify its UA shadow tree when being removed. That is like a *double-free* because a super class's |removedFrom()| handles that. BUG=630870,637641 ========== to ========== Stop a SVG <use> element from modifying its UA shadow tree when it is removed Each element should not modify its UA shadow tree when being removed. That is like a *double-free* because a super class's |removedFrom()| handles that. BUG=630870,637641 Committed: https://crrev.com/66a0e78c24b56758cd9733959f583e6e75fa2b66 Cr-Commit-Position: refs/heads/master@{#435205} ==========
Message was sent while issue was closed.
Patchset 1 (id:??) landed as https://crrev.com/66a0e78c24b56758cd9733959f583e6e75fa2b66 Cr-Commit-Position: refs/heads/master@{#435205} |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
