Thanks for the report.

japhet@, could you please look at this one too? It seems like 613266 didn't fully solve this problem.

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/be655fd4fb9ab3291a855a939496111674037a2f

commit be655fd4fb9ab3291a855a939496111674037a2f
Author: japhet <japhet@chromium.org>
Date: Sat Jun 18 01:02:39 2016

Always use FrameNavigationDisabler during DocumentLoader detach.

BUG= 617495 

Review-Url: https://codereview.chromium.org/2079473002
Cr-Commit-Position: refs/heads/master@{#400558}

[modify] https://crrev.com/be655fd4fb9ab3291a855a939496111674037a2f/third_party/WebKit/Source/core/loader/FrameLoader.cpp

japhet: Uh oh! This issue still open and hasn't been updated in the last 14 days. This is a serious vulnerability, and we want to ensure that there's progress. Could you please leave an update with the current status and any potential blockers?

If you're not the right owner for this issue, could you please remove yourself as soon as possible or help us find the right one?

If the issue is fixed or you can't reproduce it, please close the bug. If you've started working on a fix, please set the status to Started.

Thanks for your time! To disable nags, add the Disable-Nags label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

I'm inclined to let this bake a couple of days before merging, if there are no objections.

I don't see any evidence of regressions from the bugfix. Should this be merged to M51 and/or M52?

Please mark security bugs as fixed as soon as the fix lands, and before requesting merges.

- Your friendly ClusterFuzz

[Automated comment] There appears to be on-going work (i.e. bugroid changes), needs manual review.

[Automated comment] There appears to be on-going work (i.e. bugroid changes), needs manual review.

Before we approve merge to M52, Could you please confirm whether this change is baked/verified in Canary and safe to merge?

Also is this change applicable to all OS or any specific OS?

All OSes are affected.

This fix has been on canaries for a little over a week, and I haven't been able to find any crashes or regression reports that appear to be related to this change, so I think this is baked.

Thank you. Approving merge to M52 branch 2743 based on comment #12. Please merge asap. Thank you.

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/019484e056b10a33a91b1342de1cd1d08d18d605

commit 019484e056b10a33a91b1342de1cd1d08d18d605
Author: Nate Chapin <japhet@chromium.org>
Date: Tue Jun 28 22:03:05 2016

Always use FrameNavigationDisabler during DocumentLoader detach.

BUG= 617495 

Review-Url: https://codereview.chromium.org/2079473002
Cr-Commit-Position: refs/heads/master@{#400558}
(cherry picked from commit be655fd4fb9ab3291a855a939496111674037a2f)

Review URL: https://codereview.chromium.org/2103703004 .

Cr-Commit-Position: refs/branch-heads/2743@{#511}
Cr-Branched-From: 2b3ae3b8090361f8af5a611712fc1a5ab2de53cb-refs/heads/master@{#394939}

[modify] https://crrev.com/019484e056b10a33a91b1342de1cd1d08d18d605/third_party/WebKit/Source/core/loader/FrameLoader.cpp

And $7,500 for this one!

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot