Reproduction case is similar to bug 574896 case:
https://www.youtube.com/watch?v=bkM6EiUzy-4&feature=youtu.be

Assigning to meacer to triage.

Argh, I missed this bug too, apologies. I feel like this could be medium severity too, even though there is an interaction requirement.

Not sure what the best fix is, short of adding a type field to GuestViewContainer. Devlin, what do you think?

Same issue exists for IframeGuestViewContainer because of the cast in GuestViewInternalCustomBindings::AttachIframeGuest. This crashes the renderer:

for(var i = 0; i < 50000; i++) requireNative('guest_view_internal').AttachIframeGuest(i, function() {})

Bumping severity to medium since this doesn't require an extension install, but it requires another bug to get hold of requireNative.

lazyboy: Can you PTAL or reassign as appropriate? Thanks.

Assigning to James.

wjmaclean: Uh oh! This issue still open and hasn't been updated in the last 107 days. This is a serious vulnerability, and we want to ensure that there's progress. Could you please leave an update with the current status and any potential blockers?

If you're not the right owner for this issue, could you please remove yourself as soon as possible or help us find the right one?

If the issue is fixed or you can't reproduce it, please close the bug. If you've started working on a fix, please set the status to Started.

Thanks for your time! To disable nags, add the Disable-Nags label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Lucas, could you take a look at this please?

Re# 6: What's the callstack of the renderer crash? The cast in AttachIframeGuest should be harmless, except for perhaps leaking memory if you do that repeatedly.

The original reported one is definitely a bug that should be fixed.

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/a539cacdcc17694e23c30fc0eb10ffe150129a3a

commit a539cacdcc17694e23c30fc0eb10ffe150129a3a
Author: lfg <lfg@chromium.org>
Date: Thu Oct 20 23:09:00 2016

Fix wrong cast in ExtensionsGuestViewContainer.

This change moves DidResizeElement from ExtensionsGuestViewContainer to GuestViewContainer, so we don't need the cast to ExtensionsGuestViewContainer.

BUG= 625475 

Review-Url: https://chromiumcodereview.appspot.com/2427893003
Cr-Commit-Position: refs/heads/master@{#426637}

[modify] https://crrev.com/a539cacdcc17694e23c30fc0eb10ffe150129a3a/components/guest_view/renderer/DEPS
[modify] https://crrev.com/a539cacdcc17694e23c30fc0eb10ffe150129a3a/components/guest_view/renderer/guest_view_container.cc
[modify] https://crrev.com/a539cacdcc17694e23c30fc0eb10ffe150129a3a/components/guest_view/renderer/guest_view_container.h
[modify] https://crrev.com/a539cacdcc17694e23c30fc0eb10ffe150129a3a/extensions/renderer/guest_view/extensions_guest_view_container.cc
[modify] https://crrev.com/a539cacdcc17694e23c30fc0eb10ffe150129a3a/extensions/renderer/guest_view/extensions_guest_view_container.h
[modify] https://crrev.com/a539cacdcc17694e23c30fc0eb10ffe150129a3a/extensions/renderer/guest_view/guest_view_internal_custom_bindings.cc

Given the low impact and requirements to reproduce the bad cast, I won't be merging this back.

[Automated comment] DEPS changes referenced in bugdroid comments, needs manual review.

+awhalley@ for M55 merge review

I don't think this is worth merging, but since sheriffbot requested the merge I'll let awhalley make the call.

No need to merge this one.

I'm afraid the panel declined to reward for this bug, given it's pretty highly mitigated.

sad!

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot