In fact, I found a way to bypass the function constructor restrictions. That is, UXSS is possible. The trick is to create and resolve a promise, and call the function constructor in the `then` callback:

  var parent_Promise = fetch.call(parent).constructor;
  var parent_Function = parent_Promise.constructor;
  new parent_Promise(function(resolve) {
    resolve();
  }).then(function() {
    var f = new parent_Function("document.body.style.backgroundColor = 'red';");
    f();
  });

Deleted: parent.html 77 bytes

parent.html 77 bytes View Download

Deleted: child.html 448 bytes

child.html 448 bytes View Download

Thanks for your report!

dcheng@, would you mind helping to triage this?

Actually hmm, bisect-builds.py narrows this down to https://chromium.googlesource.com/chromium/src/+log/2ba53c9cf88833aabbb642e53de195fb150e28f0..d14e966090ffb39319f6baeb364426a00b5ede7b

There's a v8 roll which has https://chromium.googlesource.com/v8/v8/+/d008b9efcbddf299feefe7b420fd7e1601512ba5, so maybe jochen@ should be looking at this one.

Thanks dcheng@!

Thx for the report, the work-around for the function constructor check looks interesting, I'll investigate how to fix this.

Assigning back to yukishiino@ for using the wrong context in fetch

I've found that my CL mentioned caused this regression.  This is purely a binding issue, not related to Fetch API.

This issue is a security regression. If you are not able to fix this quickly, please revert the change that introduced it.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Just FYI, I sent out a CL: http://crrev.com/2418413004

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/9e04d69152b9c2ac7b4e395213c0e19c52e69bcc

commit 9e04d69152b9c2ac7b4e395213c0e19c52e69bcc
Author: yukishiino <yukishiino@chromium.org>
Date: Wed Oct 19 13:19:13 2016

binding: Creates a reject promise always in the current realm.

Regular promises are created in the relevant real of the context
object.  However, reject promises are special, they must be
created in the current realm as same as exceptions must be
created in the current realm.

BUG= 656274 

Review-Url: https://chromiumcodereview.appspot.com/2418413004
Cr-Commit-Position: refs/heads/master@{#426171}

[add] https://crrev.com/9e04d69152b9c2ac7b4e395213c0e19c52e69bcc/third_party/WebKit/LayoutTests/http/tests/security/promise-realm.html
[modify] https://crrev.com/9e04d69152b9c2ac7b4e395213c0e19c52e69bcc/third_party/WebKit/Source/bindings/core/v8/GeneratedCodeHelper.h
[modify] https://crrev.com/9e04d69152b9c2ac7b4e395213c0e19c52e69bcc/third_party/WebKit/Source/bindings/templates/methods.cpp.tmpl

I confirmed that the fix is working fine with Canary(precise64) Version 56.0.2896.3 unknown (64-bit).
Request a merge to M55.

Your change meets the bar and is auto-approved for M55 (branch: 2883)

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/4152354ad141e5f759ee0d80a95b1a8bb49143e7

commit 4152354ad141e5f759ee0d80a95b1a8bb49143e7
Author: Yuki Shiino <yukishiino@chromium.org>
Date: Fri Oct 21 07:07:09 2016

binding: Creates a reject promise always in the current realm.

Regular promises are created in the relevant real of the context
object.  However, reject promises are special, they must be
created in the current realm as same as exceptions must be
created in the current realm.

BUG= 656274 

Review-Url: https://chromiumcodereview.appspot.com/2418413004
Cr-Commit-Position: refs/heads/master@{#426171}
(cherry picked from commit 9e04d69152b9c2ac7b4e395213c0e19c52e69bcc)

Review URL: https://codereview.chromium.org/2438253002 .

Cr-Commit-Position: refs/branch-heads/2883@{#227}
Cr-Branched-From: 614d31daee2f61b0180df403a8ad43f20b9f6dd7-refs/heads/master@{#423768}

[add] https://crrev.com/4152354ad141e5f759ee0d80a95b1a8bb49143e7/third_party/WebKit/LayoutTests/http/tests/security/promise-realm.html
[modify] https://crrev.com/4152354ad141e5f759ee0d80a95b1a8bb49143e7/third_party/WebKit/Source/bindings/core/v8/GeneratedCodeHelper.h
[modify] https://crrev.com/4152354ad141e5f759ee0d80a95b1a8bb49143e7/third_party/WebKit/Source/bindings/templates/methods.cpp.tmpl

Congratulations, the panel has awarded $5,000 for this report.  Many thanks!

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/4152354ad141e5f759ee0d80a95b1a8bb49143e7

commit 4152354ad141e5f759ee0d80a95b1a8bb49143e7
Author: Yuki Shiino <yukishiino@chromium.org>
Date: Fri Oct 21 07:07:09 2016

binding: Creates a reject promise always in the current realm.

Regular promises are created in the relevant real of the context
object.  However, reject promises are special, they must be
created in the current realm as same as exceptions must be
created in the current realm.

BUG= 656274 

Review-Url: https://chromiumcodereview.appspot.com/2418413004
Cr-Commit-Position: refs/heads/master@{#426171}
(cherry picked from commit 9e04d69152b9c2ac7b4e395213c0e19c52e69bcc)

Review URL: https://codereview.chromium.org/2438253002 .

Cr-Commit-Position: refs/branch-heads/2883@{#227}
Cr-Branched-From: 614d31daee2f61b0180df403a8ad43f20b9f6dd7-refs/heads/master@{#423768}

[add] https://crrev.com/4152354ad141e5f759ee0d80a95b1a8bb49143e7/third_party/WebKit/LayoutTests/http/tests/security/promise-realm.html
[modify] https://crrev.com/4152354ad141e5f759ee0d80a95b1a8bb49143e7/third_party/WebKit/Source/bindings/core/v8/GeneratedCodeHelper.h
[modify] https://crrev.com/4152354ad141e5f759ee0d80a95b1a8bb49143e7/third_party/WebKit/Source/bindings/templates/methods.cpp.tmpl

[Automated comment] removing mislabelled merge-merged-2840

[Automated comment] removing mislabelled merge-merged-2840

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot