New issue
Advanced search Search tips
Note: Color blocks (like or ) mean that a user may not be available. Tooltip shows the reason.

Issue 660683 link

Starred by 1 user
Status: Fixed
Owner:
mkwst@chromium.org
Buried. Ping if important.
Closed: Nov 2016
Cc:
jww@chromium.org
EstimatedDays: ----
NextAction: ----
OS: All
Pri: 1
Type: Bug



Sign in to add a comment

Crash when a page in a suborigin sets window.location.hash

Project Member Reported by a...@google.com, Oct 29 2016 
Version: 56.0.2902.0 dev (64-bit)
OS: Ubuntu 14.04.5 LTS, Trusty Tahr

What steps will reproduce the problem?
(1) Page sets a Suborigin header.
(2) Page assigns a string to window.location.hash.

Example: http://lingro.com:81/cgi-bin/suborigin-testing/bug1.py

#!/usr/bin/python
import cgi

print """\
Content-Type: text/html; charset=utf-8
Suborigin: foo

<script>window.location.hash = '#bar'</script>
"""

What is the expected output?
The URL fragment is changed, no crash.

What do you see instead?
The "Aw, Snap!" crashed tab.


Some quick testing reveals that this happens for non-navigating hash assignments, including directly setting window.location = "#...", but not for navigations, e.g. window.location = "/foo#bar".

Comment 1 by jochen@chromium.org, Oct 31 2016 

could you please post a crash id? (chrome://crashes lists them)

Comment 2 by a...@google.com, Oct 31 2016 

Sure, sorry! The most recent one is bf90c04700000000

Comment 3 by a...@google.com, Nov 2 2016

Labels: -Pri-2 Pri-1
After some thought I'm bumping it to P1 because the crash is blocking suborigin testing/adoption in several of the applications we've had on our radar.
Project Member

Comment 4 by bugdroid1@chromium.org, Nov 3 2016 

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/25ec43232e79ebfe0c4fdd2e301d957268c66e26

commit 25ec43232e79ebfe0c4fdd2e301d957268c66e26
Author: mkwst <mkwst@chromium.org>
Date: Thu Nov 03 13:47:47 2016

Suborigins should not crash fragment navigations.

We should be checking for physical origin matches when committing URLs,
as the URL we commit doesn't include the suborigin.

BUG= 660683 
R=jochen@chromium.org

Review-Url: https://codereview.chromium.org/2472963002
Cr-Commit-Position: refs/heads/master@{#429563}

[modify] https://crrev.com/25ec43232e79ebfe0c4fdd2e301d957268c66e26/content/renderer/render_frame_impl.cc
[add] https://crrev.com/25ec43232e79ebfe0c4fdd2e301d957268c66e26/third_party/WebKit/LayoutTests/http/tests/security/suborigins/suborigin-in-page-navigation.php

Comment 5 by mkwst@chromium.org, Nov 14 2016

Status: Fixed (was: Untriaged)
If this isn't fixed, Artur, ping me.

Comment 6 by a...@google.com, Nov 14 2016 

I just tried it in Canary and everything seems to work fine now. Thanks for the fix, Mike!

Sign in to add a comment