VULNERABILITY DETAILS
UA shadow tree implementations have multiple non-checked casts.
See https://bugs.chromium.org/p/chromium/issues/detail?id=666246 Comment 33 and 38.
IMO, introducing toHTMLSelectElementOrDie() and using it in UA shadow trees would be enough.
I missed this comment about debugger API.
https://bugs.chromium.org/p/chromium/issues/detail?id=666246#c47
> This API isn't in stable yet
It sounds like the API is not stable yet.
Could we have a chance to reject the debugger API reaching the internals of UA shadow trees? I am afraid that Blink is not ready for such an API. That would cause a lot of breakage of the current code's assumptions.
I think introducing toHTMLSelectElementOrDie() is just a *local* fix.
Comment 1 by tkent@chromium.org, Nov 28 2016