Fix cross-origin security issue raised by PerformanceNavigationTiming.
Issue description: Fix cross-origin security issue raised by PerformanceNavigationTiming. Currently, PerformanceNavigationTiming holds on to a LocalFrame directly, and a DocumentLoader is extracted from that LocalFrame at runtime. During the lifetime of a LocalFrame, multiple documents can be loaded and attached to the same frame, so an old PNT instance can end up referencing a DocumentLoader that was created for a new, cross-origin document. Therefore, instead of holding on to a LocalFrame, PNT should hold on to a Document.
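The ownership problem described above, as an added, constructed model that is not Chromium's code: the struct and class names mirror the Blink classes named in the issue (LocalFrame, Document, DocumentLoader) but are simplified stand-ins, and the origins "https://a.example" and "https://b.example" are constructed. The "before" entry holds the frame and resolves the loader at call time, so after a navigation it reads the loader that belongs to the newly attached document; the "after" entry holds the document it was created for, so it can only ever see that document's loader, and it checks for a null loader once the document is detached instead of dereferencing it.

```cpp
#include <memory>
#include <string>
#include <utility>

// Constructed model of the lifetime bug described in the issue; not Chromium code.
// Names mirror the Blink classes mentioned on the page but are simplified stand-ins.

struct DocumentLoader {
  std::string origin;  // origin of the document this loader fetched
  std::string type;    // navigation type, e.g. "navigate" or "reload"
};

struct Document {
  std::string origin;
  std::shared_ptr<DocumentLoader> loader;  // reset when the document is detached
};

struct LocalFrame {
  std::shared_ptr<Document> document;

  // A navigation detaches the current document and installs a new one in the
  // same frame. The old Document object may still be referenced elsewhere
  // (for example by a timing entry), but its loader is gone.
  void navigate(const std::string& origin, const std::string& type) {
    if (document) document->loader.reset();
    document = std::make_shared<Document>();
    document->origin = origin;
    document->loader = std::make_shared<DocumentLoader>(DocumentLoader{origin, type});
  }
};

// "Before": the entry holds the frame and looks the loader up at call time,
// so after a navigation it reads the loader of whatever document is in the
// frame now, which may belong to another origin.
class TimingHoldingFrame {
 public:
  explicit TimingHoldingFrame(LocalFrame* frame) : frame_(frame) {}
  std::string loaderOrigin() const { return frame_->document->loader->origin; }
  std::string type() const { return frame_->document->loader->type; }

 private:
  LocalFrame* frame_;
};

// "After": the entry holds the document it was created for. Once that document
// is detached its loader is null; the accessors check for that instead of
// dereferencing it, and they can never observe a later document's loader.
class TimingHoldingDocument {
 public:
  explicit TimingHoldingDocument(std::shared_ptr<Document> document)
      : document_(std::move(document)) {}
  std::string loaderOrigin() const {
    auto loader = document_->loader;
    return loader ? loader->origin : std::string();
  }
  std::string type() const {
    auto loader = document_->loader;
    return loader ? loader->type : std::string();
  }

 private:
  std::shared_ptr<Document> document_;
};

// Scenario: a frame loads a.example, a timing entry is created for that
// document, then the frame navigates to b.example (constructed origins).
std::string originSeenAfterNavigation_viaFrame() {
  LocalFrame frame;
  frame.navigate("https://a.example", "navigate");
  TimingHoldingFrame entry(&frame);
  frame.navigate("https://b.example", "navigate");
  return entry.loaderOrigin();  // reports the cross-origin document's loader
}

std::string originSeenAfterNavigation_viaDocument() {
  LocalFrame frame;
  frame.navigate("https://a.example", "navigate");
  TimingHoldingDocument entry(frame.document);
  frame.navigate("https://b.example", "navigate");
  return entry.loaderOrigin();  // empty: the entry's own document is detached
}

std::string typeAfterNavigation_viaDocument() {
  LocalFrame frame;
  frame.navigate("https://a.example", "reload");
  TimingHoldingDocument entry(frame.document);
  frame.navigate("https://b.example", "navigate");
  return entry.type();  // empty rather than a null dereference
}
```

The frame-holding entry answers with the second document's origin, which is exactly the cross-origin exposure the issue describes; the document-holding entry returns an empty value after its document is detached, which is also the shape of the null-loader case the commit below says it fixes.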
Mar 28 2017

The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/47b93d128610246960c032a00b67ec2083b2a05b

commit 47b93d128610246960c032a00b67ec2083b2a05b
Author: sunjian <sunjian@chromium.org>
Date: Tue Mar 28 20:13:19 2017

Fix PerformanceNavigationTiming accessor behavior after document detach.

Currently, PerformanceNavigationTiming holds on to a LocalFrame directly. A DocumentLoader will be extracted at runtime from this LocalFrame. During the lifetime of a LocalFrame, multiple documents can get loaded and get attached to the same frame, which causes an old PNT instance to reference a DocumentLoader that could be created for a new cross-origin document. Therefore, instead of holding on to a LocalFrame, PNT should hold on to a Document instead.

The change in this patch also fixes the crash reported by clusterfuzz, which is dereferencing a null pointer when PerformanceNavigationTiming::type gets called after a Document gets replaced, which causes its associated DocumentLoader to be null.

BUG=704352, 703540
Review-Url: https://codereview.chromium.org/2774543003
Cr-Commit-Position: refs/heads/master@{#460198}

[add] https://crrev.com/47b93d128610246960c032a00b67ec2083b2a05b/third_party/WebKit/LayoutTests/external/wpt/navigation-timing/nav2_test_document_replaced.html
[add] https://crrev.com/47b93d128610246960c032a00b67ec2083b2a05b/third_party/WebKit/LayoutTests/external/wpt/navigation-timing/nav2_test_frame_removed.html
[modify] https://crrev.com/47b93d128610246960c032a00b67ec2083b2a05b/third_party/WebKit/Source/core/timing/PerformanceNavigationTiming.cpp
[modify] https://crrev.com/47b93d128610246960c032a00b67ec2083b2a05b/third_party/WebKit/Source/core/timing/PerformanceNavigationTiming.h
Mar 29 2017

This issue is a security regression. If you are not able to fix this quickly, please revert the change that introduced it. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Jul 6 2017

This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by amineer@chromium.org, Mar 27 2017
Labels: Restrict-View-SecurityTeam