CVE-2016-1673

Security: Universal XSS using a FrameNavigationDisabler bypass

Reported by [email protected], Mar 24 2016

VULNERABILITY DETAILS

When a top-level navigation is triggered on a frame displaying the initial empty document, FrameLoader::load is invoked directly:

void LocalFrame::navigate(Document& originDocument, const KURL& url, bool replaceCurrentItem, UserGestureStatus userGestureStatus)
{
(...)
    if (isMainFrame() && !m_loader.stateMachine()->committedFirstRealDocumentLoad()) {
        FrameLoadRequest request(&originDocument, url);
        request.resourceRequest().setHasUserGesture(userGestureStatus == UserGestureStatus::Active);
        m_loader.load(request);
    } else {
        m_navigationScheduler->scheduleLocationChange(&originDocument, url.getString(), replaceCurrentItem);
    }
}

As a result, FrameNavigationDisabler fails to prevent the navigation, because the URL is loaded synchronously through FrameLoader::load rather than through the NavigationScheduler.
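The pattern behind the bug, as an added stand-alone model (not Chromium code): a guard that is honoured on the scheduled navigation path but skipped on the synchronous one, next to a hardened dispatch that checks the guard before either path. Class and function names only mimic the Blink ones, and the fix shown is an assumption, not Chromium's actual patch.

```cpp
#include <string>
#include <vector>

struct Frame {
    bool isMainFrame = true;
    bool committedFirstRealDocumentLoad = false; // still on the initial empty document
    int navigationDisableCount = 0;              // raised by FrameNavigationDisabler
    std::vector<std::string> loadedUrls;         // navigations that went through

    bool isNavigationAllowed() const { return navigationDisableCount == 0; }

    // Scheduled path (models NavigationScheduler): honours the disabler.
    void scheduleLocationChange(const std::string& url) {
        if (!isNavigationAllowed()) return;
        loadedUrls.push_back(url);
    }
    // Synchronous path (models FrameLoader::load): never consults the disabler.
    void loaderLoad(const std::string& url) { loadedUrls.push_back(url); }
};

// RAII guard modelled on FrameNavigationDisabler: while alive, navigation must be refused.
struct FrameNavigationDisabler {
    Frame& frame;
    explicit FrameNavigationDisabler(Frame& f) : frame(f) { ++frame.navigationDisableCount; }
    ~FrameNavigationDisabler() { --frame.navigationDisableCount; }
};

// Dispatch mirroring the branch in LocalFrame::navigate quoted above.
void navigateOriginal(Frame& frame, const std::string& url) {
    if (frame.isMainFrame && !frame.committedFirstRealDocumentLoad)
        frame.loaderLoad(url);             // direct load: guard bypassed
    else
        frame.scheduleLocationChange(url); // scheduled: guard enforced
}

// Hardened dispatch (assumed fix, not Chromium's actual patch): consult the
// guard before choosing a path, so the synchronous branch is covered as well.
void navigateHardened(Frame& frame, const std::string& url) {
    if (!frame.isNavigationAllowed()) return;
    navigateOriginal(frame, url);
}

// Number of navigations that went through while a disabler was active.
int navigationsWhileDisabled(bool hardened) {
    Frame frame; // constructed sample: main frame on its initial empty document
    FrameNavigationDisabler disabler(frame);
    const std::string url = "https://example.test/"; // constructed sample URL
    if (hardened) navigateHardened(frame, url); else navigateOriginal(frame, url);
    return static_cast<int>(frame.loadedUrls.size());
}
```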

VERSION

Chrome 49.0.2623.87 (Stable)
Chrome 50.0.2661.49 (Beta)
Chrome 51.0.2687.0 (Dev)
Chromium 51.0.2690.0 + Pepper Flash (Release build compiled today)

Link: https://bugs.chromium.org/p/chromium/issues/detail?id=597532