angler-fishThe Vulnerability History Project

Block javascript: document navigations during page dismissal events.

      This basically reflects the logic from FrameLoader::startLoad. Before this patch, javascript: document navigations could be performed during page dismissal events. This could be problematic, especially that dismissal events prevent loaders from being stopped or detached.

This patch adds a bail-out condition to FrameLoader::replaceDocumentWhileExecutingJavaScriptURL.

BUG=556724

Review URL: https://codereview.chromium.org/1451123002

Cr-Commit-Position: refs/heads/master@{#360242}
by Stanley the Reindeer 2015-11-18 01:00:59 UTC
commit e6fabc430b0f6a52dacc47860d66da09c79c310b
Chromium Fix CVE-2015-6768
AUTHORS
-1
third_party/WebKit/LayoutTests/fast/events/javascript-uri-navigation-blocked-in-unload-handler-expected.txt
-2
third_party/WebKit/LayoutTests/fast/events/javascript-uri-navigation-blocked-in-unload-handler.html
-29
third_party/WebKit/Source/core/loader/FrameLoader.cpp
+1 -1
expand_less