| field | value | date |
|---|---|---|
| author | Allan Sandfeld Jensen <allan.jensen@theqtcompany.com> | 2016-07-26 14:17:51 +0200 |
| committer | Allan Sandfeld Jensen <allan.jensen@qt.io> | 2016-08-10 13:47:51 +0000 |
| commit | 593bee0d9cca3c3b45f279e1e25daac06e996489 | |
| tree | 8dff89ca79f59cf453a35c373e38f9fdf24b83ce | |
| parent | e63b94dd0a1510de212006d07cd13669a10b09ee | |
| download | qtwebengine-chromium-593bee0d9cca3c3b45f279e1e25daac06e996489.tar.gz | |
[Backport] Update HistoryController::current_entry_ on all main frame back/forwards.
This fixes a case where it was left stale on a cross-origin commit
because the provisional_entry_ had been cleared by a different commit.
BUG=623319
TEST=See bug comment 14 for repro steps.
CQ_INCLUDE_TRYBOTS=tryserver.chromium.linux:linux_site_isolation
Review-Url: https://codereview.chromium.org/2134493002
(CVE-2016-5130)
Change-Id: I95870ed830ce8772ef22576d85e39179ede8fe76
Reviewed-by: Michael Brüning <michael.bruning@qt.io>
| mode | file | changes |
|---|---|---|
| -rw-r--r-- | chromium/content/renderer/history_controller.cc | 23 |

1 files changed, 22 insertions, 1 deletions
diff --git a/chromium/content/renderer/history_controller.cc b/chromium/content/renderer/history_controller.cc index 860c68e3ef8..ba22246329b 100644 --- a/chromium/content/renderer/history_controller.cc +++ b/chromium/content/renderer/history_controller.cc @@ -169,8 +169,29 @@ void HistoryController::UpdateForCommit(RenderFrameImpl* frame, bool navigation_within_page) { switch (commit_type) { case blink::WebBackForwardCommit: - if (!provisional_entry_) + if (!provisional_entry_) { + // The provisional entry may have been discarded due to a navigation in + // a different frame. For main frames, it is not safe to leave the + // current_entry_ in place, which may have a cross-site page and will be + // included in the PageState for this commit. Replace it with a new + // HistoryEntry corresponding to the commit. + // + // This will lack any subframe history items that were in the original + // provisional entry, but we don't know what those were after discarding + // it. We'll load the default URL in those subframes instead. + // + // TODO(creis): It's also possible to get here for subframe commits. + // We'll leave a stale current_entry_ in that case, but that only causes + // an earlier URL to load in the subframe when leaving and coming back, + // and only in rare cases. It does not risk a URL spoof, unlike the + // main frame case. Since this bug is not present in the new + // FrameNavigationEntry-based navigation path (https://crbug.com/236848) + // we'll wait for that to fix the subframe case. + if (frame->GetRenderView()->GetMainRenderFrame() == frame) + current_entry_.reset(new HistoryEntry(item)); + return; + } // If the current entry is null, this must be a main frame commit. DCHECK(current_entry_ || !frame->GetWebFrame()->parent()); |
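Review bot: the new main-frame branch inside `if (!provisional_entry_) {` is covered only by the manual repro steps referenced in TEST=, and the diffstat shows no test file changed; since the commit message says the stale current_entry_ was reachable on a cross-origin commit and the added comment says that entry "will be included in the PageState for this commit", a browser test that triggers a back/forward commit in the main frame after another frame's commit has discarded provisional_entry_, then checks that the committed PageState no longer carries the earlier cross-site entry, would lock the fix in. Minor: the main-frame check `if (frame->GetRenderView()->GetMainRenderFrame() == frame)` uses a different idiom from `!frame->GetWebFrame()->parent()` in the DCHECK two lines below; using the same form in both places would make it explicit that the reset is what keeps that DCHECK's assumption true. The TODO(creis) knowingly leaves current_entry_ stale for subframe commits; please make sure the bug tracking the FrameNavigationEntry path (https://crbug.com/236848, already cited in the comment) records that this subframe case is still open after this backport.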
