author    Mike West <mkwst@chromium.org>  2019-11-16 18:53:06 +0000
committer Michael Brüning <michael.bruning@qt.io>  2020-03-06 12:03:18 +0000
commit    cfd1a2eb98c687e9d33f1554483c35d2abb69f70 (patch)
tree      856947d033f3541a9b986ec951df8642c1c2e7e8
parent    80029e447371aa473ac524177cc0667742e93ee2 (diff)
[Backport] CVE-2020-6394 - Insufficient policy enforcement in Blink

Manual backport of patch originally reviewed on https://chromium-review.googlesource.com/c/chromium/src/+/1916467:

Prevent sandboxed frames from navigating to `javascript:`.

Frames with the `allow-popup` and `allow-popup-to-escape-sandbox` flags can cause JavaScript execution in their origin by navigating to a `javascript:` URL via `target=_blank` or similar. This is technically correct, but surprising. https://github.com/whatwg/html/pull/5083 aims to tighten that check to match developers' expectations that `javascript:` URLs controlled by a page that's been sandboxed away from script will not execute.

Bug: 1014371
Change-Id: Id3e9ebf7f4082c96a92bdaccaea1dd73f5c9b54b
Reviewed-by: Jüri Valdmann <juri.valdmann@qt.io>
-rw-r--r--  chromium/third_party/blink/renderer/core/loader/frame_loader.cc  7
1 files changed, 5 insertions, 2 deletions
diff --git a/chromium/third_party/blink/renderer/core/loader/frame_loader.cc b/chromium/third_party/blink/renderer/core/loader/frame_loader.cc
index c56c4f347c1..35c2bb2a10a 100644
--- a/chromium/third_party/blink/renderer/core/loader/frame_loader.cc
+++ b/chromium/third_party/blink/renderer/core/loader/frame_loader.cc
@@ -726,8 +726,11 @@ void FrameLoader::StartNavigation(const FrameLoadRequest& passed_request,
}
if (url.ProtocolIsJavaScript()) {
- frame_->GetDocument()->ProcessJavaScriptUrl(
- url, request.ShouldCheckMainWorldContentSecurityPolicy());
+ if (!origin_document ||
+ origin_document->CanExecuteScripts(kAboutToExecuteScript)) {
+ frame_->GetDocument()->ProcessJavaScriptUrl(
+ url, request.ShouldCheckMainWorldContentSecurityPolicy());
+ }
return;
}
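Review bot: the null fallback in `+ if (!origin_document ||` lets the `javascript:` URL execute without any `CanExecuteScripts` check whenever no originating document is supplied; the hunk gives no comment saying which navigations reach `StartNavigation` with a null `origin_document` and why those are trusted, so add one there (or a DCHECK on the invariant) so the next reader does not mistake the fallback for a bypass. The function also reaches `return;` on both paths, so a blocked navigation is indistinguishable to the caller from a completed one, which is worth a sentence in the comment as well. Finally, the diffstat lists only `frame_loader.cc`: a regression test covering a sandboxed frame with `allow-popups` and `allow-popups-to-escape-sandbox` navigating a `target=_blank` opener to a `javascript:` URL should travel with this backport, since that is exactly the case the commit message describes.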