author | Charlie Hu <chenleihu@google.com> | 2020-05-11 17:05:21 +0000 |
---|---|---|
committer | Michael Brüning <michael.bruning@qt.io> | 2020-07-22 15:18:15 +0000 |
commit | 5748e38c2f2085cb07663e3d2102ee101d206a46 (patch) | |
tree | aecf5d2a42d40f49460f3fdad94fd18314e09a4f | |
parent | 1c142fada62e576b89a2630e166943fb212a945f (diff) | |
download | qtwebengine-chromium-5748e38c2f2085cb07663e3d2102ee101d206a46.tar.gz |
[Backport] CVE-2020-6526: Inappropriate implementation in iframe sandbox
Cherry-pick of patch originally reviewed on
https://chromium-review.googlesource.com/c/chromium/src/+/2181318:
Fix uninitialized frame policy issue in javascript url
This CL follows up the previous CL that fixed the timing bug on
frame policy (https://chromium-review.googlesource.com/c/chromium/src/+/1852905).
There was an uncovered code path for subframe navigation where frame
policy is not initialized.
Bug: 1074340
Change-Id: I3840cd5a4f8b18f0976b164e5c768ad56eb6e492
Reviewed-by: Philip Jägenstedt <foolip@chromium.org>
Commit-Queue: Charlie Hu <chenleihu@google.com>
Cr-Commit-Position: refs/heads/master@{#767358}
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
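A browser-side regression check for the path the commit message describes, added here as an example; it is not part of this commit, of Chromium, or of Qt WebEngine and their test suites. It assumes the page is served over http(s) from a real origin and opened in a Chromium-based build; that a sandboxed iframe may navigate itself to a javascript: URL whose result string replaces its document (the ExecuteJavaScriptURL path touched by the patch); and that, once the replaced document is created with the owner's frame policy, the restrictions of the iframe's `sandbox` attribute apply to it. Which restrictions the original bug actually loosened is not stated on the page, so the two probes below are chosen as the ones most easily observed, not as a reproduction of the CVE.

```html
<!doctype html>
<meta charset="utf-8">
<title>Sandbox check: document replaced via javascript: URL</title>
<!-- Constructed test page (added example, not from the Chromium or Qt repositories).
     Assumes: served over http(s) from a real origin, opened in a Chromium-based build. -->
<pre id="log"></pre>
<!-- allow-scripts only: the frame stays cross-origin to this page and may not navigate top. -->
<iframe id="f" sandbox="allow-scripts"></iframe>
<script>
  const frame = document.getElementById('f');
  const log = (line) => { document.getElementById('log').textContent += line + '\n'; };

  // Probe run by the *replaced* document as its body's onload handler (so it
  // needs neither a <script> tag nor double quotes). It reports whether two
  // restrictions from the sandbox attribute are still enforced:
  //   1. no allow-same-origin    => parent.document must throw SecurityError
  //   2. no allow-top-navigation => top.location assignment must throw SecurityError
  // Each result is posted to the parent before the next probe runs; if the
  // top-navigation probe does NOT throw, this page navigates away to about:blank,
  // which is itself the visible failure.
  const probe =
    "var r={};" +
    "try{parent.document;r.parentDocument='reachable'}" +
    "catch(e){r.parentDocument='blocked ('+e.name+')'}" +
    "parent.postMessage(r,'*');" +
    "try{top.location.href='about:blank';parent.postMessage({topNavigation:'allowed'},'*')}" +
    "catch(e){parent.postMessage({topNavigation:'blocked ('+e.name+')'},'*')}";

  // Markup that the javascript: URL evaluates to; it becomes the frame's new document.
  const replacement = '<!doctype html><body onload="' + probe + '">replaced</body>';

  // First document of the frame: it navigates itself to a javascript: URL whose
  // body is a string literal (hence the double JSON.stringify: the inner call
  // builds that literal, the outer one embeds it as text in this script's source).
  const firstDoc =
    '<!doctype html><script>location.href = "javascript:" + ' +
    JSON.stringify(JSON.stringify(replacement)) + ';<\/script>';

  window.addEventListener('message', (e) => {
    if (e.source !== frame.contentWindow) return;   // only the sandboxed frame
    for (const [k, v] of Object.entries(e.data)) log(k + ': ' + v);
  });

  // Expected when the replaced document carries the iframe's frame policy:
  //   parentDocument: blocked (SecurityError)
  //   topNavigation: blocked (SecurityError)
  frame.srcdoc = firstDoc;
</script>
```

Load the page from a local http server rather than a file: URL, since file: origins change how the same-origin probe behaves. Both lines reading `blocked (SecurityError)` mean the replaced document is still governed by the `sandbox` attribute; the page disappearing means the top-navigation restriction was not applied to it.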
-rw-r--r-- | chromium/third_party/blink/renderer/bindings/core/v8/script_controller.cc | 2 |
1 files changed, 2 insertions, 0 deletions
diff --git a/chromium/third_party/blink/renderer/bindings/core/v8/script_controller.cc b/chromium/third_party/blink/renderer/bindings/core/v8/script_controller.cc index 363375fe315..6311d5262d9 100644 --- a/chromium/third_party/blink/renderer/bindings/core/v8/script_controller.cc +++ b/chromium/third_party/blink/renderer/bindings/core/v8/script_controller.cc @@ -297,6 +297,8 @@ void ScriptController::ExecuteJavaScriptURL( WebFeature::kReplaceDocumentViaJavaScriptURL); auto params = std::make_unique<WebNavigationParams>(); params->url = GetFrame()->GetDocument()->Url(); + if (auto* owner = GetFrame()->Owner()) + params->frame_policy = owner->GetFramePolicy(); String result = ToCoreString(v8::Local<v8::String>::Cast(v8_result)); WebNavigationParams::FillStaticResponse(params.get(), "text/html", "UTF-8", |
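Review bot: the new guard `if (auto* owner = GetFrame()->Owner())` leaves `params->frame_policy` at its default whenever the frame has no owner (a main frame), and nothing in the hunk records that this is intended rather than another missed path like the one this CL fixes; a short comment at that point saying that only subframes carry an owner-provided policy (the sandbox flags and feature policy from the embedding element) would save the next reader the same investigation. Separately, the diffstat shows the backport touches only `script_controller.cc` (2 insertions), so nothing here exercises the replace-document path with a sandboxed owner; consider carrying a regression test for it alongside the fix, or noting in the message why none is included.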