| field | value | date |
|---|---|---|
| author | Nate Chapin <japhet@chromium.org> | 2021-10-14 20:24:32 +0000 |
| committer | Michael Brüning <michael.bruning@qt.io> | 2022-02-08 10:18:40 +0000 |
| commit | f0327bde5d526512e67b84128079b523a6b77031 (patch) | |
| tree | a5b80f6c6e793303803925518e0a973fae15d324 /chromium/third_party/blink/renderer | |
| parent | fd51c46b0f8d4977bfe277f7d67df514e8c8e2a2 (diff) | |
| download | qtwebengine-chromium-f0327bde5d526512e67b84128079b523a6b77031.tar.gz | |
[Backport] CVE-2022-0108: Inappropriate implementation in Navigation
Cherry-pick of patch originally reviewed on
https://chromium-review.googlesource.com/c/chromium/src/+/3193885:
Fire iframe onload for cross-origin-initiated same-document navigations
A cross-origin initiator can check whether or not onload fired to
guess the url of a target frame. Always firing onload makes it
appear to be a cross-document navigation, even when it wasn't.
Bug: 1248444
Change-Id: I79249cb441f61ac6cab65ab9e5dd4a44b291bc4a
Commit-Queue: Nate Chapin <japhet@chromium.org>
Reviewed-by: Rakina Zata Amni <rakina@chromium.org>
Cr-Commit-Position: refs/heads/main@{#931681}
Reviewed-by: Michal Klocek <michal.klocek@qt.io>
Diffstat (limited to 'chromium/third_party/blink/renderer')
-rw-r--r-- | chromium/third_party/blink/renderer/core/loader/document_loader.cc | 20 |
1 files changed, 19 insertions, 1 deletions
diff --git a/chromium/third_party/blink/renderer/core/loader/document_loader.cc b/chromium/third_party/blink/renderer/core/loader/document_loader.cc index 5f0be38667a..ae8baa6ab44 100644 --- a/chromium/third_party/blink/renderer/core/loader/document_loader.cc +++ b/chromium/third_party/blink/renderer/core/loader/document_loader.cc @@ -1429,7 +1429,25 @@ void DocumentLoader::CommitSameDocumentNavigationInternal( initial_scroll_state_.was_scrolled_by_user = false; - frame_->GetDocument()->CheckCompleted(); + if (frame_->GetDocument()->LoadEventStillNeeded()) { + frame_->GetDocument()->CheckCompleted(); + } else if (frame_->Owner() && initiator_origin && + !initiator_origin->CanAccess( + frame_->DomWindow()->GetSecurityOrigin()) && + frame_->Tree() + .Parent() + ->GetSecurityContext() + ->GetSecurityOrigin()) { + // If this same-document navigation was initiated by a cross-origin iframe + // and is cross-origin to its parent, fire onload on the owner iframe. + // Normally, the owner iframe's onload fires if and only if the window's + // onload fires (i.e., when a navigation to a different document completes). + // However, a cross-origin initiator can use the presence or absence of a + // load event to detect whether the navigation was same- or cross-document, + // and can therefore try to guess the url of a cross-origin iframe. Fire the + // iframe's onload to prevent this technique. https://crbug.com/1251790 + frame_->Owner()->DispatchLoad(); + } // If the item sequence number didn't change, there's no need to trigger // popstate, restore scroll positions, or scroll to fragments for this |
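Review bot: the last conjunct of the new `else if` in `CommitSameDocumentNavigationInternal`, `frame_->Tree().Parent()->GetSecurityContext()->GetSecurityOrigin()`, only checks that the parent's origin pointer is non-null; it never compares that origin with the navigated frame's origin, so the "and is cross-origin to its parent" part of the comment is not what the code enforces, and `frame_->Owner()->DispatchLoad()` will also run when the frame is same-origin with its parent (the only origin relation actually tested is `!initiator_origin->CanAccess(frame_->DomWindow()->GetSecurityOrigin())`). Either the condition should end with something like `!frame_->Tree().Parent()->GetSecurityContext()->GetSecurityOrigin()->CanAccess(frame_->DomWindow()->GetSecurityOrigin())`, or the comment should be reworded to describe the broader behaviour that is intended. Two smaller points: the comment cites https://crbug.com/1251790 while the commit message says `Bug: 1248444`, so one of the two references should be corrected or the second bug mentioned in the message; and since `DispatchLoad()` is now reachable from a same-document commit, a short note on why `Tree().Parent()` is guaranteed non-null whenever `Owner()` is non-null would help the next reader, since the hunk dereferences it unconditionally.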