Reported by mailto:[email protected], Sep 22 2015
From /WebKit/Source/core/loader/DocumentLoader.cpp:
PassRefPtrWillBeRawPtr<DocumentWriter> DocumentLoader::createWriterFor(const Document* ownerDocument, const DocumentInit& init, ...)
{
LocalFrame* frame = init.frame();
ASSERT(!frame->document() || !frame->document()->isActive());
ASSERT(frame->tree().childCount() == 0);
if (!init.shouldReuseDefaultView())
frame->setDOMWindow(LocalDOMWindow::create(*frame));
RefPtrWillBeRawPtr<Document> document = frame->localDOMWindow()->installNewDocument(mimeType, init);
(...)
}frame->setDOMWindow clears the window proxy, which disposes the V8 context, which notifies observers of WillReleaseScriptContext. Among the observers, there's extension_dispatcher_, which loads the "unload_event" module and triggers its dispatch method. This in turn can run user's code through getters/setters. Having arbitrary script at this execution point may lead to all sorts of broken/unexpected behavior, the example below bypasses SOP by attaching a document that's never forced to detach itself from the frame.
Chrome 45.0.2454.99 (Stable) Chrome 46.0.2490.33 (Beta) Chrome 47.0.2508.0 (Dev) Chromium 47.0.2517.0 (Release build compiled today)
Link: https://bugs.chromium.org/p/chromium/issues/detail?id=534923