Reported by mailto:[email protected], Dec 14 2015
From /content/renderer/pepper/ppb_flash_message_loop_impl.cc:
int32_t PPB_Flash_MessageLoop_Impl::InternalRun(
const RunFromHostProxyCallback& callback) {
(...)
// It is possible that the PPB_Flash_MessageLoop_Impl object has been
// destroyed when the nested message loop exits.
scoped_refptr<State> state_protector(state_);
{
base::MessageLoop::ScopedNestableTaskAllower allow(
base::MessageLoop::current());
base::MessageLoop::current()->Run();
}
(...)
}PPB_Flash_MessageLoop_Impl::InternalRun doesn't initialize a ScopedPageLoadDeferrer before spinning an event loop. As a result, cross-origin documents can be loaded at an arbitrary javascript execution point.
Chrome 47.0.2526.80 (Stable) Chrome 48.0.2564.41 (Beta) Chrome 49.0.2587.3 (Dev) Chromium 49.0.2591.0 + Pepper Flash (Release build compiled today)
Link: https://bugs.chromium.org/p/chromium/issues/detail?id=569496