commit | 372343377dfdc9736630ba80887bab27e047f4e6 | |
---|---|---|
author | clamy <clamy@chromium.org> | Wed Dec 06 22:45:07 2017 |
committer | Commit Bot <commit-bot@chromium.org> | Wed Dec 06 22:45:07 2017 |
tree | 87021f4f08e71db0658593a95fa65b42beeb2d61 | |
parent | 8bda568a48de22bc805e4440218edcda5bd6ed14 | |

Fix for URL spoof caused by deletion of speculative RFH

This CL fixes a security issue where a website could succeed in spoofing the URL of a cross-process navigation by issuing an endless loop of JavaScript navigations. When the cross-site navigation was ready to commit, a renderer-initiated navigation would start, causing the deletion of the speculative RenderFrameHost. However, we would not update the visible URL for the tab, even though the load of the cross-site navigation had stopped (due to the deletion of the speculative RFH).

This CL ensures that the pending NavigationEntry is deleted in that case.

BUG=760342

Change-Id: Ie24beda484ebd6daca5feb17f74da921eac80ce9
Reviewed-on: https://chromium-review.googlesource.com/808924
Commit-Queue: Charlie Reis <creis@chromium.org>
Reviewed-by: Charlie Reis <creis@chromium.org>
Cr-Commit-Position: refs/heads/master@{#522231}

Chromium is an open-source browser project that aims to build a safer, faster, and more stable way for all users to experience the web.
The project's web site is https://www.chromium.org.
Documentation in the source is rooted in docs/README.md.
Learn how to Get Around the Chromium Source Code Directory Structure.