commit | 9efc6345d59766bd88e72123b12dd154e051161e | [log] [tgz] |
---|---|---|
author | clamy <clamy@chromium.org> | Fri Jan 19 15:43:34 2018 |
committer | Camille Lamy <clamy@chromium.org> | Fri Jan 19 15:43:34 2018 |
tree | 215fe0ac365e3fc4ce27e6a8d6fc61763779b927 | |
parent | 4ac53f6cc73b9d697a286b197228fa2049136afc [diff] |
Fix for URL spoof caused by deletion of speculative RFH This CL fixes a security issue where a website could succeed in spoofing the URL of a cross-process navigation by issuing an endless loop of JavaScript navigations. When the cross-site navigation was ready to commit, a renderer-initiated navigation would start, causing the deletion of the speculative RenderFrameHost. However, we would not update the visible URL for the tab, even though the load of the cross-site navigation had stopped (due to the deletion of the speculative RFH). This CL ensures that the pending NavigationEntry is deleted in that case. BUG=760342 Change-Id: Ie24beda484ebd6daca5feb17f74da921eac80ce9 Reviewed-on: https://chromium-review.googlesource.com/808924 Commit-Queue: Charlie Reis <creis@chromium.org> Reviewed-by: Charlie Reis <creis@chromium.org> Cr-Original-Commit-Position: refs/heads/master@{#522231}(cherry picked from commit 372343377dfdc9736630ba80887bab27e047f4e6) Reviewed-on: https://chromium-review.googlesource.com/876342 Reviewed-by: Camille Lamy <clamy@chromium.org> Cr-Commit-Position: refs/branch-heads/3282@{#547} Cr-Branched-From: 5fdc0fab22ce7efd32532ee989b223fa12f8171e-refs/heads/master@{#520840}
Chromium is an open-source browser project that aims to build a safer, faster, and more stable way for all users to experience the web.
The project's web site is https://www.chromium.org.
Documentation in the source is rooted in docs/README.md.
Learn how to Get Around the Chromium Source Code Directory Structure .