Null out LocalDOMWindow::frame() on navigation.

In Blink, LocalDOMWindow::frame() is only set to null when the
LocalFrame is destroyed. Multiple LocalDOMWindow objects can hold a
reference to the same LocalFrame.

It turns out that this is dangerous and a persistent source of XSS bugs.
Code that creates scriptable objects for a frame needs to remember to
call DOMWindow::isCurrentlyDisplayedInFrame() to verify that the
creating context is still active in the frame. If this check is left
out, the created object can often trigger XSS.

Instead of depending on developers to remember to add this check where
needed, Blink now nulls out LocalDOMWindow::frame() as soon as it
navigates away from a LocalDOMWindow. Code in Blink already handles the
null case, since this is already something that can happen. Code that
improperly handles this case will tend to crash (suboptimal but safe),
and in general, failures won't result in XSS, since a detached frame
cannot be reattached.

BUG=525330

Review URL: https://codereview.chromium.org/1374533002

Cr-Commit-Position: refs/heads/master@{#351496}
14 files changed
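A toy model of the lifetime rule this commit describes, written here as an added illustration and not taken from Blink (class names mirror the commit message, but the bodies are simplified stand-ins): two window objects share one frame, a navigation swaps the frame's current window, and a creation path that forgets the `isCurrentlyDisplayedInFrame()` check either binds the stale window to the frame (old behaviour) or fails closed on a null `frame()` (new behaviour).

```cpp
#include <cassert>

// Simplified stand-ins for Blink's LocalFrame / LocalDOMWindow (not the real classes).
struct LocalFrame;

struct LocalDOMWindow {
  LocalFrame* frame_ = nullptr;
  LocalFrame* frame() const { return frame_; }
  bool isCurrentlyDisplayedInFrame() const;
};

struct LocalFrame {
  LocalDOMWindow* current_window_ = nullptr;
  // Navigation installs a new window. With null_out_old == true (the commit's
  // change) the previous window loses its frame pointer right away instead of
  // keeping it until the LocalFrame is destroyed.
  void navigate(LocalDOMWindow* new_window, bool null_out_old) {
    if (current_window_ && null_out_old) current_window_->frame_ = nullptr;
    current_window_ = new_window;
    new_window->frame_ = this;
  }
};

bool LocalDOMWindow::isCurrentlyDisplayedInFrame() const {
  return frame_ && frame_->current_window_ == this;
}

// A scriptable object bound to whatever frame the creating window reports.
struct ScriptableObject { LocalFrame* frame = nullptr; };

// Creation path that omits the isCurrentlyDisplayedInFrame() check, i.e. the
// bug class the commit message describes. It only fails closed on a null frame().
bool createWithoutCheck(const LocalDOMWindow& w, ScriptableObject* out) {
  if (!w.frame()) return false;
  out->frame = w.frame();
  return true;
}

// Scenario: navigate frame from old_window to new_window, then try to create an
// object from the stale old_window. Returns true if the stale window still
// manages to bind an object to the frame now displaying a different document.
bool staleWindowCanBindFrame(bool null_out_old) {
  LocalFrame frame;
  LocalDOMWindow old_window, new_window;
  frame.navigate(&old_window, null_out_old);
  frame.navigate(&new_window, null_out_old);
  assert(!old_window.isCurrentlyDisplayedInFrame());  // stale in both modes
  assert(new_window.isCurrentlyDisplayedInFrame());
  ScriptableObject obj;
  return createWithoutCheck(old_window, &obj) && obj.frame == &frame;
}
```

With the old behaviour the forgotten check lets the stale window hand out an object bound to the live frame; with `frame()` nulled on navigation the same code path simply fails.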