Reported by [email protected], Dec 5 2016
ScopedPageSuspender works by taking pages from Page::ordinaryPages()
and marking them as suspended. When window.close()
is called, the following operations are performed:
From /third_party/WebKit/Source/web/ChromeClientImpl.cpp:

  void ChromeClientImpl::closeWindowSoon() {
    // Make sure this Page can no longer be found by JS.
    m_webView->page()->willBeClosed();
    // Make sure that all loading is stopped. Ensures that JS stops executing!
    m_webView->mainFrame()->stopLoading();
    if (m_webView->client())
      m_webView->client()->closeWidgetSoon();
  }
m_webView->page()->willBeClosed() removes the associated page from the ordinaryPages set. Therefore, suspenders instantiated later, for example during m_webView->mainFrame()->stopLoading(), won't include the closing page. This allows an attacker to circumvent the suspender and perform synchronous loads in unexpected circumstances.
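As an added illustration (not code from the report or from Chromium), the following simplified C++ model reproduces the ordering the report describes: a suspender that walks a page registry at construction time cannot cover a page that was already removed from that registry. The names Page, ordinaryPages(), ScopedPageSuspender and willBeClosed() are stand-ins modelled on the report, not Blink's real classes; the "suspend first" variant is an assumption included for contrast and is not the fix Chromium shipped.

```cpp
// Simplified model of the page-registry / suspender ordering issue.
// Not Blink code: the types below only mirror the names used in the report.
#include <cassert>
#include <set>
#include <vector>

struct Page {
  bool suspended = false;
  bool closed = false;
};

// Stand-in for Page::ordinaryPages(): the registry the suspender walks.
static std::set<Page*>& ordinaryPages() {
  static std::set<Page*> pages;
  return pages;
}

// Stand-in for ScopedPageSuspender: suspends every page found in the
// registry at construction and resumes them at destruction (RAII). The set
// of covered pages is fixed at construction time, which is the crux here.
class ScopedPageSuspender {
 public:
  ScopedPageSuspender() {
    for (Page* p : ordinaryPages()) {
      p->suspended = true;
      suspended_.push_back(p);
    }
  }
  ~ScopedPageSuspender() {
    for (Page* p : suspended_) p->suspended = false;
  }
  bool covers(const Page* page) const {
    for (Page* p : suspended_)
      if (p == page) return true;
    return false;
  }

 private:
  std::vector<Page*> suspended_;
};

// Stand-in for Page::willBeClosed(): the page leaves the registry.
static void willBeClosed(Page* page) {
  page->closed = true;
  ordinaryPages().erase(page);
}

// Models the order in ChromeClientImpl::closeWindowSoon(): willBeClosed()
// runs first, then a suspender is created (as would happen during
// stopLoading()). Returns whether that suspender covers the closing page.
static bool suspenderCoversClosingPageReportedOrder(Page* page) {
  ordinaryPages().insert(page);
  willBeClosed(page);             // page is dropped from ordinaryPages()
  ScopedPageSuspender suspender;  // constructed after the removal
  bool covered = suspender.covers(page);
  ordinaryPages().erase(page);    // cleanup for the stand-alone model
  return covered;                 // false: the closing page is not suspended
}

// Hypothetical alternative ordering (an assumption, not Chromium's fix):
// create the suspender while the page is still registered.
static bool suspenderCoversClosingPageSuspendFirst(Page* page) {
  ordinaryPages().insert(page);
  ScopedPageSuspender suspender;  // page still in the registry
  willBeClosed(page);
  bool covered = suspender.covers(page);
  ordinaryPages().erase(page);
  return covered;                 // true
}

int main() {
  Page a, b;
  // Reported order: the closing page escapes the suspender.
  assert(!suspenderCoversClosingPageReportedOrder(&a));
  // Suspend-first order: the closing page is covered.
  assert(suspenderCoversClosingPageSuspendFirst(&b));
  return 0;
}
```

The model makes the defect visible without any browser: whichever code constructs a ScopedPageSuspender after willBeClosed() has run gets a scope that silently excludes the closing page, so any check that assumes "all pages are suspended while this object lives" is wrong for exactly that page.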
Chrome 55.0.2883.75 (Stable)
Chrome 55.0.2883.75 (Beta)
Chrome 56.0.2924.14 (Dev)
Chromium 57.0.2943.0 + Pepper Flash (Release build compiled today)
Link: https://bugs.chromium.org/p/chromium/issues/detail?id=671102