#### VULNERABILITY DETAILS
When a top-level navigation is triggered on a frame that is still displaying the initial empty document, FrameLoader::load is invoked directly instead of going through the NavigationScheduler:
```cpp
void LocalFrame::navigate(Document& originDocument, const KURL& url, bool replaceCurrentItem, UserGestureStatus userGestureStatus)
{
    (...)
    if (isMainFrame() && !m_loader.stateMachine()->committedFirstRealDocumentLoad()) {
        FrameLoadRequest request(&originDocument, url);
        request.resourceRequest().setHasUserGesture(userGestureStatus == UserGestureStatus::Active);
        m_loader.load(request);
    } else {
        m_navigationScheduler->scheduleLocationChange(&originDocument, url.getString(), replaceCurrentItem);
    }
}
```
As a result, FrameNavigationDisabler fails to prevent the navigation when the URL is loaded synchronously through this path.
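The following is an added toy model of the two paths above, not Chromium code: a scoped disabler is honoured by the scheduled path but not by the synchronous one, and a hardened variant (an assumed fix, not the project's actual patch) applies the same check on both. All names are hypothetical.

```cpp
#include <string>

// Toy model (not Chromium code) of a frame with a navigation-disable counter.
struct Frame {
    int navigationDisableCount = 0;          // > 0 while a disabler is alive
    bool committedFirstRealDocumentLoad = false;  // false on the initial empty document
    std::string url = "about:blank";
};

// RAII guard modelled on FrameNavigationDisabler: while it is alive,
// navigations of this frame are supposed to be rejected.
struct ScopedNavigationDisabler {
    Frame& frame;
    explicit ScopedNavigationDisabler(Frame& f) : frame(f) { ++frame.navigationDisableCount; }
    ~ScopedNavigationDisabler() { --frame.navigationDisableCount; }
};

// Scheduled path: honours the disabler (the model commits immediately
// instead of deferring, which is enough to show the check).
bool scheduleLocationChange(Frame& frame, const std::string& url) {
    if (frame.navigationDisableCount > 0) return false;
    frame.url = url;
    return true;
}

// Synchronous path as in the excerpt: the disabler is never consulted.
bool loadSynchronously(Frame& frame, const std::string& url) {
    frame.url = url;
    frame.committedFirstRealDocumentLoad = true;
    return true;
}

// Hardened variant (assumed fix): the same check guards the synchronous path.
bool loadSynchronouslyFixed(Frame& frame, const std::string& url) {
    if (frame.navigationDisableCount > 0) return false;
    return loadSynchronously(frame, url);
}

// Mirrors LocalFrame::navigate: initial empty document -> synchronous load,
// otherwise -> scheduler.
bool navigate(Frame& frame, const std::string& url, bool hardened) {
    if (!frame.committedFirstRealDocumentLoad)
        return hardened ? loadSynchronouslyFixed(frame, url) : loadSynchronously(frame, url);
    return scheduleLocationChange(frame, url);
}

// Returns true if a navigation slipped past an active disabler.
bool disablerBypassed(bool hardened) {
    Frame frame;  // still on the initial empty document
    ScopedNavigationDisabler guard(frame);
    return navigate(frame, "https://example.test/", hardened);
}
```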
#### VERSION
Chrome 49.0.2623.87 (Stable)
Chrome 50.0.2661.49 (Beta)
Chrome 51.0.2687.0 (Dev)
Chromium 51.0.2690.0 + Pepper Flash (Release build compiled today)
Attachment: [CVE-2016-1673](http://paper.seebug.org/papers/Archive/poc/CVE-2016-1673.zip)