8 matches found
WebKit: UXSS: CachedFrame doesn't detach openers (CVE-2017-2528)
When a document loads "about:blank" or "about:srcdoc", it tries to inherit the security origin from its parent frame, or its opener frame if the parent frame doesn't exist. Normally, it doesn't happen that a subframe's document inherits its opener frame's security origin, because it has the paren...
WebKit: UXSS via Document::prepareForDestruction and CachedFrame
WebKit: UXSS via Document::prepareForDestruction and CachedFrame Here's a snippet of Document::prepareForDestruction void Document::prepareForDestruction() { if (m_hasPreparedForDestruction) return; ... detachFromFrame(); m_hasPreparedForDestruction = true; } Document::prepareForDestruction is called on the...
WebKit - Document::prepareForDestruction CachedFrame Universal Cross-Site Scripting
WebKit - Document::prepareForDestruction CachedFrame Universal Cross-Site Scripting Click anywhere. function createURL(data, type = 'text/html') { return URL.createObjectURL(new Blob([data], {type: type})); } function waitFor(check, cb) { let it = setInterval(() => { if (check()) { clearInterval(it); cb(); } }, 10); } window.onclick = ...
WebKit CachedFrame Universal Cross Site Scripting Vulnerability
Exploit for multiple platform in category web applications WebKit: UXSS: CachedFrame doesn't detach openers CVE-2017-2528 When a document loads "about:blank" or "about:srcdoc", it tries to inherit the security origin from its parent frame, or its opener frame if the parent frame doesn't exist...
WebKit Document::prepareForDestruction / CachedFrame Universal XSS
WebKit: UXSS via Document::prepareForDestruction and CachedFrame Here's a snippet of Document::prepareForDestruction void Document::prepareForDestruction() { if (m_hasPreparedForDestruction) return; ... detachFromFrame(); m_hasPreparedForDestruction = true; } Document::prepareForDestruction is called on the...
WebKit - CachedFrame does not Detach Openers Universal Cross-Site Scripting
tree().parent(); Frame* openerFrame = m_frame->loader().opener(); Frame* ownerFrame = parentFrame; if (!ownerFrame) ownerFrame = openerFrame; if (!ownerFrame) { didFailToInitializeSecurityOrigin(); return; } ... setCookieURL(ownerFrame->document()->cookieURL()); // We alias the SecurityOrigins to match Firefox, see Bug 15313 ...
WebKit - CachedFrame does not Detach Openers Universal Cross-Site Scripting
WebKit - CachedFrame does not Detach Openers Universal Cross-Site Scripting tree().parent(); Frame* openerFrame = m_frame->loader().opener(); Frame* ownerFrame = parentFrame; if (!ownerFrame) ownerFrame = openerFrame; if (!ownerFrame) { didFailToInitializeSecurityOrigin(); return;...
WebKit Document::prepareForDestruction / CachedFrame Universal XSS
WebKit suffers from a universal cross site scripting vulnerability via Document::prepareForDestruction and CachedFrame. WebKit: UXSS via Document::prepareForDestruction and CachedFrame Here's a snippet of Document::prepareForDestruction void Document::prepareForDestruction() { if...