Brave Software: chrome://brave navigation from web

Summary: It's possible to navigate to the infamous 'chrome://brave' and all other privileged page from web, requiring only a single click. This is possible by opening popups with the 'noopener' attribute. Products affected: Brave: 0.24.0 V8: 6.9.427.23 rev: f657f15bf7e0e0c50a2b854c6b05edb59bfc556...

WebKit: UXSS through HTMLObjectElement::updateWidget(CVE-2017-2493)

When an object element loads a JavaScript URLe.g., javascript:alert1, it checks whether it violate the Same Origin Policy or not. Here's some snippets of the logic. void HTMLObjectElement::updateWidgetCreatePlugins createPlugins ... String url = this-url; ... if !allowedToLoadFrameURLurl return;...

Apple WebKit / Safari 10.0.3 (12602.4.8) - Synchronous Page Load Universal Cross-Site Scripting

URL scriptURL; URL url; if protocolIsJavaScripturlString scriptURL = completeURLurlString; // completeURL encodes the URL. url = blankURL; else url = completeURLurlString; if shouldConvertInvalidURLsToBlank && !url.isValid url = blankURL; Frame frame = loadOrRedirectSubframeownerElement, url,...

WebKit: UXSS via a synchronous page load（CVE-2017-2480）

Here's a snippet of the method SubframeLoader::requestFrame which is invoked when the |src| of an iframe object is changed. bool SubframeLoader::requestFrameHTMLFrameOwnerElement& ownerElement, const String& urlString, const AtomicString& frameName, LockHistory lockHistory, LockBackForwardList...