ScopedPageSuspender works by taking the pages from Page::ordinaryPages() and marking them as suspended. When window.close() is called, the following operations are performed:
From /third_party/WebKit/Source/web/ChromeClientImpl.cpp:

```cpp
void ChromeClientImpl::closeWindowSoon() {
  // Make sure this Page can no longer be found by JS.
  m_webView->page()->willBeClosed();

  // Make sure that all loading is stopped. Ensures that JS stops executing!
  m_webView->mainFrame()->stopLoading();

  if (m_webView->client())
    m_webView->client()->closeWidgetSoon();
}
```
|m_webView->page()->willBeClosed()| removes the associated page from the ordinaryPages set. Therefore, suspenders instantiated later, for example during |m_webView->mainFrame()->stopLoading()|, won't include the closing page. This allows an attacker to circumvent the suspender and perform synchronous loads in unexpected circumstances.
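The ordering problem above, reduced to a small model (added illustration, not Chromium code): Page, ordinaryPages(), ScopedPageSuspender and closeWindowSoon() are hypothetical stand-ins for the Blink types, kept only as far as the report describes them.

```cpp
#include <set>
#include <vector>

struct Page {
  bool suspended = false;
};

// Stand-in for Page::ordinaryPages(): the set a suspender iterates over.
static std::set<Page*>& ordinaryPages() {
  static std::set<Page*> pages;
  return pages;
}

// Models ScopedPageSuspender: suspends whatever is in ordinaryPages()
// at construction time, and nothing else.
struct ScopedPageSuspender {
  std::vector<Page*> covered;
  ScopedPageSuspender() {
    for (Page* p : ordinaryPages()) {
      p->suspended = true;
      covered.push_back(p);
    }
  }
  ~ScopedPageSuspender() {
    for (Page* p : covered) p->suspended = false;
  }
};

struct CloseResult {
  bool closingSuspended;  // was the page being closed suspended?
  bool otherSuspended;    // was an unrelated ordinary page suspended?
};

// Models closeWindowSoon(): willBeClosed() drops the page from the set
// first, so a suspender created during stopLoading() never sees it.
static CloseResult closeWindowSoon(Page* closing, Page* other) {
  ordinaryPages().erase(closing);   // willBeClosed()
  ScopedPageSuspender suspender;    // instantiated during stopLoading()
  return {closing->suspended, other->suspended};
}

// Constructed scenario: two ordinary pages, page a calls window.close().
static CloseResult scenario() {
  static Page a, b;
  ordinaryPages().clear();
  ordinaryPages().insert(&a);
  ordinaryPages().insert(&b);
  return closeWindowSoon(&a, &b);
}
```

The unrelated page is suspended as expected, while the closing page is left unsuspended for the duration of stopLoading().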
Chrome 55.0.2883.75 (Stable)
Chrome 55.0.2883.75 (Beta)
Chrome 56.0.2924.14 (Dev)
Chromium 57.0.2943.0 + Pepper Flash (Release build compiled today)
Attachment: exploit.zip