When an input element is removed from the document, its popup is closed during the layout tree detach:

void HTMLInputElement::detachLayoutTree(const AttachContext& context) {
  HTMLTextFormControlElement::detachLayoutTree(context);
  m_needsToUpdateViewValue = true;
  m_inputTypeView->closePopupView();
}
If the chooser is still being displayed, its associated popup is torn down and the client (ColorChooserPopupUIController for inputs of type “color”) is notified:
void WebPagePopupImpl::closePopup() {
  // This function can be called in EventDispatchForbiddenScope for the main
  // document, and the following operations dispatch some events. It's safe
  // because web authors can't listen to the events.
  EventDispatchForbiddenScope::AllowUserAgentEvents allowEvents;
  (...)
  m_popupClient->didClosePopup();
  m_webView->cleanupPagePopup();
}
The notification is propagated back to the input type, which may synchronously dispatch a change event on the input element if its value has changed recently:

void ColorInputType::didEndChooser() {
  EventQueueScope scope;
  if (LayoutTheme::theme().isModalColorChooser())
    element().dispatchFormControlChangeEvent();
  m_chooser.clear();
}

Unlike the user-agent events the comment in closePopup() has in mind, a change event is observable by page script, so an attacker's handler runs while the layout tree is still being detached. An attacker can exploit this synchronous event to corrupt the DOM tree.
Tested on:
Chrome 54.0.2840.59 (Stable)
Chrome 55.0.2883.21 (Beta)
Chrome 56.0.2896.3 (Dev)
Chromium 56.0.2899.0 (Release build compiled today)
Attachment: exploit.zip