SSV:93020
Posted by Root on www.seebug.org, Apr 24, 2017

Chrome Universal XSS using deferred history loads (CVE-2016-1675)


EPSS: 0.015 (Low), percentile 85.3%

VULNERABILITY DETAILS

When a ScopedPageLoadDeferrer is destroyed, the deferring state is updated on the associated pages and loaders. If a history load was set aside during the event loop the deferrer has been protecting, it is processed during that update without checking whether navigation is allowed on the frame:

    void FrameLoader::setDefersLoading(bool defers)
    {
        (...)
        if (!defers) {
            if (m_deferredHistoryLoad) {
                // The load set aside while deferred is replayed here as-is;
                // nothing consults the frame's navigation-allowed state first.
                load(FrameLoadRequest(nullptr, m_deferredHistoryLoad->m_request),
                     m_deferredHistoryLoad->m_loadType,
                     m_deferredHistoryLoad->m_item.get(),
                     m_deferredHistoryLoad->m_historyLoadType);
                m_deferredHistoryLoad.clear();
            }
            m_frame->navigationScheduler().startTimer();
            scheduleCheckCompleted();
        }
    }

This opens an avenue for an attacker to bypass the FrameNavigationDisabler.
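The interaction described above, as a constructed C++ model added here (this is not Blink's code, and the re-check before replay is an assumed mitigation, not Chromium's actual fix): two RAII guards, a deferrer and a disabler, and what the frame ends up loading when the deferrer is torn down while the disabler is still active.

```cpp
#include <memory>
#include <string>
// Constructed model of the interaction described above (not Blink code).
struct Frame {
    int navigationDisablers = 0;      // depth of active FrameNavigationDisablers
    bool defersLoading = false;       // set while a ScopedPageLoadDeferrer is alive
    bool checkBeforeReplay = false;   // assumed mitigation: re-check before replaying
    std::string deferredHistoryLoad;  // empty means nothing was set aside
    std::string committedUrl = "about:blank";
    bool isNavigationAllowed() const { return navigationDisablers == 0; }
    // Unchecked primitive: callers must already have verified navigation is allowed.
    void load(const std::string& url) { committedUrl = url; }
    // Checked entry point: history loads arriving while deferred are set aside.
    void navigateToHistoryItem(const std::string& url) {
        if (!isNavigationAllowed()) return;
        if (defersLoading) { deferredHistoryLoad = url; return; }
        load(url);
    }
    // Mirrors FrameLoader::setDefersLoading: leaving the deferred state replays the stored load.
    void setDefersLoading(bool defers) {
        defersLoading = defers;
        if (defers || deferredHistoryLoad.empty()) return;
        std::string url = deferredHistoryLoad;
        deferredHistoryLoad.clear();
        if (checkBeforeReplay && !isNavigationAllowed()) return;  // mitigated: drop it
        load(url);  // original behaviour: replayed without consulting the disabler
    }
};
struct ScopedPageLoadDeferrer {   // RAII guard: defers loads for its lifetime
    Frame& f;
    explicit ScopedPageLoadDeferrer(Frame& fr) : f(fr) { f.setDefersLoading(true); }
    ~ScopedPageLoadDeferrer() { f.setDefersLoading(false); }
};
struct FrameNavigationDisabler {  // RAII guard: forbids navigation for its lifetime
    Frame& f;
    explicit FrameNavigationDisabler(Frame& fr) : f(fr) { ++f.navigationDisablers; }
    ~FrameNavigationDisabler() { --f.navigationDisablers; }
};
// A history load is deferred, a disabler then becomes active, and the deferrer is
// destroyed while the disabler is still live. Returns the URL the frame ends up on.
std::string runScenario(bool mitigated) {
    Frame frame; frame.checkBeforeReplay = mitigated;
    auto deferrer = std::make_unique<ScopedPageLoadDeferrer>(frame);
    frame.navigateToHistoryItem("https://example.test/entry");  // set aside, not loaded
    FrameNavigationDisabler disabler(frame);
    deferrer.reset();  // ~ScopedPageLoadDeferrer -> setDefersLoading(false)
    return frame.committedUrl;
}
```

With `mitigated == false` the frame commits the set-aside URL even though a disabler is active; with the re-check in place the stale load is dropped and the frame stays where it was.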

VERSION

Chrome 49.0.2623.110 (Stable)
Chrome 50.0.2661.57 (Beta)
Chrome 51.0.2693.2 (Dev)
Chromium 51.0.2698.0 + Pepper Flash (Release build compiled today)

Attachment: CVE-2016-1675.zip