SSV:93022
Apr 24, 2017
Author: Root
Source: www.seebug.org

Chrome Universal XSS using a FrameNavigationDisabler bypass (CVE-2016-1673)


VULNERABILITY DETAILS

When a top-level navigation is triggered on a frame displaying the initial empty document, FrameLoader::load is invoked directly:

    void LocalFrame::navigate(Document& originDocument, const KURL& url, bool replaceCurrentItem, UserGestureStatus userGestureStatus)
    {
        (...)
        if (isMainFrame() && !m_loader.stateMachine()->committedFirstRealDocumentLoad()) {
            FrameLoadRequest request(&originDocument, url);
            request.resourceRequest().setHasUserGesture(userGestureStatus == UserGestureStatus::Active);
            m_loader.load(request);
        } else {
            m_navigationScheduler->scheduleLocationChange(&originDocument, url.getString(), replaceCurrentItem);
        }
    }

As a result, when the URL is loaded synchronously through this direct FrameLoader::load path rather than through the NavigationScheduler, FrameNavigationDisabler fails to prevent the navigation.
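To make the two paths concrete, here is an added C++ model (not Chromium code): a frame carrying a navigation-disable counter, a scoped guard in the spirit of FrameNavigationDisabler, the scheduled path that checks it, the unchecked direct path the report describes, and an assumed hardened direct path that checks it as well. All names and the URL are constructed for the example.

```cpp
#include <string>
// Hypothetical model of the Blink pieces involved (not Chromium code).
struct Frame {
    bool isMainFrame = true;
    bool committedFirstRealDocumentLoad = false;  // still showing the initial empty document
    int navigationDisableCount = 0;
    std::string committedUrl = "about:blank";
    bool isNavigationAllowed() const { return navigationDisableCount == 0; }
};
// Scoped guard in the spirit of FrameNavigationDisabler.
struct NavigationDisabler {
    Frame& frame;
    explicit NavigationDisabler(Frame& f) : frame(f) { ++frame.navigationDisableCount; }
    ~NavigationDisabler() { --frame.navigationDisableCount; }
};

// Scheduled path (NavigationScheduler in Blink): the disabler is honoured here.
static bool scheduleLocationChange(Frame& f, const std::string& url) {
    if (!f.isNavigationAllowed()) return false;
    f.committedUrl = url;
    return true;
}

// Direct path as the report shows it: FrameLoader::load with no disabler check.
static bool loadDirectUnchecked(Frame& f, const std::string& url) {
    f.committedUrl = url;
    return true;
}

// Assumed hardening: the direct path honours the disabler too.
static bool loadDirectChecked(Frame& f, const std::string& url) {
    if (!f.isNavigationAllowed()) return false;
    f.committedUrl = url;
    return true;
}

// Mirrors the branch in LocalFrame::navigate; `hardened` picks the direct loader.
static bool navigate(Frame& f, const std::string& url, bool hardened) {
    if (f.isMainFrame && !f.committedFirstRealDocumentLoad)
        return hardened ? loadDirectChecked(f, url) : loadDirectUnchecked(f, url);
    return scheduleLocationChange(f, url);
}

// True if a navigation went through while a disabler was active on the frame.
static bool navigationEscapedDisabler(bool hardened, bool firstDocCommitted) {
    Frame f;
    f.committedFirstRealDocumentLoad = firstDocCommitted;
    NavigationDisabler guard(f);
    return navigate(f, "https://example.test/", hardened);  // constructed URL
}
```

With the disabler active, only the unchecked direct path on a main frame still showing its initial document lets the navigation through; the scheduled path and the hardened direct path both refuse it.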

VERSION

Chrome 49.0.2623.87 (Stable)
Chrome 50.0.2661.49 (Beta)
Chrome 51.0.2687.0 (Dev)
Chromium 51.0.2690.0 + Pepper Flash (Release build compiled today)

Attachment: CVE-2016-1673