CVE-2016-5160

The AllowCrossRendererResourceLoad function in
extensions/browser/url_request_util.cc in Google Chrome before 53.0.2785.89
on Windows and OS X and before 53.0.2785.92 on Linux does not properly use
an extension’s manifest.json web_accessible_resources field for
restrictions on IFRAME elements, which makes it easier for remote attackers
to conduct clickjacking attacks, and trick users into changing extension
settings, via a crafted web site, a different vulnerability than
CVE-2016-5162.

Bugs

• <https://crbug.com/576867&gt;