| | | |
|---|---|---|
| author | Allan Sandfeld Jensen <allan.jensen@qt.io> | 2018-09-06 13:10:51 +0200 |
| committer | Allan Sandfeld Jensen <allan.jensen@qt.io> | 2018-09-12 07:44:03 +0000 |
| commit | c952ab2ef5eb141cd594788f30e36f084908ad2e (patch) | |
| tree | a66c656991694d336717897ddfcb9ebaeff3f938 /chromium/third_party/usrsctp/usrsctplib/usrsctplib/netinet/sctp_uio.h | |
| parent | f1f5e7417e9b4f39d7f007b4d98d8551efd23a8a (diff) | |
[Backport] CVE-2018-16074
Avoid sharing process for blob URLs with null origin.
Previously, when a frame with a unique origin, such as from a data
URL, created a blob URL, the blob URL looked like blob:null/guid and
resulted in a site URL of "blob:" when navigated to. This incorrectly
allowed all such blob URLs to share a process, even if they were
created by different sites.
This CL changes the site URL assigned in such cases to be the full
blob URL, which includes the GUID. This avoids process sharing for
all blob URLs with unique origins.
This fix is conservative in the sense that it would also isolate
different blob URLs created by the same unique origin from each other.
This case isn't expected to be common, so it's unlikely to affect
process count. There's ongoing work to maintain a GUID for unique
origins, so longer-term, we could try using that to track down the
creator and potentially use that GUID in the site URL instead of the
blob URL's GUID, to avoid unnecessary process isolation in scenarios
like this.
Note that as part of this, we discovered a bug where data URLs aren't
able to script blob URLs that they create: https://crbug.com/865254.
This scripting bug should be fixed independently of this CL, and as
far as we can tell, this CL doesn't regress scripting cases like this
further.
Bug: 863623
Change-Id: I861330de193039ac9f6ef9039e7cd9a2c3d3d383
Reviewed-on: https://chromium-review.googlesource.com/1142389
Reviewed-by: Michael Brüning <michael.bruning@qt.io>
Diffstat (limited to 'chromium/third_party/usrsctp/usrsctplib/usrsctplib/netinet/sctp_uio.h')
0 files changed, 0 insertions, 0 deletions
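The following is an added illustration of the site-URL change the commit message describes; it is a constructed model, not Chromium's code. It simplifies a site URL to `scheme://host` and treats the serialized origin `null` as the opaque-origin case (data: URLs, sandboxed frames) so that the before/after process-sharing decision can be compared on sample blob URLs.

```python
"""Model of the site-URL assignment changed by the CVE-2018-16074 fix.
Constructed example; site URLs are simplified to scheme://host."""
from urllib.parse import urlsplit


def split_blob_url(blob_url: str) -> tuple[str, str]:
    """Return (serialized inner origin, guid) of a blob URL.

    A blob URL has the form blob:<origin>/<guid>. When the creating frame
    has an opaque (unique) origin, the origin part serializes as "null".
    """
    if not blob_url.startswith("blob:"):
        raise ValueError("not a blob URL: " + blob_url)
    origin, sep, guid = blob_url[len("blob:"):].rpartition("/")
    if not sep or not origin or not guid:
        raise ValueError("malformed blob URL: " + blob_url)
    return origin, guid


def site_url_for_origin(origin: str) -> str:
    """Simplified site URL: scheme and host of a non-opaque origin."""
    parts = urlsplit(origin)
    return f"{parts.scheme}://{parts.hostname}"


def site_url_before_fix(blob_url: str) -> str:
    origin, _guid = split_blob_url(blob_url)
    if origin == "null":
        # Old behaviour: every null-origin blob URL collapsed to "blob:",
        # so blobs created by unrelated sites landed in one process.
        return "blob:"
    return site_url_for_origin(origin)


def site_url_after_fix(blob_url: str) -> str:
    origin, _guid = split_blob_url(blob_url)
    if origin == "null":
        # New behaviour: the full blob URL, GUID included, is the site URL,
        # so each null-origin blob URL is isolated from the others.
        return blob_url
    return site_url_for_origin(origin)


def may_share_process(url_a: str, url_b: str, fixed: bool) -> bool:
    """Two documents may share a process only if their site URLs match."""
    site = site_url_after_fix if fixed else site_url_before_fix
    return site(url_a) == site(url_b)
```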